WannaCry Encryption Flow
Generating RSA Key Pair
The sample generates an RSA public/private key pair and exports both keys to disk.
The public RSA key is written to the file 00000000.pky. The private RSA key is encrypted with a second public RSA key embedded in the malware binary, and the result is written to the file 00000000.eky.
Embedded public RSA key in the sample, used to encrypt the generated private RSA key.
Enumerating Files in a Directory using the Windows APIs FindFirstFile and FindNextFile
Before encrypting the files in a directory, the malware checks each directory and file against its lists of directories and files to be excluded.
Directories to Exclude
File Extensions to Exclude
Exclude Files Dropped by Malware
File Types to Encrypt
The file types to be encrypted are present as a hard-coded list in the malware binary.
Str2 is an extension from the hard-coded list in the malware binary.
Str1 is the extension of the file being checked against the hard-coded list.
Random Key at Run Time
If the extension of the file is found in the hard-coded list, the malware generates a random key of 0x10 (16) bytes using a cryptographic provider of type 0x18 (24), PROV_RSA_AES.
Random key highlighted in red.
Encrypting Random Key
After further processing of the generated random key, which will later be used to encrypt the file content, the malware encrypts it with the public RSA key it generated and wrote to the file 00000000.pky.
After encryption the encrypted random key is 0x100 (256) bytes, i.e. one RSA block for a 2048-bit modulus.
Create New File
The malware creates a new file named “original_file.old_extension.WNCRYT”.
The malware writes the following to the file created above, in this order:
- WANACRY! – malware magic bytes – 8 bytes
- ENCRYPTED RANDOM KEY LENGTH – dword, value 0x100 (256) – 4 bytes
- KEY BYTES – the encrypted random key, of the length given in item 2 (256 bytes)
- UNKNOWN – dword, observed value 0x4 – 4 bytes
- ORIGINAL FILE SIZE – qword – 8 bytes
- DATA – the encrypted file content, whose size is derived from the original file size in item 5
Encrypting the original file data and writing the encrypted data to the file “original_file.old_extension.WNCRYT”
Destination buffer containing the encrypted file content.
Content of the encrypted file “original_file.old_extension.WNCRYT” after encryption is completed.
The timestamps of the encrypted file are set to those of the original file.
Moving (renaming) the encrypted file “original_file.old_extension.WNCRYT” to “original_file.old_extension.WNCRY”.
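The header layout and the .WNCRYT/.WNCRY naming described above are enough to write a forensic triage parser. The following is an added example, not code from the original post or from the malware: it builds a constructed sample file with the same field layout (random bytes stand in for the RSA-encrypted key and the AES ciphertext; no real encryption is performed), splits a .WNCRY/.WNCRYT blob into its fields, and recovers the original file name from the suffix. The only assumption beyond the text is that the ciphertext is padded to the 16-byte AES block, so that check is reported as a warning rather than treated as a hard error.

```python
"""Triage parser for the on-disk layout of a WannaCry-encrypted file.

Layout (little-endian), as described in the analysis above:
  0x000  8 bytes  magic "WANACRY!"
  0x008  dword    length of the RSA-encrypted per-file key (0x100 = 256)
  0x00C  N bytes  RSA-encrypted per-file key (N = dword above)
  0x10C  dword    observed value 0x4 (meaning not determined in the analysis)
  0x110  qword    size of the original plaintext file
  0x118  ...      encrypted file content, to end of file
"""
import os
import struct

MAGIC = b"WANACRY!"
FIXED_HEADER = struct.Struct("<8sI")  # magic, encrypted-key length
TRAILER = struct.Struct("<IQ")        # unknown dword, original file size
AES_BLOCK = 16                        # assumption: ciphertext padded to AES block


def parse_wncry(blob: bytes) -> dict:
    """Split a .WNCRY/.WNCRYT blob into its fields.

    Raises ValueError only for layout violations (bad magic, truncated header);
    size inconsistencies are returned in the 'warnings' list so that partially
    written .WNCRYT files can still be examined.
    """
    if len(blob) < FIXED_HEADER.size:
        raise ValueError("truncated: shorter than the fixed header")
    magic, key_len = FIXED_HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("bad magic %r" % magic)
    off = FIXED_HEADER.size
    if len(blob) < off + key_len + TRAILER.size:
        raise ValueError("truncated: header claims key length %d" % key_len)
    enc_key = blob[off:off + key_len]
    off += key_len
    unknown, orig_size = TRAILER.unpack_from(blob, off)
    off += TRAILER.size
    data = blob[off:]

    warnings = []
    if key_len != 0x100:
        warnings.append("unexpected encrypted key length %d (expected 256)" % key_len)
    if unknown != 0x4:
        warnings.append("unknown dword is 0x%x (observed value is 0x4)" % unknown)
    if len(data) < orig_size:
        warnings.append("ciphertext shorter than original size: truncated or in-progress write")
    if len(data) % AES_BLOCK:
        warnings.append("ciphertext not a multiple of %d bytes (padding assumption)" % AES_BLOCK)
    return {
        "key_len": key_len,
        "enc_key": enc_key,
        "unknown": unknown,
        "orig_size": orig_size,
        "data_offset": off,
        "data": data,
        "warnings": warnings,
    }


def classify_path(name: str):
    """Return (state, original_name) from the suffix the malware appends.

    .WNCRYT is the temporary name used while writing, .WNCRY the final name
    after the rename; anything else is not a WannaCry artifact by name.
    """
    upper = name.upper()
    for suffix, state in ((".WNCRYT", "in-progress"), (".WNCRY", "encrypted")):
        if upper.endswith(suffix):
            return state, name[:-len(suffix)]
    return None, name


def build_sample(orig_size: int, key_len: int = 0x100, unknown: int = 0x4) -> bytes:
    """Construct a sample blob with the layout above (random bytes, no real crypto).

    Assumption: the ciphertext is PKCS#7-style padded, so it is the original
    size rounded up to the next whole AES block.
    """
    padded = (orig_size // AES_BLOCK + 1) * AES_BLOCK
    return (FIXED_HEADER.pack(MAGIC, key_len)
            + os.urandom(key_len)
            + TRAILER.pack(unknown, orig_size)
            + os.urandom(padded))


if __name__ == "__main__":
    sample = build_sample(100)
    fields = parse_wncry(sample)
    print("data at 0x%x, original size %d, key length %d, warnings %s"
          % (fields["data_offset"], fields["orig_size"], fields["key_len"], fields["warnings"]))
    print(classify_path("report.docx.WNCRY"))
```

Running the block parses the constructed sample and reports the ciphertext starting at offset 0x118, which is the 8 + 4 + 256 + 4 + 8 byte header implied by the field list above. The same parser works on a real .WNCRY file read from disk; the only thing the constructed sample lacks is a genuinely RSA-encrypted key and AES ciphertext.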