WannaCry Encryption Flow

Encryption Flow
Generating RSA Key pair
The sample generates an RSA public/private key pair and exports both keys to disk.

The public RSA key is written to the file 00000000.pky. The private RSA key is encrypted with another public RSA key embedded in the malware binary and written to the file 00000000.eky.

Public RSA key embedded in the sample, used to encrypt the generated private RSA key.

File Enumeration
The malware enumerates the files in a directory using the Windows APIs FindFirstFile and FindNextFile.
Before encrypting the files in a directory, the malware checks them against a list of directories and files to be excluded.

Directories to Exclude

File Extensions to Exclude

Exclude Files Dropped by Malware

File Types to Encrypt
The file types to be encrypted are present as a hard-coded list in the malware binary.

Str2 is an extension from the hard-coded list in the malware binary.
Str1 is the extension of the file being checked against the hard-coded list.

Key Generation
Random key at Run Time

If the extension of the file is found in the hard-coded list, the malware generates a random key of size 0x10 (16) bytes using cryptography provider type 0x18 (24), PROV_RSA_AES.

Random Key highlighted in red.

Encrypting Random Key
After performing operations on the generated random key, which will later be used to encrypt the content of the file, the malware encrypts the random key with the public RSA key it generated and wrote to the file 00000000.pky.

After encryption, the size of the encrypted random key is 0x100 (256) bytes.

Encrypting File

Create New File
The malware creates a new file named “original_file.old_extension.WNCRYT”.
The malware writes the following information to the file created above.
  1. WANACRY! - Malware Magic Byte - 8 bytes
  2. ENCRYPTED RANDOM KEY LENGTH - 0x100 (256) bytes.
  3. KEY BYTES - Encrypted Random key bytes of size in point 2.
  4. UNKNOWN - dword value 0x44 bytes
  5. ORIGINAL FILE SIZE - 8 bytes
  6. DATA - Encrypted bytes of size in point 5
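
For incident-response triage, the layout listed above can be parsed to confirm that a file is a WANACRY! container and to read its recorded original size. This is an added example, not code from the original post; it assumes the key-length field and the unknown dword are 4-byte little-endian integers and the original size is an 8-byte little-endian integer, and the sample input is constructed with dummy key bytes.

```python
import struct
from dataclasses import dataclass

MAGIC = b"WANACRY!"      # 8-byte marker from the layout above
RSA_BLOB_LEN = 0x100     # encrypted random key is 0x100 (256) bytes


@dataclass
class WncryHeader:
    key_len: int
    encrypted_key: bytes
    unknown: int
    original_size: int
    data_offset: int     # where the encrypted file data starts
    data_len: int        # bytes of encrypted data actually present


def parse_wncry(buf: bytes) -> WncryHeader:
    """Parse the header fields; raise ValueError on anything malformed."""
    if buf[:8] != MAGIC:
        raise ValueError("magic mismatch: not a WANACRY! container")
    off = 8
    if len(buf) < off + 4:
        raise ValueError("truncated before key length")
    (key_len,) = struct.unpack_from("<I", buf, off)  # assumed 4-byte LE field
    off += 4
    if key_len != RSA_BLOB_LEN:
        raise ValueError(f"unexpected key length {key_len:#x}")
    if len(buf) < off + key_len + 4 + 8:
        raise ValueError("truncated inside header")
    encrypted_key = buf[off:off + key_len]
    off += key_len
    # assumed widths: 4-byte unknown dword, then 8-byte original file size
    unknown, original_size = struct.unpack_from("<IQ", buf, off)
    off += 12
    return WncryHeader(key_len, encrypted_key, unknown, original_size,
                       off, len(buf) - off)


def build_sample(payload: bytes, original_size: int, unknown: int = 0) -> bytes:
    """Constructed test input: dummy key bytes, not real ciphertext."""
    return (MAGIC + struct.pack("<I", RSA_BLOB_LEN) + b"\xAA" * RSA_BLOB_LEN
            + struct.pack("<IQ", unknown, original_size) + payload)


if __name__ == "__main__":
    h = parse_wncry(build_sample(b"\x00" * 32, 20))
    print(h.original_size, h.data_offset, h.data_len)
```

A magic mismatch or a short header raises ValueError, so a scanner can skip files that only carry the extension without the container structure.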

Encrypting the original file data and writing the encrypted data to the file “original_file.old_extension.WNCRYT”.

Destination Buffer containing encrypted file content.

Content of the encrypted file “original_file.old_extension.WNCRYT” after encryption is completed.

The malware sets the time of the encrypted file to the time of the original file.
It then moves the encrypted file “original_file.old_extension.WNCRYT” to “original_file.old_extension.WNCRY”.

