{
	"id": "87c810af-40b3-4eb9-9213-dae32e36e2e8",
	"created_at": "2026-04-19T02:21:44.925532Z",
	"updated_at": "2026-04-20T02:20:47.969585Z",
	"deleted_at": null,
	"sha1_hash": "98dd2f30d4339e318babe6dfe3c295ad2a327652",
	"title": "CRYING IS FUTILE: SandBlast Forensic Analysis of WannaCry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46922,
	"plain_text": "CRYING IS FUTILE: SandBlast Forensic Analysis of WannaCry\r\nBy bferrite\r\nPublished: 2017-05-16 · Archived: 2026-04-19 02:05:44 UTC\r\nUsing the NSA exploit EternalBlue released by the Shadow Brokers, the WannaCry ransomware developers have\r\nadded their names to malware lore. Given the number of institutions hit and the amount of media generated, it\r\nseemed appropriate to show what the ransomware actually does on a system through our SandBlast Agent\r\nForensics product.\r\nThe WannaCry outbreak has been a good test case for the recently launched SandBlast Anti-Ransomware. Anti-Ransomware (AR) and\r\nForensics work together as part of our SandBlast Agent product. As we had expected, Anti-Ransomware was up to\r\nthe task and has successfully blocked all WannaCry samples we’ve thrown at it, without requiring any signatures\r\nor updates.\r\nFor this report, we disabled Anti-Ransomware, Anti-Malware and Threat Emulation (all three catch the attack) so that\r\nwe could see what the attack does when encrypting a system.\r\nWe let SandBlast Agent Forensics perform its automated analysis of the incident. The interactive forensics report\r\nis here:\r\nhttp://freports.us.checkpoint.com/wannacryptor2_1/\r\nWe invite you to click and explore the analysis.\r\nFigure 1. Forensics Overview Screen for WannaCrypt. Click to access the online report.\r\nThe report generated by Forensics reduces the time taken to determine, analyze and understand the impact of\r\nan incident from hours or days to mere minutes. Let us see how by following what the malware is doing.\r\nThe first executable in the infection chain is not shown in the report because it checks for a specific URL before\r\ncontinuing the attack (the so-called kill switch). Malware researchers have discovered most of the kill-switch URLs in the\r\ndifferent samples of the attack, and once that URL is reachable the ransomware component is not created or executed.\r\nWe start the analysis from the actual ransomware executable itself as shown in Figure 2. 
Having analyzed multiple\r\nsamples of the ransomware, we noticed that the behavior is fairly consistent.\r\nFigure 2. Forensics Execution Tree starting with wcry.exe. Click to access the online report.\r\nIn our report, the attack starts with the launch of the wcry.exe sample. This executable drops a large number of files that\r\nare most likely configuration/data files needed to continue execution. The dropped files are listed by clicking on the\r\nwcry.exe process and then viewing the File Ops tab; many of them carry the “wnry” extension, for example.\r\nFigure 3. attrib.exe and icacls.exe are the first processes launched by wcry.exe\r\nhttps://blog.checkpoint.com/research/crying-futile-sandblast-forensic-analysis-wannacry/\r\nPage 1 of 3\n\nThe sample then hides all the files in its own folder by running the Windows “attrib.exe”\r\nprocess, as shown in Figure 3. We believe this is done so that the sample does not accidentally encrypt its own files,\r\nthough it could also be a basic technique to hide from investigators.\r\nwcry.exe then executes the Windows “icacls.exe” utility to modify the current folder’s permissions. We are still\r\ninvestigating why. This is the first ransomware family we have seen that actually uses this\r\nWindows utility.\r\nFigure 4. Last stage of the encryption process per file includes a rename.\r\nwcry.exe then begins the encryption process, starting with files on the desktop. By following the flow of any one\r\nof the encrypted documents, we see that the malware wrote the encrypted content into a newly created file with the extension wncryt (t\r\nfor temp?) and, once the original file had been fully encrypted, renamed that file to the extension\r\nwncry.\r\nFor example:\r\n1. The file 2014-financial-statements-en.pdf was read.\r\n2. The file 2014-financial-statements-en.pdf.wncryt was created.\r\n3. 
The file 2014-financial-statements-en.pdf.wncryt was modified with the encrypted content of the original\r\n2014-financial-statements-en.pdf.\r\n4. The file 2014-financial-statements-en.pdf.wncryt was renamed to 2014-financial-statements-en.pdf.wncry.\r\nwcry.exe also creates an executable called @WanaDecryptor@.exe and launches it. This executable creates the Tor\r\nApplication folder and installs Tor in it, which is visible as the suspicious event Tor Application Download.\r\n@WanaDecryptor@.exe then launches taskhsvc.exe, which is used to begin Tor communication.\r\nFigure 5. cmd.exe execution triggered a UAC prompt\r\nAfter the encryption of files is finished we see a UAC prompt pop up because of a cmd.exe process that wants to elevate\r\nprivileges. cmd.exe requires elevated privileges in order to delete shadow copies and modify boot options. If\r\nthe user clicks OK, shadow copy deletion occurs through both vssadmin.exe and wmic.exe. bcdedit and\r\nwbadmin executions are also meant to occur based on the cmd.exe arguments (/c vssadmin delete shadows /all /quiet \u0026\r\nwmic shadowcopy delete \u0026 bcdedit /set {default} bootstatuspolicy ignoreallfailures \u0026 bcdedit /set {default}\r\nrecoveryenabled no \u0026 wbadmin delete catalog -quiet), which would disable Windows boot recovery and delete the backup catalog. However, neither was executed in our run.\r\nFigure 6. Suspicious Events for the process, Wall Paper Change details are shown\r\nAfter the encryption the wallpaper is also changed, as seen in the suspicious event Wall Paper Change. Like Cerber\r\nand Locky, the wallpaper is changed to display a ransom message.\r\nPersistence on boot is meant to occur through a registry Run key pointing at a process named tasksche.exe, but this\r\nprocess was never created by the attack, so nothing happens on reboot of the system. This process apparently\r\nshould have been created by the downloader that checks whether the kill switch is present. 
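The per-file encrypt-and-rename chain and the cmd.exe recovery-inhibition chain described above are the two behaviours a responder would most want to pull out of such a timeline automatically. What follows is an added example, not code from the Check Point post or from SandBlast Agent Forensics: a small Python analyser over a constructed, pipe-delimited event list modelled on the report. The event format, the field names, the extra file names budget.xlsx and t.wnry and the function names are all assumptions of this example. It reconstructs which originals reached the .wncry stage and which were left at the .wncryt stage, and splits the cmd.exe /c argument string on the & operator to list every recovery-inhibition sub-command present, whether or not the matching child process was later observed (the report notes that in its run only vssadmin.exe and wmic.exe actually ran).

```python
# Added example, not part of the Check Point report or of SandBlast Agent
# Forensics. Event format, field names and the extra file names below are
# assumptions of this example (constructed sample data).

TEMP_EXT = '.wncryt'   # temp file written during encryption (t for temp?)
FINAL_EXT = '.wncry'   # extension after the final rename

# Constructed sample timeline, one event per line: process|operation|target.
# A rename target is written as source->destination. The cmd.exe line carries
# the exact argument chain the report quotes.
SAMPLE_EVENTS = '''
wcry.exe|read|2014-financial-statements-en.pdf
wcry.exe|create|2014-financial-statements-en.pdf.wncryt
wcry.exe|write|2014-financial-statements-en.pdf.wncryt
wcry.exe|rename|2014-financial-statements-en.pdf.wncryt->2014-financial-statements-en.pdf.wncry
wcry.exe|create|t.wnry
wcry.exe|write|t.wnry
wcry.exe|read|budget.xlsx
wcry.exe|create|budget.xlsx.wncryt
wcry.exe|write|budget.xlsx.wncryt
wcry.exe|exec|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
'''

# Sub-commands from the report's cmd.exe argument string, each with the
# recovery capability it removes. Matching is done on whitespace-normalised,
# lower-cased text so spacing and case differences do not evade it.
INHIBIT_SIGNATURES = [
    ('vssadmin delete shadows', 'deletes shadow copies'),
    ('wmic shadowcopy delete', 'deletes shadow copies'),
    ('bcdedit /set {default} bootstatuspolicy ignoreallfailures', 'ignores boot failures instead of entering recovery'),
    ('bcdedit /set {default} recoveryenabled no', 'disables the Windows recovery environment'),
    ('wbadmin delete catalog', 'deletes the backup catalog'),
]


def parse_events(text):
    '''Parse the pipe-delimited timeline into a list of event dicts.'''
    events = []
    for line in text.strip().splitlines():
        proc, op, target = line.split('|', 2)
        events.append({'proc': proc, 'op': op, 'target': target})
    return events


def find_encryption_chains(events):
    '''Map each original file name to how far the wcry.exe chain got:
    temp_created -> temp_written -> encrypted (temp renamed to .wncry).
    Files that never get a .wncryt temp (like the dropped t.wnry) are ignored.'''
    stage = {}
    for ev in events:
        op, target = ev['op'], ev['target']
        if op == 'create' and target.endswith(TEMP_EXT):
            stage[target[:-len(TEMP_EXT)]] = 'temp_created'
        elif op == 'write' and target.endswith(TEMP_EXT):
            orig = target[:-len(TEMP_EXT)]
            if stage.get(orig) == 'temp_created':
                stage[orig] = 'temp_written'
        elif op == 'rename' and '->' in target:
            src, dst = target.split('->', 1)
            if src.endswith(TEMP_EXT):
                orig = src[:-len(TEMP_EXT)]
                # Only the exact temp -> final rename counts as completed encryption.
                if dst == orig + FINAL_EXT and stage.get(orig) == 'temp_written':
                    stage[orig] = 'encrypted'
    return stage


def flag_recovery_inhibition(cmdline):
    '''Split the part after cmd.exe /c on the & operator and return
    (normalised_subcommand, effect) for every sub-command that matches a
    signature, in the order cmd.exe would run them.'''
    idx = cmdline.lower().find(' /c ')
    body = cmdline[idx + 4:] if idx >= 0 else cmdline
    hits = []
    for sub in body.split('&'):
        norm = ' '.join(sub.split()).lower()
        for sig, effect in INHIBIT_SIGNATURES:
            if sig in norm:
                hits.append((norm, effect))
                break
    return hits


def analyse(text):
    '''Run both checks over a timeline; returns (encryption stages, inhibition hits).'''
    events = parse_events(text)
    chains = find_encryption_chains(events)
    hits = []
    for ev in events:
        if ev['op'] == 'exec' and ev['target'].lower().startswith('cmd.exe'):
            hits.extend(flag_recovery_inhibition(ev['target']))
    return chains, hits


if __name__ == '__main__':
    chains, hits = analyse(SAMPLE_EVENTS)
    for name in sorted(chains):
        print(chains[name], name)
    for norm, effect in hits:
        print('recovery inhibition:', effect, '<-', norm)
```

Run it directly to print both reports for the constructed timeline. The encryption-chain check deliberately requires the create, write and exact temp-to-final rename in order, so the dropped .wnry data files and a stray rename with no prior temp file do not count as victims; the command-line check flags all five sub-commands from the argument string even when, as in the report's run, only the first two produced child processes.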
Because we\r\nran the ransomware without that downloader, it was unable to persist.\r\nFinally, the process called @WanaDecryptor@.exe is also used to display the UI asking for payment.\r\nFor more information on Check Point’s SandBlast Agent Forensics please visit:\r\nhttp://blog.checkpoint.com/tag/sandblast-agent-forensics/\r\nSource: https://blog.checkpoint.com/research/crying-futile-sandblast-forensic-analysis-wannacry/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/research/crying-futile-sandblast-forensic-analysis-wannacry/"
	],
	"report_names": [
		"crying-futile-sandblast-forensic-analysis-wannacry"
	],
	"threat_actors": [
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-20T02:00:05.950269Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-20T02:00:03.330251Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"The ShadowBrokers",
				"TSB",
				"Shadow Brokers",
				"ShadowBrokers"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1776565304,
	"ts_updated_at": 1776651647,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98dd2f30d4339e318babe6dfe3c295ad2a327652.pdf",
		"text": "https://archive.orkl.eu/98dd2f30d4339e318babe6dfe3c295ad2a327652.txt",
		"img": "https://archive.orkl.eu/98dd2f30d4339e318babe6dfe3c295ad2a327652.jpg"
	}
}