{
	"id": "9cf0ed9a-b186-416b-9e67-fc422833d35d",
	"created_at": "2026-04-06T00:10:18.439458Z",
	"updated_at": "2026-04-10T03:23:52.236935Z",
	"deleted_at": null,
	"sha1_hash": "a647d41055ac6053f62162d9e91bdadc5944ee63",
	"title": "Third time's the charm? analysing wannacry samples",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1397220,
	"plain_text": "Third time's the charm? analysing wannacry samples\r\nBy f0wL\r\nPublished: 2019-07-28 · Archived: 2026-04-05 12:37:14 UTC\r\nSun 28 July 2019 in Ransomware\r\nAfter over two years since the initial spread of the ransomware and MalwareTech's sentencing last week I got a bit nostalgic and took a second look at different samples.\r\nSince the first wave of infections in May 2017 WannaCry has basically been the go-to example for the whole ransomware scheme, and that is actually a good thing. The damage done by WannaCry and the variants following the original version would have been massive had it not been for MalwareTech, 2sec4u and all the other researchers who helped to contain the spread of ransomware powered by the wormable EternalBlue exploit.\r\nFunnily enough there are still people from around the world who pay the ~300$ ransom in the hope of getting their data decrypted, as can be seen here.\r\nA general disclaimer as always: downloading and running the samples linked below (especially the ones without the kill switch) will lead to the encryption of your personal data, so be f$cking careful. Also check your local laws, as owning malware binaries/sources might be illegal depending on where you live.\r\nThe three samples I'll be looking at:\r\nhttps://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html\r\nPage 1 of 11\r\nWannacry Sample #1, sometimes referred to as \"dropper\", available @\r\nhttps://www.ghidra.ninja/samples/wannacry.zip\r\nsha256 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\r\nWannacry Sample #2, sometimes referred to as \"encryptor\", available @\r\nhttps://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Ransomware.WannaCry\r\nsha256 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\r\nWannacry Plus, available @\r\nhttps://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Ransomware.WannaCry_Plus\r\nsha256 55504677f82981962d85495231695d3a92aa0b31ec35a957bd9cbbef618658e3\r\nThe first thing we're going to take a look at is the symbol tree. Stepping into the function called entry we notice that it is in fact not the main / WinMain function but a preparatory routine that calls WinMain at the end (this is not a Ghidra decompiler artifact: it is the C runtime's start-up stub, which initialises the runtime before handing over to WinMain).\r\nBecause the decompilation result in our WinMain function is not that pretty yet, we will edit its function signature to match the one described in the Win32 API reference (the sample imports the ANSI APIs, so strictly the matching variant is WinMain with a PSTR lpCmdLine, but the four-parameter layout is identical and that is all the decompiler needs).\r\nint WINAPI wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine, int nCmdShow);\r\nAfter this is done the decompilation result will be much better and easier on the eyes. One of the first things you will spot is the famous kill switch URL registered by MalwareTech after the initial outbreak, which to this day points to the Kryptos Logic sinkhole. After line 41 you can also see several InternetOpen* calls that check whether the aforementioned URL is registered and reachable. If that is the case the sample closes its handles and exits from WinMain before the encryption process has even started. Of course this also means that if the infected PC is not connected to the Interwebs (remember it propagates via SMB over local networks as well) or is unable to resolve the domain name, the ransomware will go to town with the user's files.\r\nLooking into sample #2 there is actually no such kill switch, which means that it is one of the later versions following the initial outbreak.\r\nTo show the differences between the kill-switched first sample and the second, rambo version I fired up hasherezade's awesome PE-Bear and loaded Sample #2 and #1. This indeed confirms that the samples are basically the same, but version #2 is missing the notorious kill switch.\r\nWannaCry Plus\r\nI haven't heard of this strain/variant before, but it got its own subfolder in ytisf's theZoo, so it has to be special in some way, right? Let's first check the entropy of the binary with \"Detect It Easy\" to see if it is packed or obfuscated in any way:\r\nLooking at the entropy graph we can pretty comfortably say that the PE is neither packed nor obfuscated (which would have been out of the ordinary for a WannaCry sample anyway). Looking at the symbol tree we are greeted with a new function called PlayGame. Please no Fortnite ransomware kthxbye :D We'll have a look into that later.\r\nJumping into the entry function, things are looking quite different compared to the first two samples. Following the procedure we are dropped into FUN_10001016, which is what I presume to be the file encryption function. This is pretty easy to spot through the rather characteristic combination of FindResourceA, CreateFileA and WriteFile.\r\nTo see what happens if I run the malware I fired up a Windows 7 x86 VM in VirtualBox provided by https://modern.ie/. After seeing the error message below I thought the executable might actually be an x86_64 one, since it refuses to run on the 32-bit Windows 7 system. Even these days it is quite unusual for malware to be compiled for x64 systems only, since that cuts out a lot of the old and vulnerable systems running x86 XP, for example (which is kind of a no-brainer, since the potatohead holding PCs for ransom would want to maximise the attack surface and earnings).\r\nKudos to Microsoft in this case: their Defender and SmartScreen have really stepped up their game. For an attacker and (sadly) for a malware reverse engineer it is quite difficult to circumvent or disable the built-in mal-/ransomware protection. You are constantly greeted with pop-ups about a detected ransomware executable, and Defender will even go as far as simply deleting your precious sample :(\r\nBut even after calming down Windows Defender I couldn't get the malware to encrypt anything :S\r\nLooking at the Any.Run sandbox analysis over here we see the same error message, but the sample seems to drop another executable called \"SearchProtocolHost.exe\" (the name of a legitimate Windows Search component), which is probably RunPE process hollowing at play. The next step will probably be manual debugging, so stay tuned!\r\nIOCs\r\nWannacry (SHA256)\r\n24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\r\ned01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\r\n55504677f82981962d85495231695d3a92aa0b31ec35a957bd9cbbef618658e3\r\n32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf\r\n697158bcade7373ccc9e52ea1171d780988fc845d2b696898654e18954578920\r\nSource: https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html"
	],
	"report_names": [
		"third-times-the-charm-analysing-wannacry-samples.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434218,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a647d41055ac6053f62162d9e91bdadc5944ee63.pdf",
		"text": "https://archive.orkl.eu/a647d41055ac6053f62162d9e91bdadc5944ee63.txt",
		"img": "https://archive.orkl.eu/a647d41055ac6053f62162d9e91bdadc5944ee63.jpg"
	}
}
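The kill-switch gate described in the archived post above (InternetOpen*, then exit if the sinkholed domain answers) re-expressed in Python, as an added example that is not code from the post or from the sample. The point it makes explicit is that the gate fails open: anything other than a successful request, whether NXDOMAIN, no route, filtered egress or a mandatory proxy, looks like "domain not registered" and the payload runs. The domain is the one MalwareTech registered and the direct, non-proxied session mirrors the INTERNET_OPEN_TYPE_DIRECT call the dropper makes; both are facts about the sample documented outside this post. The four probe functions are constructed stand-ins so the scenarios run offline; only direct_http_probe touches the network, and nothing calls it.

```python
"""Added example (not the sample's code): WannaCry's kill-switch gate with an
injected probe, showing why it fails open. Domain and direct-connection
behaviour are facts from outside the post; the probes are constructed."""
import errno
import socket
import urllib.error
import urllib.request

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
ABORT, CONTINUE = "abort", "continue"


def kill_switch_gate(probe, domain: str = KILL_SWITCH_DOMAIN) -> str:
    """Mirrors InternetOpenA -> InternetOpenUrlA -> InternetCloseHandle.

    The original only distinguishes "request succeeded" from "anything else",
    so every failure mode is treated as "domain not registered" and the
    encryption/propagation path runs. urllib's URLError is an OSError too."""
    try:
        probe(domain)
    except OSError:
        return CONTINUE          # fail open: payload and SMB spread proceed
    return ABORT                 # sinkhole answered: exit before the payload


def direct_http_probe(domain: str, timeout: float = 5.0) -> int:
    """Live probe (never called by the demo): a direct GET with proxies
    disabled, like the INTERNET_OPEN_TYPE_DIRECT session the dropper opens."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(f"http://{domain}/", timeout=timeout) as resp:
        return resp.status


# Constructed probes standing in for the network conditions discussed above.
def probe_sinkholed(domain: str) -> int:
    return 200                   # domain registered, Kryptos Logic sinkhole answers


def probe_unregistered(domain: str) -> int:
    raise socket.gaierror(-2, "Name or service not known")   # NXDOMAIN


def probe_offline(domain: str) -> int:
    raise OSError(errno.ENETUNREACH, "Network is unreachable")  # isolated LAN


def probe_behind_proxy(domain: str) -> int:
    # Direct egress blocked; only the proxy the dropper ignores could connect.
    raise urllib.error.URLError("connection refused")


def scenarios() -> dict[str, str]:
    """Outcome for a sinkholed domain, an unregistered one, an isolated host
    and a proxied network. Only the first one stops the sample."""
    return {
        "sinkholed": kill_switch_gate(probe_sinkholed),
        "unregistered": kill_switch_gate(probe_unregistered),
        "offline": kill_switch_gate(probe_offline),
        "behind_proxy": kill_switch_gate(probe_behind_proxy),
    }
```

For lab work this cuts both ways: a detonation VM with a simulated internet that answers HTTP behaves like the sinkholed case and sample #1 exits before doing anything interesting, while a VM with DNS cut off runs the payload. To watch the encryption path, make the probe fail or patch the branch; to keep a segmented network safe, do not rely on the kill switch at all, because the isolated hosts are exactly the ones it does not protect.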
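Two checks from the WannaCry Plus section of the archived post, the entropy read off "Detect It Easy" and the 32-/64-bit question raised when the sample refused to run on x86, done with nothing but the Python standard library. This is an added example and not code from the post; the minimal PE it builds is constructed inline and its section contents (a repeated x86 prologue, zeroed data, a pseudo-random resource blob) are hypothetical stand-ins, not bytes from any of the listed samples. The 7.2 bits/byte threshold is a common rule of thumb, not a standard. The design choice worth noting: only an executable section of near-random bytes counts as "packed"; a high-entropy .rsrc on its own is an embedded payload, which is what a FindResourceA/CreateFileA/WriteFile combination writes out to disk, and the Machine field of the COFF header answers the x86-vs-x64 question without guessing from a Windows error dialog.

```python
"""Added example (not the post's code): stdlib-only PE triage, per-section
Shannon entropy plus the COFF Machine field. The PE image is constructed."""
import math
import random
import struct
from collections import Counter
from dataclasses import dataclass

IMAGE_FILE_MACHINE = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HDR = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes
PACKED_THRESHOLD = 7.2            # rule of thumb for "compressed or encrypted"


@dataclass
class Section:
    name: str
    characteristics: int
    entropy: float

    @property
    def is_code(self) -> bool:
        return bool(self.characteristics & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes) -> tuple[str, list[Section]]:
    """DOS header -> PE signature -> COFF header -> section table, nothing more."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, num_sections = struct.unpack_from("<HH", data, e_lfanew + 4)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        name, raw_size, raw_ptr, chars = f[0], f[3], f[4], f[9]
        raw = data[raw_ptr:raw_ptr + raw_size]          # on-disk bytes of the section
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), chars, shannon_entropy(raw)))
    return IMAGE_FILE_MACHINE.get(machine, hex(machine)), sections


def looks_packed(sections: list[Section]) -> bool:
    """Packed or encrypted code means an *executable* section of near-random bytes.
    A high-entropy .rsrc or .data alone is an embedded payload, not packing,
    and is deliberately not flagged here."""
    return any(s.is_code and s.entropy > PACKED_THRESHOLD for s in sections)


def build_pe(sections: list[tuple[str, bytes, int]], align: int = 0x200) -> bytes:
    """Constructed minimal PE32 image with just enough header for parse_pe()."""
    opt_size = 224                                    # PE32 optional header size
    hdr_len = 64 + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = -(-hdr_len // align) * align          # round up to file alignment
    dos = b"MZ".ljust(60, b"\0") + struct.pack("<I", 64)      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")  # PE32 magic
    table, body, ptr = b"", b"", first_raw
    for name, payload, chars in sections:
        size = -(-len(payload) // align) * align
        table += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                             len(payload), ptr, size, ptr, 0, 0, 0, 0, chars)
        body += payload.ljust(size, b"\0")
        ptr += size
    headers = dos + b"PE\0\0" + coff + optional + table
    return headers.ljust(first_raw, b"\0") + body


# Constructed section contents: a repeated x86 function prologue
# (push ebp; mov ebp,esp; sub esp,10h; push ebx/esi/edi; mov edi,[ebp+8]),
# zeroed data and a pseudo-random blob standing in for an embedded resource.
CODE = bytes.fromhex("558bec83ec105356578b7d08") * 512
CODE_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000   # + READ
DATA_FLAGS = 0x40000040                                # INITIALIZED_DATA | READ


def random_blob(n: int, seed: int = 2017) -> bytes:
    rng = random.Random(seed)                          # deterministic, not os.urandom
    return bytes(rng.getrandbits(8) for _ in range(n))


def sample_image() -> bytes:
    return build_pe([(".text", CODE, CODE_FLAGS),
                     (".data", bytes(4096), DATA_FLAGS),
                     (".rsrc", random_blob(65536), DATA_FLAGS)])


def triage(data: bytes) -> dict:
    machine, sections = parse_pe(data)
    return {"machine": machine,
            "sections": {s.name: round(s.entropy, 2) for s in sections},
            "packed": looks_packed(sections)}
```

Run triage(open(path, "rb").read()) on a real sample instead of sample_image(): an i386 result settles the question the Windows 7 x86 error raised, and a .text entropy well below the threshold next to a high-entropy .rsrc is the profile of an unpacked dropper carrying its payload as a resource rather than of a packed binary.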