{
	"id": "a4421521-afe0-4eae-b82f-c85a551dd87c",
	"created_at": "2026-04-10T03:20:46.363145Z",
	"updated_at": "2026-04-10T03:22:18.312925Z",
	"deleted_at": null,
	"sha1_hash": "f7aad4566ae0ba5d6e3afc2405ce0d92435f01eb",
	"title": "WannaHusky Malware Analysis w/ YARA + TTPs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2351280,
	"plain_text": "WannaHusky Malware Analysis w/ YARA + TTPs\r\nBy Mars\r\nPublished: 2022-04-05 · Archived: 2026-04-10 03:00:47 UTC\r\nHello! I have recently gained a new interest in threat intelligence, malware research and analysis. In response, I have been taking courses to learn the tools and methodologies of malware analysis and reverse engineering. This blog is a result of my new-found interest.\r\nMy first blog post follows my observations on a malware sample provided by HuskyHacks as a part of his course, Practical Malware Analysis \u0026 Triage. The formatting of this post is more report-style, highlighting my findings in my initial triage. I’ve included a full set of YARA rules, as well as the TTPs of the sample at the end. Please feel free to give feedback, as I would like to further improve my malware analysis skills and perform deeper and more thorough analysis in the future.\r\nExecutive Summary\r\nRansomware.WannaHusky is a Nim-compiled ransomware malware sample, provided as part of the Practical Malware Analysis \u0026 Triage course. It is a 32-bit executable.\r\nRansomware.WannaHusky consists of multiple steps: the sample first returns the current directory of the user and then returns the home directory of the user. If cosmo.jpeg is on the Desktop of the infected host, the sample executes a PowerShell script (ps1.ps1). Next, the sample encrypts cosmo.jpeg, adding the .WANNAHUSKY extension, and writes WANNAHUSKY.png to the Desktop. The sample then changes the Desktop wallpaper to the WANNAHUSKY.png file. 
Lastly, it runs the tree C:\\ command.\r\nIndicators of compromise include ps1.ps1, the encryption of cosmo.jpeg (with the file becoming cosmo.WANNAHUSKY), a ransomware note saved as WANNAHUSKY.png, the Desktop wallpaper changing to the contents of WANNAHUSKY.png and the tree C:\\ command being run.\r\nSHA256 Hash: 3D35CEBCF40705C23124FDC4656A7F400A316B8E96F1F9E0C187E82A9D17DCA3\r\nObservations\r\nMalware Composition:\r\nhttps://medium.com/@mars0x/wannahusky-malware-analysis-w-yara-ttps-2069fb479909\r\nPage 1 of 10\r\nThe sample provided consists of two components:\r\nFile Name: Ransomware.WannaHusky.exe\r\nSHA256 Hash: 3D35CEBCF40705C23124FDC4656A7F400A316B8E96F1F9E0C187E82A9D17DCA3\r\nFile Name: ps1.ps1\r\nSHA256 Hash: D6317F374F879CD4E67FB4E9DDC0D283926489F4C0D6CF07D912A247E5CFDE99\r\nStatic Analysis:\r\nCAPA:\r\nCAPA is a tool that detects capabilities in executable files. After running the binary against the CAPA tool, the following information was extracted:\r\nHashes: SHA1, SHA256 and MD5\r\nLanguage: The binary is compiled with Nim\r\nEncryption: The binary uses HC-128 to encrypt data\r\nEncoding: The binary uses Base64 to encode data\r\nThere are detected capabilities of reading and writing files to the file system\r\nThere are detected capabilities of creating and terminating processes\r\nFigure 1.1: CAPA output — Tactics \u0026 Techniques, Behaviours\r\nFigure 1.2: CAPA output — Capabilities\r\nPE Studio:\r\nAfter analyzing the Strings in PE Studio, some strings of interest are listed below:\r\ntree C:\\ command is run\r\nThe ps1.ps1 script is written to the Desktop, and then executed\r\nThe contents of the PowerShell script:\r\nThe script imports user32.dll. It then sets the $currDir variable to the output of the Get-Location cmdlet, sets the $wallpaper variable to the WANNAHUSKY.png file, and sets the $fullPath variable to the joined paths of the current directory and WANNAHUSKY.png (e.g. Desktop\\WANNAHUSKY.png). It then invokes the SetWallpaper function to change the user’s Desktop wallpaper to the ransom note (WANNAHUSKY.png).\r\nWANNAHUSKY.png is written on the Desktop\r\nFigure 2: PE Studio — Strings\r\nFigure 3: Contents of ps1.ps1\r\nDynamic Analysis:\r\nInitial Detonation:\r\nWhen the binary is run, cosmo.jpeg is encrypted and deleted. Two new files named cosmo.WANNAHUSKY and WANNAHUSKY.png are written to the Desktop. The wallpaper is changed to the contents of WANNAHUSKY.png.\r\nFigure 4: WANNAHUSKY.png\r\nA cmd.exe window also appears on the screen, running the tree command. It appears that the cmd.exe window is not being run discreetly in the background and shows the output of the command before exiting.\r\nFigure 5: Capture of the tree command output\r\nAfter monitoring for network traffic in Wireshark, there was no detection of the binary attempting to call out to hosts or domains.\r\nAdditionally, in order for the binary to execute successfully, cosmo.jpeg needs to be on the Desktop. If the binary cannot locate cosmo.jpeg, it returns an error (shown below).\r\nFigure 6: Failed execution of Ransomware.WannaHusky.exe\r\nA Deeper Dive\r\nDisassembling:\r\nThere are 3 important functions in NimMainModule@0:\r\nwannaHusky__4JhDTDCSrwYIQ19bJbLaL2w@0: This function is responsible for the encryption and deletion of cosmo.jpeg and writing cosmo.WANNAHUSKY to the Desktop\r\nchangeBackground__4JhDTDCSrwYIQ19bJbLaL2w_2@0: This function is responsible for changing the Desktop wallpaper. This occurs by writing the WANNAHUSKY.png file to the Desktop and executing the ps1.ps1 script, which changes the Desktop wallpaper.\r\nnosexecShellCmd@4: This function is responsible for spawning cmd.exe and running the tree command on the C:\\ directory → C:\\Windows\\system32\\cmd.exe /c tree C:\\\r\nFigure 7: NimMainModule in Cutter\r\nWithin the wannaHusky__4JhDTDCSrwYIQ19bJbLaL2w@0 function, the encryption and encoding function calls are located. The target file (cosmo.jpeg) appears to get encrypted and encoded.\r\nFigure 8.1 — Encryption and encoding functions\r\nThe new encrypted file is then written to the Desktop (cosmo.WANNAHUSKY) and the target file is deleted.\r\nFigure 8.2 — Overwriting target file\r\nFigure 8.3 — Target file being deleted\r\nFigure 8.4 — Decompiler showing encryption, encoding, writing and deletion of files\r\nDebugging:\r\nWhen stepping through the sample and simultaneously looking at the process tree in Procmon, there are two cmd.exe processes that are run.\r\nOne cmd.exe window spawns PowerShell, which executes the contents of ps1.ps1: C:\\Windows\\system32\\cmd.exe /c powershell C:\\Users\\mars\\Desktop\\ps1.ps1\r\nOne cmd.exe window executes the tree command: C:\\Windows\\system32\\cmd.exe /c tree C:\\\r\nWhile the PowerShell script has an intended function, which is changing the user’s Desktop wallpaper to WANNAHUSKY.png, the tree command serves no functional purpose. After further investigation, it appears that the visible cmd.exe window with the tree command executing is a decoy or distraction to the user/malware analyst, as the PowerShell script is running discreetly in the background.\r\nFigure 9.1: Process Tree\r\nFigure 9.2: Commands as seen in the Process Tree\r\nIndicators of Compromise\r\nNetwork Indicators\r\nAfter monitoring for network traffic, there was no detection of the binary attempting to call out to hosts or domains. Therefore, there are no network indicators for this sample.\r\nHost-based Indicators\r\nps1.ps1\r\na ransomware note saved as WANNAHUSKY.png\r\nthe Desktop wallpaper changing to the contents of WANNAHUSKY.png\r\ncmd.exe window with the tree C:\\ command being executed\r\nRules \u0026 Signatures\r\nA full set of YARA rules can be found below, as well as on my Github.\r\nTactics \u0026 Techniques\r\nI’ve highlighted the Tactics and Techniques that I have found in my analysis of the sample below:\r\nSource: https://medium.com/@mars0x/wannahusky-malware-analysis-w-yara-ttps-2069fb479909",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@mars0x/wannahusky-malware-analysis-w-yara-ttps-2069fb479909"
	],
	"report_names": [
		"wannahusky-malware-analysis-w-yara-ttps-2069fb479909"
	],
	"threat_actors": [],
	"ts_created_at": 1775791246,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7aad4566ae0ba5d6e3afc2405ce0d92435f01eb.pdf",
		"text": "https://archive.orkl.eu/f7aad4566ae0ba5d6e3afc2405ce0d92435f01eb.txt",
		"img": "https://archive.orkl.eu/f7aad4566ae0ba5d6e3afc2405ce0d92435f01eb.jpg"
	}
}