WannaCry analyser

A small utility I’m using to parse WannaCry-encrypted files. It does not decrypt the files unless you have the private key. Nothing fancy, nothing gets uploaded, all processing is done in your browser. Uses this library.

Start by dropping a file with the extension .WNCRY on the drop zone below. Don’t have one at hand? Download and use this one.

Header info
#include <stdint.h>

typedef struct _wannacry_file_t {
	char     signature[8];  // 64-bit signature.
	uint32_t key_length;    // Length of encrypted key.
	uint8_t  key[256];      // AES key encrypted with RSA.
	uint32_t unknown;       // Usually 4 or 3, not sure what it is used for.
	uint64_t data_length;   // Length of file before encryption.
	uint8_t  data[];        // AES-128 ciphertext (variable length, runs to end of file).
} wannacry_file_t;
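An added example, not the utility's own code: a browser-compatible parser for the header laid out in the struct above, with bounds checks so a short or malformed file is rejected instead of misread. It assumes little-endian, unpadded fields; `parseWncryHeader` and `buildSample` are hypothetical names, and the "WANACRY!" signature in the constructed sample comes from public analyses, not from this page.

```javascript
// Header size from the struct: 8 + 4 + 256 + 4 + 8 bytes, then ciphertext.
const HEADER_SIZE = 8 + 4 + 256 + 4 + 8; // 280

function parseWncryHeader(bytes) {
  if (!(bytes instanceof Uint8Array)) throw new TypeError("expected Uint8Array");
  if (bytes.length < HEADER_SIZE) throw new RangeError("file shorter than header");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);

  const signature = String.fromCharCode(...bytes.subarray(0, 8));
  const keyLength = view.getUint32(8, true); // assumption: little-endian
  // The struct reserves exactly 256 bytes for the key; any other length
  // would shift the offsets below, so refuse rather than misparse.
  if (keyLength !== 256) throw new RangeError("unexpected key_length " + keyLength);

  const key = bytes.subarray(12, 268);
  const unknown = view.getUint32(268, true);
  const dataLength = view.getBigUint64(272, true);
  const cipherLength = bytes.length - HEADER_SIZE;

  return {
    signature, keyLength, key, unknown, dataLength, cipherLength,
    // Ciphertext cannot be shorter than the plaintext length it claims.
    truncated: BigInt(cipherLength) < dataLength,
  };
}

// Constructed sample bytes, not a real encrypted file.
function buildSample(dataLength, cipherLength) {
  const bytes = new Uint8Array(HEADER_SIZE + cipherLength);
  const view = new DataView(bytes.buffer);
  bytes.set(Array.from("WANACRY!", (c) => c.charCodeAt(0)), 0);
  view.setUint32(8, 256, true);
  bytes.fill(0xab, 12, 268); // placeholder for the RSA-encrypted AES key
  view.setUint32(268, 4, true);
  view.setBigUint64(272, BigInt(dataLength), true);
  return bytes;
}

const info = parseWncryHeader(buildSample(100, 112));
console.log(info.signature, info.keyLength, info.unknown, info.dataLength, info.truncated);
```

In a browser, pass `new Uint8Array(await file.arrayBuffer())` for a dropped `File` object.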
File info
Encryption key info
Encrypted payload info