Reversing WannaCry Part 1 - Finding the killswitch and unpacking the malware in #Ghidra

Published 2019-03-27
Part 2 is out! • Reversing WannaCry Part 2 - Diving in...

In this first video of the "Reversing WannaCry" series we will look at the infamous killswitch and the installation and unpacking procedure of WannaCry.
Twitter: twitter.com/ghidraninja

Links:
- Interview with MalwareTech: soundcloud.com/arrow-bandwidth/s3-episode-11-wanna…
- MalwareTech's blogpost about the killswitch: www.malwaretech.com/2017/05/how-to-accidentally-st…

Further reading
- Wikipedia: en.wikipedia.org/wiki/WannaCry_ransomware_attack
- LogRhythm Analysis: logrhythm.com/blog/a-technical-analysis-of-wannacr…
- Secureworks Analysis: www.secureworks.com/research/wcry-ransomware-analy…

All Comments (21)
  • @_a_x_s_
    Reverse engineering enhances the understanding of both programming thought and skills. This video is easy to follow, and the main techniques of reverse engineering are shown clearly, which makes me want to decompile a small interesting program to analyze it.
  • @l2ubio
    "Microsoft security center (2.0) sevice" LMAO
  • @lynx5327
    I'm a vegetable that doesn't understand anything but this was an interesting video
  • @_ahmedkira
    Ghidra ninja: The function is very simple. Me:
  • @_nit
    Wow that was probably one of the best descriptive reverse engineering videos I've seen to date. Your method of explaining and showcasing each step in each function is fantastic and even explaining how to identify when disassemblers/decompilers mess up and how to fix them. Bravo. I'm upset that I waited this long to actually start watching these videos.
  • @MrMasterRhythm
    Love this! Please create a series of Reverse Engineering Basics!
  • @tomasviane3844
    I didn't understand anything of what you did, but the casualness of explaining something so exotically complicated drew me in.
  • @ThoughtinFlight
    This was SUPER interesting and well made, please continue! You left us on a cliffhanger!
  • Very interesting and complete video, first time I watched a reverse engineering video and I love the way you investigate and explain what you do. It's the first video of your channel I've seen and I love it. Keep going!
  • I came across your channel shortly after downloading Ghidra. I appreciate how you clearly detail your train of thought in each video. I hope to see more!
  • @PeepzaHazMyNoze
    Really well done video. I think you should keep this series in this format. Personally I like the pacing of the video, and wouldn't want it slower, or faster.
  • @TheDankTiel
    I understood everything except for the renaming parts. Meaning I did not understand a thing. Cool vid tho, you've earned a sub!
  • @freeweed4all
    Using an open source reversing platform like Ghidra, everyone could potentially come closer to the reversing world. Oh, what if I could be some years younger...
  • @jed833
    Fantastic Video, I hope to see more both on wannacry and other things soon. As an embedded SW guy looking to get into RE this was great.
  • everyone: try not to download files from untrusted places!!! Ghidra: let's unpack the malware!
  • @georgedomse
    Just wow. Impressive job! I hope you are employed by one of the major tech/AV companies.
  • Reading the WannaCry warning, the creators were real lads, providing multiple languages, information about Bitcoin and a contact method. They just sound incredibly kind.
  • @eversoanxious
    You know too many things. You explain it too casually like it's food lmao. This guy be like: Ok, let me present you my house.