Hello, today I want to show you how you can use some of my tools to start analyzing the WannaCry sample, the ransomware. So I have the ransomware here and some of my tools. And with pecheck, we can have a first look at this executable. Okay, so I have a high entropy, the hashes, the sections, some of the imports, resources, there is no signature and there is no overlay.

So let's look at the resources. So with option -o, we can have an overview of the resources with choice r, like this. Okay, and we have three resources here, one, two, three. That's an index provided by pecheck so that we can select the resource for further actions. So we have a version resource, a manifest resource and then here an XIA resource. And here you have the size and here the hex dump or an ASCII dump of the start. You can see it starts with PK, PK0304. So this is an indication that this is a zip file. So we will analyze this zip file. So pecheck, overview of resources. We get the first resource and we dump it. And then we pipe this into zipdump to analyze the content of this zip file.

Okay, we get an error, bad password for file. So this means the zip file inside the PE file, as a resource in the ransomware executable, that zip file is password protected. Now my latest versions of zipdump can do some simple dictionary password attacks. So let's try this. So with option -P, uppercase P, I can start a password dictionary attack and I have to provide it with a file that contains a password dictionary. But there is also a built-in list in zipdump and that is the same list as used by John the Ripper, because that's in the public domain. And you can access this with a simple dot, like this. So this will try out about 3,000 to 4,000 passwords. Okay, but again, we get the same error, bad password for file. So that was not one of the passwords in that list. So now we are going to check if maybe the password is in clear text as a string in the executable.

So with my strings tool, we are going to dump all the strings in the executable like this and we are going to write that to a file, passwords. Okay, and now we are going to use zipdump again to do the password cracking, but instead of the built-in list, we are going to use our passwords here. Okay, so this was successful. So the password is indeed in clear text somewhere in the executable. If we want to know which one, we can use another option, --passwordfilestop. This option will just do a dictionary attack and nothing more and print you the password when it finds it, like this. Okay, so this is the password that can be found inside the executable and that is the password needed to decrypt the content of the zip file.

So we are going to do this again to have an overview of the content inside the zip file. Okay, so we have the different WannaCry files here, all the messages, different translations of the ransomware message, and here are some executables. So here, 27, we have the Spanish text, we are going to look at that one. And this one here, 35, taskse.exe, we are also going to take a look at that one. So we start with 27. So I select 27 and I will do a dump, so just print it out to memory, sorry, to standard out. Okay, and this is actually an RTF file, okay, and here you can see some Spanish text, that is the Spanish text that is displayed by the ransomware.

Okay, so the other file was the executable, taskse.exe. So we are going to dump this and pipe this to pecheck like this. It has a very low entropy. Sections here, these are the hashes. Here some version information, imports, resources, it has no signature and no overlays. We can have a look at the strings. So this taskse executable is actually the executable that will enumerate the RDP sessions on the local Windows machine and inject the ransomware into each session. So I'm going to search for strings that have WTS, sorry, it's strings.py, like this.

And here you have the different Windows API calls to work with the sessions, like enumerate the sessions and get the session ID.
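The analysis steps from the walkthrough, as an added example written in plain Python; it is not code from the video and not Didier Stevens' pecheck.py, zipdump.py or strings.py. It checks a dumped blob for the PK\x03\x04 signature, pulls printable strings out of an executable image, and tries each string as the password of a ZipCrypto-protected zip, which is what zipdump does with a password file. Because the standard library can read but not write encrypted zips, a minimal ZipCrypto writer is included so the example runs offline. The password, file names and byte blobs are constructed stand-ins, not values from the real sample.

```python
# Added example, not part of the video or of the tools it shows.
# Every password, file name and blob below is constructed for the demo.
import io
import re
import struct
import zipfile
import zlib

# Traditional PKWARE ZipCrypto: three 32-bit keys driven by a raw CRC-32 step.
_CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    _CRC_TABLE.append(c)

def _crc_update(crc, byte):
    return (crc >> 8) ^ _CRC_TABLE[(crc ^ byte) & 0xFF]

class ZipCryptoEncryptor:
    """Encryption side of ZipCrypto; the decryption side lives in zipfile."""
    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)
    def _update(self, b):
        k = self.k
        k[0] = _crc_update(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_update(k[2], k[1] >> 24)
    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            t = self.k[2] | 2
            keystream = ((t * (t ^ 1)) >> 8) & 0xFF
            self._update(b)                # keys advance on the plaintext byte
            out.append(b ^ keystream)
        return bytes(out)

def make_encrypted_zip(name: bytes, data: bytes, password: bytes) -> bytes:
    """One stored entry, ZipCrypto-encrypted (general purpose flag bit 0 set)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header; its last byte must equal the top CRC byte,
    # which is the quick check a reader does before saying "bad password".
    header = bytes(range(0xA0, 0xAB)) + bytes([crc >> 24])
    body = ZipCryptoEncryptor(password).encrypt(header + data)
    dos_time, dos_date = 0, (1 << 5) | 1        # 1980-01-01 00:00:00
    local = struct.pack('<IHHHHHIIIHH', 0x04034B50, 20, 1, 0, dos_time, dos_date,
                        crc, len(body), len(data), len(name), 0) + name + body
    central = struct.pack('<IHHHHHHIIIHHHHHII', 0x02014B50, 20, 20, 1, 0,
                          dos_time, dos_date, crc, len(body), len(data),
                          len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack('<IHHHHIIH', 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd

def looks_like_zip(blob: bytes) -> bool:
    """The PK 03 04 local file header signature seen in the resource dump."""
    return blob.startswith(b"PK\x03\x04")

def extract_strings(blob: bytes, minimum: int = 4):
    """Printable ASCII runs of at least `minimum` bytes, like strings.py."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minimum, blob)]

def find_zip_password(zip_bytes: bytes, candidates):
    """Dictionary attack: first candidate that decrypts AND passes the CRC."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = zf.namelist()[0]
        for pwd in candidates:
            try:
                zf.read(name, pwd=pwd)     # raises on bad password or bad CRC
                return pwd
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None

# Constructed stand-ins: a fake PE image with the zip password sitting in clear
# text among ordinary strings, and the encrypted zip that password protects.
SAMPLE_PASSWORD = b"s3cr3t-zip-pw"
FAKE_EXE = (b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
            + b"This program cannot be run in DOS mode.\x00\x01\x02\x03"
            + b"WTSEnumerateSessionsA\x00\xff\xfe" + SAMPLE_PASSWORD
            + b"\x00\x00kernel32.dll\x00")
EMBEDDED_ZIP = make_encrypted_zip(b"spanish_note.rtf", b"{\\rtf1 hola}\n", SAMPLE_PASSWORD)
BUILTIN_LIST = [b"password", b"123456", b"letmein"]   # stand-in for the John list

if __name__ == "__main__":
    print("zip signature:", looks_like_zip(EMBEDDED_ZIP))
    print("built-in list:", find_zip_password(EMBEDDED_ZIP, BUILTIN_LIST))
    print("strings list: ", find_zip_password(EMBEDDED_ZIP, extract_strings(FAKE_EXE)))
```

The built-in list fails and the strings list succeeds, mirroring the two zipdump runs in the video. Note that `find_zip_password` catches `BadZipFile` as well as `RuntimeError`: the 12-byte header check only compares one byte, so roughly one wrong password in 256 gets past it and is only rejected by the CRC-32 check on the decrypted data.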