The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans.
The newly loaded DLL immediately begins encrypting files on the victim’s system and encrypts the user’s files with 128-bit AES. A random key is generated for the encryption of each file.
The malware also attempts to access the IPC$ shares and SMB resources the victim system has access to. This access permits the malware to spread itself laterally on a compromised network. However, the malware never attempts to attain a password from the victim’s account in order to access the IPC$ share.
This malware is designed to spread laterally on a network by gaining unauthorized access to the IPC$ share on network resources on the network on which it is operating.