GlobalHell2K17

WannaCry 2058.XIA File Command Response & Analysis

May 20th, 2019
root@Gibson:~# file 2058.XIA
2058.XIA: Zip archive data, at least v2.0 to extract

So it's essentially a ZIP file, and if we try to extract it we get this.

root@Gibson:~# unzip 2058.XIA
Archive: 2058.XIA
[2058.XIA] b.wnry password:

It's password protected, BUT going through the disassembly we see that the caller pushes a second argument onto the stack, so after changing the function signature from undefined4 FUN_00401dab(HMODULE param_1) to undefined4 FUN_00401dab(HMODULE param_1, char * param_2) the decompiler shows the call as:

FUN_00401dab((HMODULE)0x0, s_WNcry@2ol7_0040f52c);

So we try WNcry@2ol7 as the password for the ZIP file.

root@Gibson:~# unzip -P WNcry@2ol7 2058.XIA
Archive: 2058.XIA
inflating: b.wnry
inflating: c.wnry
inflating: msg/m_bulgarian.wnry
inflating: msg/m_chinese (simplified).wnry
inflating: msg/m_chinese (traditional).wnry
inflating: msg/m_croatian.wnry
inflating: msg/m_czech.wnry
inflating: msg/m_danish.wnry
inflating: msg/m_dutch.wnry
inflating: msg/m_english.wnry
inflating: msg/m_filipino.wnry
inflating: msg/m_finnish.wnry
inflating: msg/m_french.wnry
inflating: msg/m_german.wnry
inflating: msg/m_greek.wnry
inflating: msg/m_indonesian.wnry
inflating: msg/m_italian.wnry
inflating: msg/m_japanese.wnry
inflating: msg/m_korean.wnry
inflating: msg/m_latvian.wnry
inflating: msg/m_norwegian.wnry
inflating: msg/m_polish.wnry
inflating: msg/m_portuguese.wnry
inflating: msg/m_romanian.wnry
inflating: msg/m_russian.wnry
inflating: msg/m_slovak.wnry
inflating: msg/m_spanish.wnry
inflating: msg/m_swedish.wnry
inflating: msg/m_turkish.wnry
inflating: msg/m_vietnamese.wnry
inflating: r.wnry
inflating: s.wnry
extracting: t.wnry
inflating: taskdl.exe
inflating: taskse.exe
inflating: u.wnry

It works!
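The same triage, scripted, as an added example that is not part of the original paste: identify the container and its "v2.0 to extract" requirement, enumerate entries and their encryption flag, then verify a password candidate recovered from static analysis without blindly extracting, letting the ZipCrypto check byte and the CRC-32 reject wrong guesses. Because Python's zipfile can read but not write ZipCrypto-protected entries, the sample archive is hand-built in memory with a small ZipCrypto encryptor written here; the entry name, placeholder content, fixed header bytes and the "decoy-candidate" string are all constructed for the demo, and only the WNcry@2ol7 string comes from the analysis above.

```python
"""Triage of a password-protected ZIP dropped by a loader, in Python.

Mirrors the walkthrough: confirm the container type, enumerate entries
and their encryption flag, then test password candidates against the
first encrypted entry. The archive is constructed in memory so the
script runs offline; its name and content are placeholders.
"""
import io
import struct
import zipfile
import zlib

ZIPCRYPTO_FLAG = 0x0001  # general-purpose bit 0: traditional PKWARE encryption


def _zipcrypto_encrypt(password: bytes, plaintext: bytes, crc: int) -> bytes:
    """Traditional PKWARE (ZipCrypto) stream encryption of header + data.

    Byte 12 of the header is the high byte of the entry's CRC-32; a
    decryptor compares it after decryption to reject a wrong password cheaply.
    """
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def crc_byte(state: int, b: int) -> int:
        # One CRC-32 table step without zlib's pre/post inversion.
        return zlib.crc32(bytes([b]), state ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    def update(b: int) -> None:
        nonlocal k0, k1, k2
        k0 = crc_byte(k0, b)
        k1 = (k1 + (k0 & 0xFF)) & 0xFFFFFFFF
        k1 = (k1 * 134775813 + 1) & 0xFFFFFFFF
        k2 = crc_byte(k2, k1 >> 24)

    for b in password:
        update(b)
    # Real encryptors use 11 random bytes; fixed here so the sample is reproducible.
    header = bytes(range(11)) + bytes([(crc >> 24) & 0xFF])
    out = bytearray()
    for p in header + plaintext:
        k = k2 | 2
        out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)


def build_encrypted_zip(name: str, content: bytes, password: str) -> bytes:
    """Hand-build a single-entry STORED archive with a ZipCrypto-protected entry."""
    crc = zlib.crc32(content) & 0xFFFFFFFF
    enc = _zipcrypto_encrypt(password.encode(), content, crc)
    fname = name.encode()
    dos_time, dos_date = 12 << 11, ((2019 - 1980) << 9) | (5 << 5) | 20
    # Version needed = 20, which `file` reports as "at least v2.0 to extract".
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, ZIPCRYPTO_FLAG, 0,
                        dos_time, dos_date, crc, len(enc), len(content),
                        len(fname), 0) + fname + enc
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20,
                          ZIPCRYPTO_FLAG, 0, dos_time, dos_date, crc, len(enc),
                          len(content), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def triage_zip(blob: bytes, candidates) -> dict:
    """Identify the container, list entries, and test candidates on the first
    encrypted entry. 'password' stays None if no candidate verifies."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):  # looks for the end-of-central-directory record
        return {"is_zip": False}
    summary = {"is_zip": True, "entries": [], "password": None, "verified_bytes": 0}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            summary["entries"].append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & ZIPCRYPTO_FLAG),
                "min_version": f"{info.extract_version // 10}.{info.extract_version % 10}",
            })
        encrypted = [i for i in zf.infolist() if i.flag_bits & ZIPCRYPTO_FLAG]
        if not encrypted:
            return summary
        for pwd in candidates:
            try:
                # A wrong password fails the header check byte (RuntimeError) or,
                # in the 1-in-256 case it passes that, the data CRC-32 (BadZipFile).
                with zf.open(encrypted[0], pwd=pwd.encode()) as fh:
                    data = fh.read()
            except (RuntimeError, zipfile.BadZipFile):
                continue
            summary["password"], summary["verified_bytes"] = pwd, len(data)
            break
    return summary


def demo() -> dict:
    """Constructed scenario: one protected entry and two candidates, the second
    being the string the walkthrough recovered from the decompiled caller."""
    blob = build_encrypted_zip("b.wnry", b"constructed placeholder content", "WNcry@2ol7")
    return triage_zip(blob, ["decoy-candidate", "WNcry@2ol7"])


if __name__ == "__main__":
    print(demo())
```

Running the block prints a summary with the single entry flagged as encrypted, min_version "2.0", and password "WNcry@2ol7" after the decoy is rejected. Reading the entry through zipfile rather than calling unzip keeps the verification in-process and leaves nothing on disk until the password is confirmed.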