wannacry

General

Target

XClient.exe
Size

84KB
Sample

240408-pbt4eagg86
MD5

0b163732fcb85953d90e43880aa7e84f
SHA1

de6d7a236ea98c489a91a3d75e0343061bbe832f
SHA256

86cff0dbed58c5f05cc6ed8fcc6035f19e95803c2f44c879491d57c658b1694f
SHA512

1d75eab9c69c1f6720b096d3337a155cc8821eda4e57ae01d4b1118d20be3141561aa23545cf8b823b9629ded73a33744ea877b8ac0d65a4d0d8aaac4b35de21
SSDEEP

1536:39rC3KBSId2ckJb3GJ+raqLubhwVf3S6GYO226fUKMUJUWmdSs:Nrmod2ckV3GJ+erbcqYO2VUPUJUws

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:22569

147.185.221.19:22569

Attributes

Install_directory
%Temp%
install_file
java.exe

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Targets

- Target
  
  XClient.exe
- Size
  
  84KB
- MD5
  
  0b163732fcb85953d90e43880aa7e84f
- SHA1
  
  de6d7a236ea98c489a91a3d75e0343061bbe832f
- SHA256
  
  86cff0dbed58c5f05cc6ed8fcc6035f19e95803c2f44c879491d57c658b1694f
- SHA512
  
  1d75eab9c69c1f6720b096d3337a155cc8821eda4e57ae01d4b1118d20be3141561aa23545cf8b823b9629ded73a33744ea877b8ac0d65a4d0d8aaac4b35de21
- SSDEEP
  
  1536:39rC3KBSId2ckJb3GJ+raqLubhwVf3S6GYO226fUKMUJUWmdSs:Nrmod2ckV3GJ+erbcqYO2VUPUJUws
Score

10^/10

wannacry xworm evasion persistence ransomware rat spyware stealer trojan worm
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
behavioral1