wannacry

Sharing

Copy URL

Twitter E-mail

General

Target

2ab29016b3293871bd76b520af6255ef_JaffaCakes118
Size

4.3MB
Sample

240728-3ewcja1cmm
MD5

2ab29016b3293871bd76b520af6255ef
SHA1

a28fc86d07283b23c5a4609eca672be0653f9413
SHA256

dea137b7286f22ec0e69d7d85dc14ebacc4951d70d2303bd2b4f201cf4a52334
SHA512

d6f7b215a4ed125626e5d36961e389cfbebfcdb33b1f9e46c96c13d2de7749c417481cae0fcc9d82b9188755dbd28adcc8d257bf7ff0c1224651950f8c3a146c
SSDEEP

98304:zhi9+vG61S0je0fb8uPdferpaSUFSD6QAapb53C0hdTNBLOAAnL8w3n3:l2/+See0fAQfOpaXSDxAaC0zjLOAuIwn

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Targets

- Target
  
  webinjects.txt
- Size
  
  69KB
- MD5
  
  798f654ef8af8db3c44355d4bfda9ee4
- SHA1
  
  4eba8f81cd43cec138575e357d166e14bbafbce0
- SHA256
  
  234d7d11a0b0bc12e6bd6762411d27e19889d6fccaa7d7a4258a11e7331c1f4f
- SHA512
  
  1cf09220345ccea9180500f1e4cbeae3712c9cc02f40198d58701c8072a90eb17583ef0ea1105ffdcfcc4e109d182c8545daa4a51b533f705c8df45136fcd927
- SSDEEP
  
  384:EnXjehVhgLiNnZb+8oZW1/QeeSsyE/qXIidEB1oES4YiPEK1vZH/jfq0dPpq7YDs:eG9MWFVtSEK1vZH/L0+JpY
Score

3^/10

execution
behavioral1 behavioral2
- Target
  
  zsb.exe
- Size
  
  114KB
- MD5
  
  ea67f30e34edf7dfedc4e97c44adc6d5
- SHA1
  
  5ff147bf41ec70d13867663bd868042dd621711b
- SHA256
  
  6faf23e09610b497b4e54a17fb0a8679979b937ed04a123b9d9f99993302e9eb
- SHA512
  
  8912f75e2d4c67aaa6eb30d3653974edc11910540b172a4abf1936583e26a7dd2b47458d07f9f28d772b0c39ab0a2e2fb5593bef9e7e5a3c5f9b873896a34a07
- SSDEEP
  
  1536:TGKnRy4DLShqDz7jy7g/wahvET/IZGsjqCV92kpwRqZreyBTzd:TxRy4DLrnGgYSEccmL2I5B/d
Score

7^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3 behavioral4
- Target
  
  server[php]/cp.php
- Size
  
  54KB
- MD5
  
  4f092a3993c30c0f152e9ce5e888a8bd
- SHA1
  
  b06e0d68cb309a35a6bfa3678295fa086a8e4b52
- SHA256
  
  43cb41902d20189de76e9106bc0d486345f448e8754cd7e2946511f4017f1145
- SHA512
  
  dc9cdfa27484cc972db0baac098709f8af11dc7c5148a9e7f708fe713e47bb3f3172369ee735d502e670b7311b3b6e0388916744275da398fe05d39262e03be1
- SSDEEP
  
  768:V+fxXNQL1zuda57hcFJ0Hum4PN1ctKqYH9dWuKgYzMvpE7fiiMNCZUF+PqtaNqE:V+fhN4XWEHumEctTaWH0iRZm+SgEE
Score

3^/10

execution
behavioral5 behavioral6
- Target
  
  server[php]/system/jabberclass.php
- Size
  
  9KB
- MD5
  
  d46ea7e0d9a60101c4d713c81bd6bf01
- SHA1
  
  4865aabb32a200cfae0c0313b807b0fb16488baa
- SHA256
  
  3853d6f7dcc5eda551267524cdc5bf5a3cf2120c15a534a11ff400cefb38ef20
- SHA512
  
  0c6be7a78b7367db10597508aee9fee48018b233cfd687c8c14b58f1d6e1484dbb1e3c2a40ded0b28a86f2f370a41667f69532d65f11bf4877457bd3a609380e
- SSDEEP
  
  192:bQ7M4YbWDafQUD7JsqJXpsMapsMiQNVIQehqwkQDpgV5QWeHtRgQ8ZsK/4BP2QLs:EDeHJ07xwbyV10BPpDhUFMEpW2V
Score

3^/10

execution
behavioral7 behavioral8
- Target
  
  server[php]/system/reports_db.php
- Size
  
  35KB
- MD5
  
  44dd114a58f16f487d37721e8efa076c
- SHA1
  
  df8b574223ab35edde29b55ce61fdff470063c8f
- SHA256
  
  5612864760a625413d76b09d29068667accd6fa7c7b1b096288753a5757e5f0b
- SHA512
  
  6024ac282c4dbe83349cfd42e6f74f3894fb2de3d21c309bd6648953c9cc17b5d4b2425786d13f25db816f6b3337ef584c47c357b9887479576519a4e9ea7ce7
- SSDEEP
  
  768:AN540kNZfaszjd4SR/UNvyTHT/T6TFDoNvzjowfEhc88:/Zfaszjd4x5uD
Score

3^/10

execution
behavioral10 behavioral9
- Target
  
  server[php]/system/reports_files.php
- Size
  
  25KB
- MD5
  
  b068946cee6a626fafc66d1b7b56edca
- SHA1
  
  f8d0d9d63460e1b28b5503cbbe1935f3eef5022b
- SHA256
  
  64b204bbaae678481f669c2ace4338ceec9bd30a1df600f698210fe2ce90f9cc
- SHA512
  
  0ad0fecbce8747131278146d2d7acfff02753548074eba75ebc11f33990b7794d1bf34930f51e280bc311056fd640a0a8035e8dcf12a3d3b3b38f3d6e01f6ef8
- SSDEEP
  
  384:RQki93zqD/T4TX/4xG1gbhQZJzn6x84pCtgixQtIi2PA6Im4CgNr:RViMbT4TXgM1gbhQc84kaiiyi2BImiNr
Score

3^/10

execution
behavioral11 behavioral12
- Target
  
  server[php]/theme/footer.html
- Size
  
  32B
- MD5
  
  9930a6f5b310ee74d9355ffa7aa0d4be
- SHA1
  
  519e63f7bd08d45ec7b5ff20f3fb1e6c660b4a47
- SHA256
  
  65e80cc250792b5714b07e0a42260b162beb03a937808e6b918a5c67e54abb4f
- SHA512
  
  23114c7affea669f917780887ecff7473b6d59047fdf63cf5a96ce6fe15bf2f9f9459eb457f5a6b46720ab2f7b18e5cb216cbe5bc67f1c1d06014fe894eeeba6
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  server[php]/theme/header.html
- Size
  
  940B
- MD5
  
  d84db18b21d515e8aefc69a0a9c7c677
- SHA1
  
  c2c36ec611b9b8629e81e0532871595145174ebc
- SHA256
  
  ba2261aae5475e4ba460f9cdbbbfc8479825d3afcca0fbe0ec0a6a4cbd8d5af9
- SHA512
  
  de8713606e98cb7c51f0ea00c11983bc5b485a7c2b14dab846b8463643665595d3c150947f5717232610afbc63cbe436802e69bd39133630eb94f126d6d2a3fe
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  server[php]/theme/index.php
- Size
  
  20KB
- MD5
  
  9f5a33bbc823619215ddd5db58dd70e7
- SHA1
  
  133105476bfc33de11b914d0fd9ba527ff1936bf
- SHA256
  
  8718d335a7f7b787b4e7b6ba17790fd6467c98aa4679c3bb6052fcb0ddc018de
- SHA512
  
  42deea7ded4ce2c6e78aac7e1b6ac56dcd644f50ff8ce0081bf374315c30facdefebc4f47da4e3b51e934486e39754d99b948a870508491e97dda3c61566edbd
- SSDEEP
  
  384:bTSbrPZERoQ7hYNOpQIUuEKWShwX6kjsh:bTSbrPZERoQ7hcOpQIMKW+x
Score

3^/10

execution
behavioral17 behavioral18
- Target
  
  server[php]/theme/popupmenu.js
- Size
  
  1KB
- MD5
  
  c87ac7a25168df49a64564afb04dc961
- SHA1
  
  e8adb866c4f4c05920d76088c888c3af6b9e5832
- SHA256
  
  e922a32ccf04a756c910d0601dadb45d59b6e5ba89bbbc861506fadd36ec5bf1
- SHA512
  
  6aff3aca157316f3346ce97f46759d6a5794339fc9a4d86ae3cff6e3480cb1b17b3bf9d4e700e3c88a5698bcdd3ed5fa0c350c67fb203c9aad98f1afd6f8be5b
Score

3^/10

execution
behavioral19 behavioral20
- Target
  
  server[php]/theme/small.html
- Size
  
  529B
- MD5
  
  4a37792461cfe27187b5d9f9a29ae43c
- SHA1
  
  97c04b747c2e11e24c7fee0f93cb0c98e7803325
- SHA256
  
  ad945266a275784cc8c711ff9fe2650da6587d851245e04a45db8af46b34db58
- SHA512
  
  10ebf4a1935f076ae9faba0434eb6dc9253bc3b96ad3ec8e0dda8d3de30bc20d674a10d0f4feefed1c6924145834349ae33efd33f0e9853d1721b864083b698f
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  Builder.Panel/webinjects.txt
- Size
  
  69KB
- MD5
  
  798f654ef8af8db3c44355d4bfda9ee4
- SHA1
  
  4eba8f81cd43cec138575e357d166e14bbafbce0
- SHA256
  
  234d7d11a0b0bc12e6bd6762411d27e19889d6fccaa7d7a4258a11e7331c1f4f
- SHA512
  
  1cf09220345ccea9180500f1e4cbeae3712c9cc02f40198d58701c8072a90eb17583ef0ea1105ffdcfcc4e109d182c8545daa4a51b533f705c8df45136fcd927
- SSDEEP
  
  384:EnXjehVhgLiNnZb+8oZW1/QeeSsyE/qXIidEB1oES4YiPEK1vZH/jfq0dPpq7YDs:eG9MWFVtSEK1vZH/L0+JpY
Score

3^/10

execution
behavioral23 behavioral24
- Target
  
  Builder.Panel/zeus.exe
- Size
  
  3.4MB
- MD5
  
  84c82835a5d21bbcf75a61706d8ab549
- SHA1
  
  5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
- SHA256
  
  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
- SHA512
  
  90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
- SSDEEP
  
  98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Sets desktop wallpaper using registry
  ransomware
behavioral25 behavioral26
- Target
  
  Builder.Panel/zsb.exe
- Size
  
  114KB
- MD5
  
  ea67f30e34edf7dfedc4e97c44adc6d5
- SHA1
  
  5ff147bf41ec70d13867663bd868042dd621711b
- SHA256
  
  6faf23e09610b497b4e54a17fb0a8679979b937ed04a123b9d9f99993302e9eb
- SHA512
  
  8912f75e2d4c67aaa6eb30d3653974edc11910540b172a4abf1936583e26a7dd2b47458d07f9f28d772b0c39ab0a2e2fb5593bef9e7e5a3c5f9b873896a34a07
- SSDEEP
  
  1536:TGKnRy4DLShqDz7jy7g/wahvET/IZGsjqCV92kpwRqZreyBTzd:TxRy4DLrnGgYSEccmL2I5B/d
Score

7^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral27 behavioral28