Overview

overview

10

Static

static

3

GoDm/.git/...sample

windows10-2004-x64

6

GoDm/.git/...sample

windows10-2004-x64

3

GoDm/.git/...sample

windows10-2004-x64

3

GoDm/.git/...sample

windows10-2004-x64

3

GoDm/.git/...sample

windows10-2004-x64

3

GoDm/.git/...sample

windows10-2004-x64

3

GoDm/.git/...sample

windows10-2004-x64

3

GoDm/.git/...sample

windows10-2004-x64

3

GoDm/.git/...sample

windows10-2004-x64

3

GoDm/.git/...sample

windows10-2004-x64

GoDm/.git/...sample

windows10-2004-x64

6

GoDm/.git/...sample

windows10-2004-x64

3

GoDm/.git/...sample

windows10-2004-x64

3

GoDm/source.exe

windows10-2004-x64

6

GoDm/src/c...ent.js

windows10-2004-x64

3

GoDm/src/c...per.js

windows10-2004-x64

3

GoDm/src/c...ls.vbs

windows10-2004-x64

1

GoDm/src/task/task.js

windows10-2004-x64

3

Resubmissions

01-02-2025 20:13

250201-yzt8razpaq 8

01-02-2025 18:19

250201-wymq6svjbs 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    GoDm.zip

  • Size

    7.7MB

  • Sample

    250201-wymq6svjbs

  • MD5

    ce486f16b14240fa3c9da7dbf0883e35

  • SHA1

    9b2843811b7cee87138a675dead3d891a48b9be9

  • SHA256

    41f5035bd0070cd9b240d684e1b055d9d76140ab53196cac1a6172b9490a3063

  • SHA512

    fe35664b3fb8c1e4cee9a56b5f2c0963a55ffdfebe4b619c4070c70d6c6a316b08f410b1519cf3774762b28c5d3bd8895e831caedee89fba9ed961c02648e4ff

  • SSDEEP

    196608:EwW+LSbSSxaqah9Qo1bcBtC9cm2PQsZyCveLMRMg1fiH:A+mRwP91aE2PQsYCmMF6H

Score
10/10
wannacryaspackv2defense_evasiondiscoveryexecutionimpactmotwpersistencephishingransomwarespywarestealerworm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Targets

    • Target

      GoDm/.git/hooks/applypatch-msg.sample

    • Size

      478B

    • MD5

      ce562e08d8098926a3862fc6e7905199

    • SHA1

      4de88eb95a5e93fd27e78b5fb3b5231a8d8917dd

    • SHA256

      0223497a0b8b033aa58a3a521b8629869386cf7ab0e2f101963d328aa62193f7

    • SHA512

      536cce804d84e25813993efdd240537b52d00ce9cdcecf1982f85096d56a521290104c825c00b370b2752201952a9616a3f4e28c5d27a5b4e4842101a2ff9bee

    Score
    6/10
    discovery

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

    • Target

      GoDm/.git/hooks/commit-msg.sample

    • Size

      896B

    • MD5

      579a3c1e12a1e74a98169175fb913012

    • SHA1

      ee1ed5aad98a435f2020b6de35c173b75d9affac

    • SHA256

      1f74d5e9292979b573ebd59741d46cb93ff391acdd083d340b94370753d92437

    • SHA512

      d6bb7fa747f4625adf1877f546565cbe812ca7dd4168f7e9068e6732555d8737eba549546cf5946649e3f38de82d173aaf9c160a4c9f9445655258b4c5f955eb

    Score
    3/10
    behavioral2

    • Target

      GoDm/.git/hooks/fsmonitor-watchman.sample

    • Size

      4KB

    • MD5

      a0b2633a2c8e97501610bd3f73da66fc

    • SHA1

      0ec0ec9ac11111433d17ea79e0ae8cec650dcfa4

    • SHA256

      e0549964e93897b519bd8e333c037e51fff0f88ba13e086a331592bf801fa1d0

    • SHA512

      5168643c1768ec83554a9066754507a781b6d14251a46a469222d462efc6ca87a72c90679154e8a723349c91e7772b32ac9b08dfe313cded0ee0a6f17885079e

    • SSDEEP

      96:GFCscBOvOFXDgRvi/3UCwN4ZlkRo/j5SpoNOBoi+geBIzCa:GFCsEOmWRa8CwN4ZqRo7geEk3IzCa

    Score
    3/10
    behavioral3

    • Target

      GoDm/.git/hooks/post-update.sample

    • Size

      189B

    • MD5

      2b7ea5cee3c49ff53d41e00785eb974c

    • SHA1

      b614c2f63da7dca9f1db2e7ade61ef30448fc96c

    • SHA256

      81765af2daef323061dcbc5e61fc16481cb74b3bac9ad8a174b186523586f6c5

    • SHA512

      473ad124642571656276bf83b9ff63ab1804d3c23a5bdae52391c6f70a894849ac60c10c9d31deff3938922ce83b68b1e60c11592bbf7ea503f4acd39968cefa

    Score
    3/10
    behavioral4

    • Target

      GoDm/.git/hooks/pre-applypatch.sample

    • Size

      424B

    • MD5

      054f9ffb8bfe04a599751cc757226dda

    • SHA1

      f208287c1a92525de9f5462e905a9d31de1e2d75

    • SHA256

      e15c5b469ea3e0a695bea6f2c82bcf8e62821074939ddd85b77e0007ff165475

    • SHA512

      cb78aa7e9b9c146e5db65d86dd83f04e2b6942a06fab50c704a0fd900683f3b6ad1164e74afe2f267f6da91cdff0b9ab07713e12cefc6f8d741b5df194f4fda6

    Score
    3/10
    behavioral5

    • Target

      GoDm/.git/hooks/pre-commit.sample

    • Size

      1KB

    • MD5

      305eadbbcd6f6d2567e033ad12aabbc4

    • SHA1

      a79d057388ee2c2fe6561d7697f1f5efcff96f23

    • SHA256

      f9af7d95eb1231ecf2eba9770fedfa8d4797a12b02d7240e98d568201251244a

    • SHA512

      7cfb0a58abed1915ee1b261a1c661c7e2deea4e9227f77f5875af1a25c82e19245ba12dcb2f5052d994d0e81a3465daf37f9d8c670e17f9c96742f60fdfaaa56

    Score
    3/10
    behavioral6

    • Target

      GoDm/.git/hooks/pre-merge-commit.sample

    • Size

      416B

    • MD5

      39cb268e2a85d436b9eb6f47614c3cbc

    • SHA1

      04c64e58bc25c149482ed45dbd79e40effb89eb7

    • SHA256

      d3825a70337940ebbd0a5c072984e13245920cdf8898bd225c8d27a6dfc9cb53

    • SHA512

      e4dc204494f5062efa3032b00c64707a4f38978040482501b3e085f071e3ee5a9737d537e6a52002ceb4ebe2bfe09e555c5d969581e80b3eba2a922015c67960

    Score
    3/10
    behavioral7

    • Target

      GoDm/.git/hooks/pre-push.sample

    • Size

      1KB

    • MD5

      2c642152299a94e05ea26eae11993b13

    • SHA1

      a599b773b930ca83dbc3a5c7c13059ac4a6eaedc

    • SHA256

      ecce9c7e04d3f5dd9d8ada81753dd1d549a9634b26770042b58dda00217d086a

    • SHA512

      cc98bbe0e3865e2023af04416e10689e3aecd3f3928cf90c2acc0d3d7306388886779025c8967c8ea198af1f4fe29d16c65d4e1d546c7a8fa513f5ba7df16850

    Score
    3/10
    behavioral8

    • Target

      GoDm/.git/hooks/pre-rebase.sample

    • Size

      4KB

    • MD5

      56e45f2bcbc8226d2b4200f7c46371bf

    • SHA1

      288efdc0027db4cfd8b7c47c4aeddba09b6ded12

    • SHA256

      4febce867790052338076f4e66cc47efb14879d18097d1d61c8261859eaaa7b3

    • SHA512

      00d21d5d72386c3d9b5a1c36ba85201f730556a8295d4353af54af7892ab81010d42aff209ec1fda61c54e4dda3737cea5fda64f09d40ce5004ae28239565025

    • SSDEEP

      96:vJ7EgXasqXq6zaqK1ep8m5MDVUT2bTEwEWDhG38deyig9yhCLtQH:vJ4gXasI1zaqKwUTHhzeyil4tm

    Score
    3/10
    behavioral9

    • Target

      GoDm/.git/hooks/pre-receive.sample

    • Size

      544B

    • MD5

      2ad18ec82c20af7b5926ed9cea6aeedd

    • SHA1

      705a17d259e7896f0082fe2e9f2c0c3b127be5ac

    • SHA256

      a4c3d2b9c7bb3fd8d1441c31bd4ee71a595d66b44fcf49ddb310252320169989

    • SHA512

      ee08c11fab7e896b2e09c241954ba7640338b12c75cd8040daf053c31b2f22236d7a0deac736f89d305236312fdb4f560a38d4d8debdcc9dcdd23b2d975907d5

    Score
    10/10
    wannacryaspackv2defense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealerworm

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Wannacry family

      wannacry

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Disables Task Manager via registry modification

      defense_evasion

    • Downloads MZ/PE file

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

      persistence

    • Sets desktop wallpaper using registry

      ransomware
    behavioral10

    • Target

      GoDm/.git/hooks/prepare-commit-msg.sample

    • Size

      1KB

    • MD5

      2b5c047bdb474555e1787db32b2d2fc5

    • SHA1

      2584806ba147152ae005cb675aa4f01d5d068456

    • SHA256

      e9ddcaa4189fddd25ed97fc8c789eca7b6ca16390b2392ae3276f0c8e1aa4619

    • SHA512

      50ec8a0dd98427e80a82a8d8ce44462a845876e1594c9d0e89483ce9a8aaad616edea0e5c45c1bb69d8fe7f520c6f2260d6fa350d77b400899c3ae375e965bfb

    Score
    6/10
    discoverymotwphishing

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

      phishingmotw
    behavioral11

    • Target

      GoDm/.git/hooks/push-to-checkout.sample

    • Size

      2KB

    • MD5

      c7ab00c7784efeadad3ae9b228d4b4db

    • SHA1

      508240328c8b55f8157c93c43bf5e291e5d2fbcb

    • SHA256

      a53d0741798b287c6dd7afa64aee473f305e65d3f49463bb9d7408ec3b12bf5f

    • SHA512

      586efb6a206f73d8a94561266153a624e2753830bc431a283bed998c46ac00a9df4995ddfd0aa852b1a22b4672c80f2c33cee3fe2e3321e392ff4cef26dbf75e

    Score
    3/10
    behavioral12

    • Target

      GoDm/.git/hooks/update.sample

    • Size

      3KB

    • MD5

      647ae13c682f7827c22f5fc08a03674e

    • SHA1

      730e6bd5225478bab6147b7a62a6e2ae21d40507

    • SHA256

      8d5f2fa83e103cf08b57eaa67521df9194f45cbdbcb37da52ad586097a14d106

    • SHA512

      be3780974589d06eddba6fa0aa15a3e3dfe390e2827a1a6ae5cb83d6ac47e79ef9b1bbb53f067372f8dc70db0350d3770e78537fd3cfe734200ff824eca4cada

    Score
    3/10
    behavioral13

    • Target

      GoDm/source.exe

    • Size

      13.5MB

    • MD5

      5df1ae0ac565c650821135785b158021

    • SHA1

      25d21ca9c049a6ab821734093a58c1b9fd7789e4

    • SHA256

      43f604cdb1bc8ceab09dfffe2198e7d7829712ab834a1c5c7fe5171c8c5368fb

    • SHA512

      fc734695cdc694e218675aeea07386e35a47b2f23a71608ef07be10f5a1e80dcc24b6177d28597a74a06cb4a65cab5506bfc5d197a3a420f61b6a52e29aa1da0

    • SSDEEP

      196608:sZhXsph78ipqLZINPMTQB6YoTu19lcviP1sfGbbU0:7L78BLZdTQB6Yok9lco1P3

    Score
    6/10

    • Legitimate hosting services abused for malware hosting/C2

    behavioral14

    • Target

      GoDm/src/client/client.go

    • Size

      1KB

    • MD5

      8c5935665dadb125eeb400e1766820ef

    • SHA1

      c2b30d5e35c136f6e95cdab3848e152f55bc1ffe

    • SHA256

      330161f9e8d0e99532f15a3d62914380ef45184795956718627f6655216eae58

    • SHA512

      2ebe65e23e0050894424e0d786efb90f09637a0e3ef312b8731b2b6ad7d0de39173bc3f2916644f269ea39b4d26147b7e2d913c8fa6ea59fc0c7587221c54b4e

    Score
    3/10
    execution
    behavioral15

    • Target

      GoDm/src/client/roundtripper.go

    • Size

      5KB

    • MD5

      afa220d02518e90e8679432f3b6f8482

    • SHA1

      d9c0ece40b14730d12c4810e7cb1b1ceab5600d6

    • SHA256

      ce1e3652a89bec26a63ca7cb0c77db0a132de3769463f6d47018b9c131ea53a0

    • SHA512

      0d730a9bfdf65d063bcf2c4662dceaef67cf8d7d67e1f2bd5beac1a39fb3808d8b85fd38d4b51c43792fac1d1bc60f2e1744e34cc36c9f508b909c60c950531e

    • SSDEEP

      96:7VBl/0FoOqM/zT6+7r7Q2KuxMBULUe4smLK0clPHgjrXu9g133:GdVn+ULU610oPgSg9

    Score
    3/10
    execution
    behavioral16

    • Target

      GoDm/src/client/utils.go

    • Size

      8KB

    • MD5

      d463de437df7290c672c3782d76e3641

    • SHA1

      e16e8e8c692edb08f2e4242f6f3acc342793e03d

    • SHA256

      708bfe6da9694b40eaedf51395da61138505cc5260055cccb47d6619b71ef8b2

    • SHA512

      c0abc9718da0acb669478b1407a83fd2143e2ef036a029adb6006b38ff0783bdbcf37953e8fbf213243f8900e4ccbcfa0e227468d99e96443eb4d3420119254e

    • SSDEEP

      192:W3piHeTNiebJmehZziojsacdZ6aT77Ze/irn:W3IKrJmkWosP7Ze/ir

    Score
    1/10
    behavioral17

    • Target

      GoDm/src/task/task.go

    • Size

      7KB

    • MD5

      9ac2207ecd2162bf517d85cfc0d077f7

    • SHA1

      2a76f10d250962ce09a1ffa7892e904bd8483c85

    • SHA256

      d4b1f6e9301bf7466c40a53065445fc90635e7702ff0adec80bda34a82822590

    • SHA512

      b05bb5304a75f404ffd313fedebb56d64f41646ab016fed47d0d8d3d0389953045a13f4a57a2ed54bbb350d8a5b296cb925deeb9c2e4af847638fc3ea1d6b203

    • SSDEEP

      96:Lz1mJO9++eJlPQGXUfqRZTyqjzKbkKAmG+BC+8gbusqKbkUlYZBJGPpzd9++BJoy:YiOTPf3ZRjZt+IoxbxOjNjm

    Score
    3/10
    execution
    behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

JavaScript

1
T1059.007

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

File and Directory Permissions Modification

2
T1222

Windows File and Directory Permissions Modification

1
T1222.001

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

5
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

1
T1490

Tasks