General

  • Target

    87b1a87121d9cff070e9f2a004df78c2_JaffaCakes118

  • Size

    1.4MB

  • Sample

    240531-vedhqaee6x

  • MD5

    87b1a87121d9cff070e9f2a004df78c2

  • SHA1

    7d0c750e3d85c1d1a46301042432a5568e59b8ee

  • SHA256

    668f4d750f26504348477e32cb73aff0cd68d8a0997619f2d1402338d3011f03

  • SHA512

    6c65c06d9d814bda71e89d2c0f7f581f418709f7c822a59aa037609c45a98bce2223c99042bc2e6a0653746cd7896ba13508da186d288200b8f5124a758bd4aa

  • SSDEEP

    24576:Kgb5evea/uZViytg5/sRkHYbR9StHT55bjAVf5gDaQ0JIsziQAJLGNgjWYzGth:Kgk5EBMsRkHYbRcpVDaryZzJSNdbh

Targets

    • Target

      fotos/Thumbs.db

    • Size

      1.5MB

    • MD5

      7b6b62a073d6eccd911a4c6a4712c14c

    • SHA1

      7f4af629ea1a62e74ba039e5b7163a7144257448

    • SHA256

      d9b75d82e6374a165ce1d4c6440292ea81d7fe29a037a7fff25478aef57bf553

    • SHA512

      7bdcd151fb90b906e9ec8c230c1d8aeec3f7b9bbdf51dfbeb87441214a193ba81f84f0c58bb3cc3d8f4f8bb37c92404e9e7ab6eea78aca46fe224d0d03673a36

    • SSDEEP

      24576:IkWAAuqeAg2x/cBWeeDYc9uuE7Hmo0baLWdnhMDW+H56FoGqTWPeB8S+GsZNpz7:IHg2x/cc9DlQGzWLW1hMDRH5cJK8S+Jt

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware family first seen in 2020.

    • Renames multiple (2044) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

    • Target

      fotos/foto1.lnk

    • Size

      1KB

    • MD5

      dd3735c04fd4134d97f38b34b5544e3b

    • SHA1

      d250a2a1b545e51c3b3dffaa90b5cb0b2f30f090

    • SHA256

      23ee733b758eb9c05061cd93fe7856e7ae9cea68702b6d833ee3778419ba6b02

    • SHA512

      b574e4347ac9272ed2b9a0b0f373085acc58a08500b81713385d0fe85907fbf62eb0e5741246cb9fb9c0ac5301d953f6b5e8e189faf5d85f7ea6e49545380add

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware family first seen in 2020.

    • Renames multiple (2049) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

    • Target

      fotos/foto2.lnk

    • Size

      1KB

    • MD5

      dd3735c04fd4134d97f38b34b5544e3b

    • SHA1

      d250a2a1b545e51c3b3dffaa90b5cb0b2f30f090

    • SHA256

      23ee733b758eb9c05061cd93fe7856e7ae9cea68702b6d833ee3778419ba6b02

    • SHA512

      b574e4347ac9272ed2b9a0b0f373085acc58a08500b81713385d0fe85907fbf62eb0e5741246cb9fb9c0ac5301d953f6b5e8e189faf5d85f7ea6e49545380add

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware family first seen in 2020.

    • Renames multiple (2044) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext
