xorist | 37892b106151d95d58ba7709e4e742720b72d33dc65763be51b49f18b9c9da50

Reason

Machine shutdown

General

Target

093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe
Size

540KB
MD5

093fc6529d2e14e9a39bf7eccd93996e
SHA1

7de0a9ff175cd2074cd53ac6554715deab9d8455
SHA256

37892b106151d95d58ba7709e4e742720b72d33dc65763be51b49f18b9c9da50
SHA512

03cbba9db5e730ff293a718bea5673885aa60bf6b46ba72bd28063490cd2411eb5703b3720ff3efc124b0e56bd9dc617428572856a05ec9a41cbb494601b008a
SSDEEP

3072:mhaV4SMBTNEMvTHVmulZoZVz93FT36MkIhMz+nmMS:mE4SMB6MvTHVmuPoZ3FT36wVnmM

Score

10^/10

xorist bootkit discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 1 IoCs

resource	yara_rule
behavioral1/memory/2608-69-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist

Executes dropped EXE 3 IoCs

pid	Process
2640	saverbl.exe
2608	blockk.exe
2656	sys3.exe

Loads dropped DLL 6 IoCs

pid	Process
1724	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe
1724	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe
1724	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe
1724	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe
2640	saverbl.exe
2640	saverbl.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000014216-25.dat	upx
behavioral1/memory/2608-34-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2608-69-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f05G223qnsuh438.exe"	blockk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	saverbl.exe
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HGGLRPWRBURGDWF	blockk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HGGLRPWRBURGDWF\ = "CRYPTED!"	blockk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HGGLRPWRBURGDWF\DefaultIcon	blockk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HGGLRPWRBURGDWF\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f05G223qnsuh438.exe,0"	blockk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.PoPaDaLoVo	blockk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.PoPaDaLoVo\ = "HGGLRPWRBURGDWF"	blockk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HGGLRPWRBURGDWF\shell\open\command	blockk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HGGLRPWRBURGDWF\shell	blockk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HGGLRPWRBURGDWF\shell\open	blockk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HGGLRPWRBURGDWF\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f05G223qnsuh438.exe"	blockk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1724	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2656	sys3.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2640	1724	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe	28
PID 1724 wrote to memory of 2640	1724	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe	28
PID 1724 wrote to memory of 2640	1724	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe	28
PID 1724 wrote to memory of 2640	1724	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe	28
PID 1724 wrote to memory of 2608	1724	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe	29
PID 1724 wrote to memory of 2608	1724	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe	29
PID 1724 wrote to memory of 2608	1724	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe	29
PID 1724 wrote to memory of 2608	1724	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe	29
PID 1724 wrote to memory of 2716	1724	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe	30
PID 1724 wrote to memory of 2716	1724	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe	30
PID 1724 wrote to memory of 2716	1724	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe	30
PID 1724 wrote to memory of 2716	1724	093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2656	2640	saverbl.exe	31
PID 2640 wrote to memory of 2656	2640	saverbl.exe	31
PID 2640 wrote to memory of 2656	2640	saverbl.exe	31
PID 2640 wrote to memory of 2656	2640	saverbl.exe	31

C:\Users\Admin\AppData\Local\Temp\093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\saverbl.exe
  "C:\Users\Admin\AppData\Local\Temp\saverbl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\sys3.exe
    C:\Users\Admin\AppData\Local\Temp\\sys3.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- C:\Users\Admin\AppData\Local\Temp\blockk.exe
  "C:\Users\Admin\AppData\Local\Temp\blockk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  PID:2608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\093fc6529d2e14e9a39bf7eccd93996e_JaffaCakes118.exe" >> NUL
  2⤵
  PID:2716

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1852

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
1023B

MD5
0a21b17f4a555ac725899f5ca5c25ad3

SHA1
25be1b261943f9685fa4511bdfc373c7f17bf0b6

SHA256
8a99230a60ffd59b95e0b7f0ebf20aba0a43ccf5ada675c4d9adb138d57bede1

SHA512
9cc18c44bb7b8cf12cca8f80e2cb7499cef5433fba7cd4ad5e48d68d3ade8d3e0ea30a839b1f78d48557380e1d82497c6786cdd5e7d244f741d4b3669dd70e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\NO_PWDS_report_24-06-2024_15-12-08-7E6F69B3-AABB.bin

Filesize
1KB

MD5
9f1153efb109e43d80888e89f1677cbf

SHA1
86c20c5d7f8154b12f29d17f1f29f79430e0bfbb

SHA256
3ff0ac1ef6dad4ed72733c65d8c2dc49407030466b845447e8fd1d7599ec29c1

SHA512
f9f539667bf1a59422a085ee3b7818e062ffac35d9171c897682c3e4e40baa4cc2c1b1d944b8e550927d67fbf987786aef56c7ccafddb7d4cb5a613280973fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\saverbl.exe

Filesize
10KB

MD5
f14e212d976dc625bd21f49b84419846

SHA1
11e9f9c1ef4601bb6243aafb365a921e36e4d9a9

SHA256
1e3e93cc8fdb08a9712829d9b1bc2bc88acddc9e05daeb7c69c65421fb653bfe

SHA512
4172f1b9ea87806b67403313a9540fddeaeb3e60037e75fb4367700ba64e6c21a6bd629db6d009a73e1b4131679e9939990ed94318332f05cf3b6df7a424baf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\systm.txt

Filesize
45B

MD5
a65ae7589c003776677e39afab99bfb0

SHA1
96df2e7f36a623efbf9ea2a522a72f41632bb262

SHA256
3423754ba097beeedcb209e436c543046ddd7c7b28b3a64bfcd7e1dd3896a52f

SHA512
7372eafc20acdd9744d22f15626c853a780864a7ddb9133cee7f8a73c14b4b8cb0e05c08b18fb88d5393078323d6d04f2d340c0e1adc9213464d5abc12bfc1d5

Download Submit
\Users\Admin\AppData\Local\Temp\blockk.exe

Filesize
8KB

MD5
5eee66a8bd72026d2131ef0b8ab3a617

SHA1
e1b049c2cea82f2c422c55b31a25f7be34cfaa0b

SHA256
cbd9fb7ee373ceffe599ebc726b6bdd2bd9cc66270b6b526ee6cf04b563dd3ef

SHA512
2282bc8367359fa04004a546a52b8771d3b4d9e266d93704c8d6b109b08654ea521b281a5e37abd39fa7360f53fc3ba007467ba19baa9bad26e5413b621028b7

Download Submit
memory/1724-22-0x000000002AA00000-0x000000002AA05000-memory.dmp

Filesize
20KB

Download
memory/1724-23-0x000000002AA00000-0x000000002AA05000-memory.dmp

Filesize
20KB

Download
memory/1724-33-0x0000000004730000-0x000000000473C000-memory.dmp

Filesize
48KB

Download
memory/1724-32-0x0000000004730000-0x000000000473C000-memory.dmp

Filesize
48KB

Download
memory/1724-40-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1724-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1724-5-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2608-34-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2608-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2640-24-0x000000002AA00000-0x000000002AA05000-memory.dmp

Filesize
20KB

Download
memory/2640-49-0x0000000000240000-0x0000000000245000-memory.dmp

Filesize
20KB

Download
memory/2640-46-0x000000002AA00000-0x000000002AA05000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads