Extracted

• • Target

    38ada7385b9b2dd24325556405aab67e_JaffaCakes118

  • Size

    287KB

  • MD5

    38ada7385b9b2dd24325556405aab67e

  • SHA1

    3b526fb132265a045f2d382ac4ab93a9fb090105

  • SHA256

    4878188d81ff6fd5465b58fbb0b05fe7a33b0cd455211236e116d084e4f9fd5d

  • SHA512

    a22d7a94ec252d380da7c3142627d11b43014eddf6e4ccd4ccc68ec58dd22ba4c081215362446002e0ba640d073dd9684bc6b66f0fe5349bc58785419a564433

  • SSDEEP

    384:B6+yKcFkZocuQT2HSR27cCadBk2ujc1Oe+h1+4mser+EoA4M8itIGFbxDNJKD56d:BgvFEoc9507cHB+ML+hbmoDY8iRpJcQ

  Score

  10^/10

  gozixoristbankerdiscoveryisfbpersistenceransomwarespywarestealertrojanupx

  • Detected Xorist Ransomware

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi

  • Xorist Ransomware

    Xorist is a ransomware first seen in 2020.

    ransomwarexorist

  • Renames multiple (2157) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Drops file in Drivers directory

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2