Overview

overview

10

Static

static

3

414d06a8dc...18.exe

windows10-2004-x64

10

Resubmissions

13-10-2024 18:29

241013-w44lwa1dpd 10

13-10-2024 18:05

241013-wn94qazelh 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    414d06a8dca67540149d09179683c4f8_JaffaCakes118

  • Size

    516KB

  • Sample

    241013-w44lwa1dpd

  • MD5

    414d06a8dca67540149d09179683c4f8

  • SHA1

    0782d21a8f45b1e5ba2d981db5b3e5cff23822c4

  • SHA256

    43694a890d49248ef9336363dad7c2eb1ff1acba24a8f25cb4cc4181213a0495

  • SHA512

    d1b9b13ed10e1d26333a75949a0dab298f5df5cda533344e0f91dcb3246bdca687d5ebae25380a620704d94877db2385eb1274c670d3460f72f115859fd867a8

  • SSDEEP

    12288:tfhpwRVXqP5EKso+DVce8vu+HVY1LrStUkPdESN:tkRdqP5E8YVRkVorDeN

Score
10/10
xoristdiscoverypersistenceransomwarespywarestealerupx

Malware Config

Targets

    • Target

      414d06a8dca67540149d09179683c4f8_JaffaCakes118

    • Size

      516KB

    • MD5

      414d06a8dca67540149d09179683c4f8

    • SHA1

      0782d21a8f45b1e5ba2d981db5b3e5cff23822c4

    • SHA256

      43694a890d49248ef9336363dad7c2eb1ff1acba24a8f25cb4cc4181213a0495

    • SHA512

      d1b9b13ed10e1d26333a75949a0dab298f5df5cda533344e0f91dcb3246bdca687d5ebae25380a620704d94877db2385eb1274c670d3460f72f115859fd867a8

    • SSDEEP

      12288:tfhpwRVXqP5EKso+DVce8vu+HVY1LrStUkPdESN:tkRdqP5E8YVRkVorDeN

    Score
    10/10
    xoristdiscoverypersistenceransomwarespywarestealerupx

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

      ransomwarexorist

    • Renames multiple (6374) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks