Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-10-2024 09:18

General

  • Target

    61797409f8b005b6cacf5e59851b5dbe_JaffaCakes118.exe

  • Size

    91KB

  • MD5

    61797409f8b005b6cacf5e59851b5dbe

  • SHA1

    5536bd41d054abbdbc40610d6a0a136243e08cc7

  • SHA256

    c141071bbe9887987205704086574b923a8f9d1197458e7298025d0c8dd2d36e

  • SHA512

    4fa58c509459edd2b29c17c8a7906c00d2fdef33383495ff908ac8aa08e189d4e0f883b03efab281dbb24b7103dea9c88b64900f3f3e3aebbe31a73f182d668d

  • SSDEEP

    1536:rr4NzX0Xt75M2V2f+ffGQzRbtFO8616Cs:rriEd75M2V2fS+QtbtG

Malware Config

Signatures

  • Detected Xorist Ransomware 3 IoCs
  • Xorist Ransomware

    Xorist is a ransomware first seen in 2020.

  • Renames multiple (682) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 64 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61797409f8b005b6cacf5e59851b5dbe_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\61797409f8b005b6cacf5e59851b5dbe_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

    Filesize

    2KB

    MD5

    7fa2a02c2c1699330fdd2b01829424be

    SHA1

    52e7983b01bb82c20d902e428377c870561c9d06

    SHA256

    8391a2e106085d21ce7803f08c05d8c86c5fc1034cc0a9ad196e5f22fd5b0e50

    SHA512

    21bac50e490eb017cf0875ec5c5bce662ce36c97592a7f52c008b885ca61f8478ddf468e0bc692d4c553c02711b594ccc1ad93d054de99ea338fe2ea262bc63f

  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

    Filesize

    6KB

    MD5

    754ceb8f2ad9e9de7a98a60dce03cd2d

    SHA1

    905640db439cf27871d722ca8647b50e21b7f972

    SHA256

    68cea62c3de690f94503db839a5f288c08d4cbd7dda6181660ced567c098ad6e

    SHA512

    a087fca7750581232855de9093d3bfe99aad10fe221071e9b64ad0b33ff6346d5db4cb9882d19d3ba690c25f2b93bb3539285792ada3fcd2b3d17f811c3054ec

  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

    Filesize

    3KB

    MD5

    e560f3a02a4c1cb5ce5af799deb33584

    SHA1

    25b3da07d67dac0be81ce1715ba8bd63574516c2

    SHA256

    d0b40a9e6067adc340a8ae3f0422ca513e261eed6dc9b92b0dc3e6ec94830438

    SHA512

    eaf8fb6aec5f5236c5e078327ba8747c400a9ad47cdafdc0fd658c2475bf22b89d44ee8f27c360d25662a54945bbc9ffeae47bc671744423e4c1771867f1e418

  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

    Filesize

    5KB

    MD5

    313c7a4643a0048f455cdab6e971b70a

    SHA1

    14309dc219c5dedd3f17a8bd72144cccd384f9da

    SHA256

    3a8b8570c76bbeb9a50564756e3c50597068235f7723a7f211f9d3e15ef3955b

    SHA512

    7ffd6e8edd2aa271386ea1cb72b2ced9a182d32e3cd299bb06876ac054b529677d90e6c04a2e4370f0d6e577d444072592b8cc96cb4cb3980e95745c0fbad211

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    bcaa63c30380c92c373c591124ddff0e

    SHA1

    8a48287df78c7f84452fd1c68fa6985664c4980b

    SHA256

    a2052fe76bab5defbf4d7955175164a398844da028fbfb88ea84f896a01bd0dd

    SHA512

    95eee86c7768a0c0e92829285bab031f01ca5ea0e7fc461b16f4c72b6889d1703c6b6afc44dc7aa9f0516a4d6e9998a175e24c045145b89cde35c8fecab2fe20

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    ac1e562ec8567de7aa21424714dbd3af

    SHA1

    be71c90d7da448feb0b96f32f57372db8000499a

    SHA256

    be12741f48efe2e7677837b1b9e60bda6f9db21bcc6f6ffd4f8ff722e5959fa8

    SHA512

    24e0cec4af14e76b991aa7c05b277ca0d0e1039ef429b355addfc990964b4bb784092e0d27d82eaf44a9e86ea4ebaef50698d84368ba40a0d251d5e108b244cf

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    172KB

    MD5

    361995fc874e3ebbe9597461af955755

    SHA1

    e7494d2db0ee477110559c5603c94f83f5781535

    SHA256

    2df9ed0d8e19e5ae0a4cfd58eea54e38f043bab78c1ea8276e2fe4ff8e880470

    SHA512

    46c0e0cf28f32db474c988641993ec7e5cd463b8424897a90ba8e8ed0266fa67c6b9da3fec659a2d9d98d14438e29e8fbc15fb1b349ece812d482e28a388fc30

  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

    Filesize

    21KB

    MD5

    edda91b246d82df280ae7dbad7709c70

    SHA1

    3fd6a39ce0a06ca3e65cf453b34b4dea141c1f83

    SHA256

    8c2c958ecb7e3ae1645489fcb97148d99d81e76f7bc894f5d0282f928c61399e

    SHA512

    f45e36434d5fd0c11cc96ab2f967671b48c274d41497380e131f96bca440d00ab289508408353453c8d6f976cec735a30c20268b5c5cc45214c2fe80ef0cdea0

  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

    Filesize

    8KB

    MD5

    a4dc5ebe45f42cecd6a21f522ea6a3d1

    SHA1

    3298e93098e9d8e88cb5c07a99bcc18de2ef0ab2

    SHA256

    c20a6071059a0e0f67ab55991448bb7a364b008d5d8b5a3889a46f2959d9e3a5

    SHA512

    2084be2872118ec7c4296e50945090909a9e8d1548337e3ebe612c7006b9928fe2a1f72240fc28d75e313b81d17cc6221297bcf220b949c59b2a9b2b8719f104

  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

    Filesize

    1KB

    MD5

    7383755058e0cd2a01bb411c165cde58

    SHA1

    c30dedb05a35afd7e03b682f6d9a0ad16a9c7201

    SHA256

    b972016874d51a812bc675aca085bcb08e460e09c58fcdaf70243387bca44dc1

    SHA512

    6d17962bc334e869c937727cbf4d29d95359f259733f38263ef7881cba0207de6c534c6b0a947803b5b1ec192f904134708731191b647a7ceb7b9b192846e1f2

  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

    Filesize

    8KB

    MD5

    690aead534cd824f57fab35b1193a777

    SHA1

    9f87b9d594454aed0d9e3627cf5e6352675871ed

    SHA256

    900b9c9eaac551d937b0b6322bea29561da31422ee955b22c52c45bbc8ac326a

    SHA512

    f3cadb755eb51c32ab212f7ba7eb428ec13ec5d72bfe7ba45cdbd4974491d0cf8fde0d348a3faaec8aa6043580bcbedc200008d9fabe09c3a20ec8429e04c61e

  • memory/2672-2-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/2672-1343-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/2672-1344-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/2672-1346-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB