General

  • Target: 83be6e6f8bf13c0872715c6ff04e5f20_JaffaCakes118
  • Size: 243KB
  • Sample: 241031-3b3bnsvdln
  • MD5: 83be6e6f8bf13c0872715c6ff04e5f20
  • SHA1: 3f024e20dcd7ccdd462b238482462c40559755fa
  • SHA256: c9718b8354f67e040917ac8519dc2f286d53889e6ed7f513cc71e468a3bb3492
  • SHA512: 4cec28af53d018493df15aebb6dc9f9ab813cd11efd98e700fbbd571e7b98c3625562fc04595d71c5232a6461aeaf796537b25e6b70fd65b11c44be256169b16
  • SSDEEP: 6144:8vwFTrZvYeyN/nZhIqYS6yuv2jsAxEbMPNO/w8FJ+uYd8B:8v6rxY7NZhBKvmRxESJ8FMu2m

Malware Config

Targets

    • Target: 267.exe
    • Size: 146KB
    • MD5: 068400d929db33e9991f4188f74a3c96
    • SHA1: d57c6efe65e8d1d60e98acbd5536daa065037011
    • SHA256: 9ffe6cb3a60d37f590e4448c9fdfda66ccf4aa045b727c262d33866fea6ba802
    • SHA512: 6cacd0096a6ccb5486f44b4c1889613a8f0db0075db45ae34577f5dc95c0184f60f3cc992219675faecce47980bf154388eb2403b792db21f26a0c190ce4ada8
    • SSDEEP: 3072:ABAp5XhKpN4eOyVTGfhEClj8jTk+0htpcZVrJ6:3bXE9OiTGfhEClq9GOHrJ6

    Score: 8/10

    • Blocklisted process makes network request
    • Drops file in Drivers directory
    • Checks computer location settings
      Looks up the country code configured in the registry, likely used for geofencing.
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Target: 300.exe
    • Size: 21KB
    • MD5: 0dcdb939e8524ce89fdfb91a2e675e93
    • SHA1: a68934aed2b0a430dab8f7ef3a960218faebe583
    • SHA256: b7aefaf5b83cb8ad0dcb2a5b88d727e1375f54239c009a921a40145952d35573
    • SHA512: 92626161d11c09c8b1fd97fd0ac5185ba981f75ea09b5f205fefbb00e3127ec14d47d28ec3da5f471005ce676cb78ce263e1ad16fc994749a8fb02587665daf1
    • SSDEEP: 384:R4oZDeeumrKCZ1swbbVC2aJ2mO1yq314ZBfprXo0uLpRgMcBi8e/tmBciGN:R9Qe1sIbwOIq3GprXoTLpMeFIctN

    • Detected Xorist Ransomware
    • Xorist Ransomware
      Xorist is a ransomware first seen in 2020.
    • Xorist family
    • Renames multiple (2211) files with added filename extension
      This suggests ransomware activity: encrypting all the files on the system.
    • Drops file in Drivers directory
    • Drops startup file
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

    • Target: 308.exe
    • Size: 55KB
    • MD5: 2c39c6018f9aa2c07d1dfa55652ece49
    • SHA1: 30bfd3fe6530657ff257c17e2fb74fd10e1a5aba
    • SHA256: 77e36970aef8cf7a90ea922c3fb8a9c209a1aaf317f26943b6eab5f412e415ae
    • SHA512: 22d5c89b4e3a027595784e851a2eb564efc865a5b5087f9efbb83917627469acabdf5fbbd827eb9d6f904a70f8569282f174c566861ef95882a7de5a5c0e08b8
    • SSDEEP: 768:PdRmDAZhhh6fi/zU2hep/t3hczOXtUcriz:PdgI0i/qv3hgCf

MITRE ATT&CK Enterprise v15

Tasks