Overview

overview

10

Static

static

10

8901e13e8e...18.exe

windows7-x64

10

8901e13e8e...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8901e13e8e01a6f9223c78a903d8fb46_JaffaCakes118

  • Size

    1.4MB

  • Sample

    241103-b252ps1dnh

  • MD5

    8901e13e8e01a6f9223c78a903d8fb46

  • SHA1

    a015f096d431e42e0df67b21c4eabe4ebf2f476a

  • SHA256

    c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4

  • SHA512

    f7ae948f33fb2270c5ea5bd150c039592edb8d1511dce1077739f17b4f91c6b43c9075a71f15248f7f94f0c159be3e5dcd189c93b7bcbc99847a8185f374ff08

  • SSDEEP

    24576:q9WQitvyUilzOUxaOWk01G4fbu/F41jen6KXYzkEEknJS7DFN4L3GmPA705sCvsF:q9WDAUozOUxaOyGau6I6WPDvlAAoefk1

Score
10/10
xoristdiscoveryevasionpersistenceransomwarespywarestealer

Malware Config

Targets

    • Target

      8901e13e8e01a6f9223c78a903d8fb46_JaffaCakes118

    • Size

      1.4MB

    • MD5

      8901e13e8e01a6f9223c78a903d8fb46

    • SHA1

      a015f096d431e42e0df67b21c4eabe4ebf2f476a

    • SHA256

      c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4

    • SHA512

      f7ae948f33fb2270c5ea5bd150c039592edb8d1511dce1077739f17b4f91c6b43c9075a71f15248f7f94f0c159be3e5dcd189c93b7bcbc99847a8185f374ff08

    • SSDEEP

      24576:q9WQitvyUilzOUxaOWk01G4fbu/F41jen6KXYzkEEknJS7DFN4L3GmPA705sCvsF:q9WDAUozOUxaOyGau6I6WPDvlAAoefk1

    Score
    10/10
    xoristdiscoverypersistenceransomwarespywarestealerevasion

    • Detected Xorist Ransomware

    • Modifies firewall policy service

      evasion

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

      ransomwarexorist

    • Xorist family

      xorist

    • Renames multiple (1912) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops file in Drivers directory

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

3
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Tasks