Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03-11-2024 05:13
Static task: static1
Behavioral task: behavioral1
  Sample: 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe
Size: 175KB
MD5: 89c9bb3b2f5c86aa3ae11a34cee355a4
SHA1: 4ef641aa51ab1fe02bfb7c549c374d47a1f1a839
SHA256: 40416427bc32281159f82cb95a0b5a4c4efa6f8f23aa5b5248001413f0c541cf
SHA512: c096150ca59a2cacb5f9717ae62751e90478af1bbd192dbbef14b5356c4e1ed3642041382ca039fc56f4227614f1f9177e2efdcdc1f6f7a4921110ad9eee417a
SSDEEP: 3072:TVITmOqyaEgpN3OiPxj3Tr1tPTHhvAAjawYVJXuw824bKIVtDmzoUrAdJZbasj7h:TVI7q/EgpN+cxjPLbZAAebur2qyzoldb
Malware Config
Signatures
Detected Xorist Ransomware (1 IoC)
  resource: behavioral1/memory/580-62-0x0000000000400000-0x0000000000477000-memory.dmp
  yara_rule: family_xorist
Xorist Ransomware
  Xorist is a ransomware family first seen in 2020.
Xorist family
Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: vkobmen_premium.exe)
Executes dropped EXE (4 IoCs)
  PID 2816  VkObmen Patcher.exe
  PID 2368  vkobmen_id.exe
  PID 320   sys3.exe
  PID 580   vkobmen_premium.exe
Loads dropped DLL (11 IoCs)
  PID 2840  89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe
  PID 2816  VkObmen Patcher.exe
  PID 2816  VkObmen Patcher.exe
  PID 2816  VkObmen Patcher.exe
  PID 2816  VkObmen Patcher.exe
  PID 2840  89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe
  PID 2840  89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe
  PID 2368  vkobmen_id.exe
  PID 2368  vkobmen_id.exe
  PID 2840  89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe
  PID 2840  89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe
Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PHYSICALDRIVE0 (process: vkobmen_id.exe)
  File opened for modification: \??\PHYSICALDRIVE0 (process: sys3.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: VkObmen Patcher.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vkobmen_id.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sys3.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vkobmen_premium.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 580  vkobmen_premium.exe
  PID 580  vkobmen_premium.exe
Suspicious use of WriteProcessMemory (23 IoCs)
  (format: description; source PID; source process; target procid)
  PID 2840 wrote to memory of 2816; 2840; 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe; 30
  PID 2840 wrote to memory of 2816; 2840; 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe; 30
  PID 2840 wrote to memory of 2816; 2840; 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe; 30
  PID 2840 wrote to memory of 2816; 2840; 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe; 30
  PID 2840 wrote to memory of 2816; 2840; 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe; 30
  PID 2840 wrote to memory of 2816; 2840; 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe; 30
  PID 2840 wrote to memory of 2816; 2840; 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe; 30
  PID 2840 wrote to memory of 2368; 2840; 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe; 31
  PID 2840 wrote to memory of 2368; 2840; 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe; 31
  PID 2840 wrote to memory of 2368; 2840; 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe; 31
  PID 2840 wrote to memory of 2368; 2840; 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe; 31
  PID 2368 wrote to memory of 320; 2368; vkobmen_id.exe; 32
  PID 2368 wrote to memory of 320; 2368; vkobmen_id.exe; 32
  PID 2368 wrote to memory of 320; 2368; vkobmen_id.exe; 32
  PID 2368 wrote to memory of 320; 2368; vkobmen_id.exe; 32
  PID 2840 wrote to memory of 580; 2840; 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe; 33
  PID 2840 wrote to memory of 580; 2840; 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe; 33
  PID 2840 wrote to memory of 580; 2840; 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe; 33
  PID 2840 wrote to memory of 580; 2840; 89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe; 33
  PID 580 wrote to memory of 2952; 580; vkobmen_premium.exe; 35
  PID 580 wrote to memory of 2952; 580; vkobmen_premium.exe; 35
  PID 580 wrote to memory of 2952; 580; vkobmen_premium.exe; 35
  PID 580 wrote to memory of 2952; 580; vkobmen_premium.exe; 35
Processes
C:\Users\Admin\AppData\Local\Temp\89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe"
  PID: 2840
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\VkObmen Patcher.exe
    command line: "C:\Users\Admin\AppData\Roaming\VkObmen Patcher.exe"
    PID: 2816
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\vkobmen_id.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\vkobmen_id.exe"
    PID: 2368
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\sys3.exe
      command line: C:\Users\Admin\AppData\Local\Temp\\sys3.exe
      PID: 320
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\vkobmen_premium.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\vkobmen_premium.exe"
    PID: 580
    - Checks BIOS information in registry
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\vkobmen_premium.exe" >> NUL
      PID: 2952
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 48B
MD5: 83ad733f20165a49fad8619f428e9417
SHA1: aebf2973392c6286d9a580d16b9ede57e18c0429
SHA256: 5f96d18e38adebe0c922e8720e78590f70bc6ac10f77241cafcbaf316cbcf38d
SHA512: 4a1afc7acdfb7701df3dacd831759275b32bc2bce0c3e0dcc3ee1be6868f89130e42ba4b3cae1e153fba8135c63a34f803bc473221d15d3ac4d4ed069a5d6c86

Filesize: 10KB
MD5: 809f838c00138beae8f2b441b867201b
SHA1: b8f90438dd7aa5dafdc6e200a6944a10b51ecaf0
SHA256: 88d63ba49eb59bc4ba81d4ee0a872ac3b5fd108f103d27cdf8f2f966dfef9874
SHA512: db8905397fab205090286a4c0c8a5eecefbf3a9118908f71442445bea7d0ca9be21f450a14f3125d5c751712c6b247aa7c07dc0c2019a86a9ee565b8a5d815bc

Filesize: 6KB
MD5: 71cb13ab9d7d4aa7d0f4a0e5ffe5551e
SHA1: 3429a07f83d28075fd648ddc356825e96997f9f3
SHA256: 7045cace4cc9baee015de0a89fc28b4356b743ebcd1e85a781cf76f9ced17dde
SHA512: 5931ea63f92761d45f06f460e3ecf92594c8de7c1a4b14af01dafce935a0e1b3338a86d0a85b4318f96b48c56c955e5fa165893ac7d75366b1ec267f35994b22

Filesize: 96KB
MD5: d2ae9d7b17d116fc420ab2884046e511
SHA1: bf8d4be156aab90e56ba446d2f826d11c10f7a68
SHA256: 4cdfad8c8ef09a8bae492306065ad1fe3862855e71194c82815710b02fad750f
SHA512: e5091538ae894b6002eed63b1b24f534dda9bac6ef9f6abdab72013a4dc3572e202df5b4fd96e69274714d821f0dde60cf0d910d600cf74d65aa5cd4c90d6035

Filesize: 56KB
MD5: 1daa18bdcaaae2c874b39613f809c9d5
SHA1: abe5059ba8175c2d17f23519fe367bfeea087377
SHA256: 936ad8700c8f4d785cf0267d85d9cfbf10213f2bcc673a852d8c9aad6da96491
SHA512: dd9fc63febfb90d51d8fb57c2c1a14a9b58f8bbd8213c19782f40c0a0189fc0bdf434a0db1c1966df2dafc8c77eb56eaf4cc7fce5da3b1cabf7acd7436626fc4