Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2024 05:13

General

  • Target

    89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe

  • Size

    175KB

  • MD5

    89c9bb3b2f5c86aa3ae11a34cee355a4

  • SHA1

    4ef641aa51ab1fe02bfb7c549c374d47a1f1a839

  • SHA256

    40416427bc32281159f82cb95a0b5a4c4efa6f8f23aa5b5248001413f0c541cf

  • SHA512

    c096150ca59a2cacb5f9717ae62751e90478af1bbd192dbbef14b5356c4e1ed3642041382ca039fc56f4227614f1f9177e2efdcdc1f6f7a4921110ad9eee417a

  • SSDEEP

    3072:TVITmOqyaEgpN3OiPxj3Tr1tPTHhvAAjawYVJXuw824bKIVtDmzoUrAdJZbasj7h:TVI7q/EgpN+cxjPLbZAAebur2qyzoldb

Malware Config

Signatures

  • Detected Xorist Ransomware 1 IoCs
  • Xorist Ransomware

    Xorist is a ransomware first seen in 2020.

  • Xorist family
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 11 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\89c9bb3b2f5c86aa3ae11a34cee355a4_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Users\Admin\AppData\Roaming\VkObmen Patcher.exe
      "C:\Users\Admin\AppData\Roaming\VkObmen Patcher.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2816
    • C:\Users\Admin\AppData\Local\Temp\vkobmen_id.exe
      "C:\Users\Admin\AppData\Local\Temp\vkobmen_id.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Users\Admin\AppData\Local\Temp\sys3.exe
        C:\Users\Admin\AppData\Local\Temp\\sys3.exe
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • System Location Discovery: System Language Discovery
        PID:320
    • C:\Users\Admin\AppData\Local\Temp\vkobmen_premium.exe
      "C:\Users\Admin\AppData\Local\Temp\vkobmen_premium.exe"
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\vkobmen_premium.exe" >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\systm.txt

    Filesize

    48B

    MD5

    83ad733f20165a49fad8619f428e9417

    SHA1

    aebf2973392c6286d9a580d16b9ede57e18c0429

    SHA256

    5f96d18e38adebe0c922e8720e78590f70bc6ac10f77241cafcbaf316cbcf38d

    SHA512

    4a1afc7acdfb7701df3dacd831759275b32bc2bce0c3e0dcc3ee1be6868f89130e42ba4b3cae1e153fba8135c63a34f803bc473221d15d3ac4d4ed069a5d6c86

  • C:\Users\Admin\AppData\Local\Temp\vkobmen_id.exe

    Filesize

    10KB

    MD5

    809f838c00138beae8f2b441b867201b

    SHA1

    b8f90438dd7aa5dafdc6e200a6944a10b51ecaf0

    SHA256

    88d63ba49eb59bc4ba81d4ee0a872ac3b5fd108f103d27cdf8f2f966dfef9874

    SHA512

    db8905397fab205090286a4c0c8a5eecefbf3a9118908f71442445bea7d0ca9be21f450a14f3125d5c751712c6b247aa7c07dc0c2019a86a9ee565b8a5d815bc

  • \Users\Admin\AppData\Local\Temp\TMP65D5.tmp

    Filesize

    6KB

    MD5

    71cb13ab9d7d4aa7d0f4a0e5ffe5551e

    SHA1

    3429a07f83d28075fd648ddc356825e96997f9f3

    SHA256

    7045cace4cc9baee015de0a89fc28b4356b743ebcd1e85a781cf76f9ced17dde

    SHA512

    5931ea63f92761d45f06f460e3ecf92594c8de7c1a4b14af01dafce935a0e1b3338a86d0a85b4318f96b48c56c955e5fa165893ac7d75366b1ec267f35994b22

  • \Users\Admin\AppData\Local\Temp\vkobmen_premium.exe

    Filesize

    96KB

    MD5

    d2ae9d7b17d116fc420ab2884046e511

    SHA1

    bf8d4be156aab90e56ba446d2f826d11c10f7a68

    SHA256

    4cdfad8c8ef09a8bae492306065ad1fe3862855e71194c82815710b02fad750f

    SHA512

    e5091538ae894b6002eed63b1b24f534dda9bac6ef9f6abdab72013a4dc3572e202df5b4fd96e69274714d821f0dde60cf0d910d600cf74d65aa5cd4c90d6035

  • \Users\Admin\AppData\Roaming\VkObmen Patcher.exe

    Filesize

    56KB

    MD5

    1daa18bdcaaae2c874b39613f809c9d5

    SHA1

    abe5059ba8175c2d17f23519fe367bfeea087377

    SHA256

    936ad8700c8f4d785cf0267d85d9cfbf10213f2bcc673a852d8c9aad6da96491

    SHA512

    dd9fc63febfb90d51d8fb57c2c1a14a9b58f8bbd8213c19782f40c0a0189fc0bdf434a0db1c1966df2dafc8c77eb56eaf4cc7fce5da3b1cabf7acd7436626fc4

  • memory/580-62-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

  • memory/580-58-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

  • memory/2368-46-0x000000002AA00000-0x000000002AA05000-memory.dmp

    Filesize

    20KB

  • memory/2816-16-0x00000000002B0000-0x00000000002D1000-memory.dmp

    Filesize

    132KB

  • memory/2816-12-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/2816-64-0x00000000002B0000-0x00000000002D1000-memory.dmp

    Filesize

    132KB

  • memory/2816-19-0x0000000000401000-0x0000000000402000-memory.dmp

    Filesize

    4KB

  • memory/2816-63-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/2816-60-0x0000000010000000-0x000000001003C000-memory.dmp

    Filesize

    240KB

  • memory/2816-17-0x00000000002B0000-0x00000000002D1000-memory.dmp

    Filesize

    132KB

  • memory/2816-18-0x00000000002B0000-0x00000000002D1000-memory.dmp

    Filesize

    132KB

  • memory/2816-23-0x0000000010000000-0x000000001003C000-memory.dmp

    Filesize

    240KB

  • memory/2840-59-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2840-55-0x0000000003520000-0x0000000003597000-memory.dmp

    Filesize

    476KB

  • memory/2840-57-0x0000000003520000-0x0000000003597000-memory.dmp

    Filesize

    476KB

  • memory/2840-0-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2840-6-0x00000000027E0000-0x0000000002801000-memory.dmp

    Filesize

    132KB

  • memory/2840-32-0x000000002AA00000-0x000000002AA05000-memory.dmp

    Filesize

    20KB

  • memory/2840-27-0x000000002AA00000-0x000000002AA05000-memory.dmp

    Filesize

    20KB