General

  • Target

    ae4eb822f0b5c6114199e8174370639e_JaffaCakes118

  • Size

    282KB

  • Sample

    241129-cyvl8szkh1

  • MD5

    ae4eb822f0b5c6114199e8174370639e

  • SHA1

    a2cd16307fcb7e2d1bc5a417dec826c367b139ed

  • SHA256

    4289668e6b33c7b84946696081ee7867bc59346a9d10faf1ec95019e4efd54a9

  • SHA512

    e63baba9565297b9e404f4cd9e651d58358dc44ba9b26b1f4d49b350b30fce628834403e9ff6eec0650fdd524c373920a2a8c923343fb723dc9a5ca5d35c6820

  • SSDEEP

    6144:/Vr9OUGS0M3WAh7l7DlEiznRTSi1pDsoV5VUAuV37zYAVM:rO9sWwDlEizZSi1xse5VUAO4AVM

Targets

    • Target

      ae4eb822f0b5c6114199e8174370639e_JaffaCakes118

    • Detected Xorist Ransomware

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi-based loader that abuses legitimate cloud services to download other malware families.

    • Modiloader family

    • Xorist Ransomware

      Xorist is a ransomware family first seen in 2020.

    • Xorist family

    • ModiLoader Second Stage

    • Renames multiple (370) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted and renamed.

    • Drops file in Drivers directory

    • Drops startup file

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.
