Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-11-2024 02:29

General

  • Target

    ae4eb822f0b5c6114199e8174370639e_JaffaCakes118.exe

  • Size

    282KB

  • MD5

    ae4eb822f0b5c6114199e8174370639e

  • SHA1

    a2cd16307fcb7e2d1bc5a417dec826c367b139ed

  • SHA256

    4289668e6b33c7b84946696081ee7867bc59346a9d10faf1ec95019e4efd54a9

  • SHA512

    e63baba9565297b9e404f4cd9e651d58358dc44ba9b26b1f4d49b350b30fce628834403e9ff6eec0650fdd524c373920a2a8c923343fb723dc9a5ca5d35c6820

  • SSDEEP

    6144:/Vr9OUGS0M3WAh7l7DlEiznRTSi1pDsoV5VUAuV37zYAVM:rO9sWwDlEizZSi1xse5VUAO4AVM

Malware Config

Signatures

  • Detected Xorist Ransomware 4 IoCs
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • Xorist Ransomware

    Xorist is a ransomware family produced by a freely circulating builder; it has been in use since the early 2010s.

  • Xorist family
  • ModiLoader Second Stage 2 IoCs
  • Renames multiple (370) files with added filename extension

    Mass renaming of user files with a new extension is characteristic of ransomware encrypting the files on the system.

  • Drops file in Drivers directory 64 IoCs
  • Drops startup file 34 IoCs
  • Executes dropped EXE 5 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers commonly target data stored by web browsers, which can include saved credentials.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 64 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of the host.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae4eb822f0b5c6114199e8174370639e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ae4eb822f0b5c6114199e8174370639e_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Users\Admin\AppData\Local\Temp\Musor.exe
      "C:\Users\Admin\AppData\Local\Temp\Musor.exe"
      2⤵
      • Drops file in Drivers directory
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      PID:2864
    • C:\Users\Admin\AppData\Local\Temp\Udalenie.exe
      "C:\Users\Admin\AppData\Local\Temp\Udalenie.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2692
    • C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe
      "C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: RenamesItself
      PID:2600
    • C:\Users\Admin\AppData\Local\Temp\WinLocker.exe
      "C:\Users\Admin\AppData\Local\Temp\WinLocker.exe"
      2⤵
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2580
    • C:\Users\Admin\AppData\Local\Temp\Stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\Stealer.exe"
      2⤵
      • Executes dropped EXE
      PID:692
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
      PID:1972

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Musor.exe

      Filesize

      22KB

      MD5

      e2e474a6a53209630133f0e54d200123

      SHA1

      724b23fefd284c89e9b5f0425e549440e4bc300d

      SHA256

      558dbb329803ba0e8ed5519cc340d087e7d89a5502d8d2a466eaa95f9cd6753c

      SHA512

      19f8211fc263361a957cd133fc28a5e5ed9f451ab25dad7ec5d559ded7afbae2642e481a17f8c93ad0188922a60ae5f5779ce0ea5ade0677dd83e64617fecc6c

    • C:\Users\Admin\AppData\Local\Temp\Stealer.exe

      Filesize

      45KB

      MD5

      ae1cdc77973b1a1f0c8e993135964ec2

      SHA1

      cfce4a30d53d612a9ba2771e9ac29e09b7112794

      SHA256

      3c9c4114d3706518351e36a16a63b2df3e9ab5d61c686d451503273b488ee26a

      SHA512

      efb638a58336fc6a3ff72d20bd51f4dca2c68fc9781630009f4b63afbc8023ba26494b23e4fea8cb3dff34135d1cd4b137c3c833a4f9d7e719188cbb2322d5b1

    • C:\Users\Admin\AppData\Local\Temp\Udalenie.exe

      Filesize

      27KB

      MD5

      db22edc6ff5b65343fd6c2cf35261261

      SHA1

      4f7364013b614520feaa45f255fbae7419cb01f0

      SHA256

      80178eab1a5701c4704cecc589b50696d107c2d011c7474c14884a8349e04b19

      SHA512

      fe208f09bf797529a30f4295443e057e433f5ee5c2b0ec260019342f7daca720790b8cb57f65751d2659eb1f90e550e187e282bed287a664fdd1d18a1dac2aed

    • C:\Users\Admin\AppData\Local\Temp\WinLocker.exe

      Filesize

      175KB

      MD5

      c8f45c5e1d7fc243b6d858ae35336126

      SHA1

      2791bf91cc06f2adc1d9cd5d1368cd99c85a7359

      SHA256

      4742f4a0a01da75e4454ef99c7af484b469366e21b187ed1c53b0bbb6e503060

      SHA512

      241464a3d2cfdb7985f9f44d54547813c5cbe5b96bfc233417beaffd50cba9f7f1e770a6ada866eb5af06cb3f2a8d0902479d81393e3b5e6d3704cde0aeebf11

    • C:\Users\xuzlbkkwgow.upu

      Filesize

      100B

      MD5

      bb55216eaf41ecca241d403d5435615d

      SHA1

      f5e297c062d0ea36232c40b368cfbbedabfb68c3

      SHA256

      51a273a2a08aad40272393d71fc316710e68ec7695e75b0b0d2731b7067e75bf

      SHA512

      29f912aba2dadd4e973692c5f88e44ed4a06cccd4024056801fcc4696fce376fdff1a563af0a82191229f5581377c48efab55977031fd2c90c360d91f5fe25e1

    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe

      Filesize

      32KB

      MD5

      d40e89c4f45bbe3143d48f99867a0ef1

      SHA1

      4e8624f2416124cc5f2dec86b64c8d47b9598502

      SHA256

      f470a9e5563616e3177463d18c16de755fbb03d2f3a31527144553c0547aec9f

      SHA512

      42c8bb0d5fbef49ed6c4f7413d68c89140f429b3caf6aece83aa7b086e0cdf3b3d5fb06b22289fcae8cf812e3068abf7fbcdb687bd3c93e1b27d29c968d4c4f9

    • \Users\Admin\AppData\Local\Temp\Shifrovka.exe

      Filesize

      25KB

      MD5

      1ea86c964aa0df385062bd56a086c739

      SHA1

      4ecb08abf06114678d6edd3aacf6017538ab5ff8

      SHA256

      6d785caa26de7ab40e534876edd3365595df2086ea667ad74e511600f6205dc8

      SHA512

      f99b42f259e2d4a752c4ea9fc860b58cb2c8f3cc62b1f87d590bfe17e50f5052fba8f5400afb080cb6ed8bbad6b20a741a6c784187d8c36e6810f1a51d74f1d6

    • memory/692-288-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

    • memory/692-77-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

    • memory/2580-68-0x0000000000400000-0x0000000000477000-memory.dmp

      Filesize

      476KB

    • memory/2580-7854-0x0000000000400000-0x0000000000477000-memory.dmp

      Filesize

      476KB

    • memory/2600-66-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

    • memory/2600-7853-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

    • memory/2600-7877-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

    • memory/2600-11275-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

    • memory/2704-45-0x00000000022E0000-0x00000000022F4000-memory.dmp

      Filesize

      80KB

    • memory/2704-67-0x0000000003350000-0x00000000033C7000-memory.dmp

      Filesize

      476KB

    • memory/2704-34-0x00000000022E0000-0x00000000022F4000-memory.dmp

      Filesize

      80KB