xorist | 8a7c6ae143a867e7689d23b6f9f71cc06387026eccd75247466da569cd2fe1d4 | Triage

Sharing

General

Target

c3066d3a50ac699c018baacc2eba38c7_JaffaCakes118
Size

12KB
Sample

241204-r4n4zatnfm
MD5

c3066d3a50ac699c018baacc2eba38c7
SHA1

10fc03945741936af5c3392bd5f77b47ebc23c44
SHA256

8a7c6ae143a867e7689d23b6f9f71cc06387026eccd75247466da569cd2fe1d4
SHA512

f80e44e362649aa0daae3f0c531e9e75f59dd4c458775b08ffa334ee7944a3f8f3d9649aa193a00c9d9e29ed4fcc659b29dcff011b7bef16a6f9c443759bb7b5
SSDEEP

192:p/TrG62a6B10k3g4fXk1iTV3HGc7EkpAqEjaGpsHcxUw4h+lfPtRM8iuamJGr:pebFNw4Pk1itKkpAjjJs6B40W8i

Score

10^/10

xorist discovery persistence ransomware spyware stealer

Malware Config

Targets

- Target
  
  c3066d3a50ac699c018baacc2eba38c7_JaffaCakes118
- Size
  
  12KB
- MD5
  
  c3066d3a50ac699c018baacc2eba38c7
- SHA1
  
  10fc03945741936af5c3392bd5f77b47ebc23c44
- SHA256
  
  8a7c6ae143a867e7689d23b6f9f71cc06387026eccd75247466da569cd2fe1d4
- SHA512
  
  f80e44e362649aa0daae3f0c531e9e75f59dd4c458775b08ffa334ee7944a3f8f3d9649aa193a00c9d9e29ed4fcc659b29dcff011b7bef16a6f9c443759bb7b5
- SSDEEP
  
  192:p/TrG62a6B10k3g4fXk1iTV3HGc7EkpAqEjaGpsHcxUw4h+lfPtRM8iuamJGr:pebFNw4Pk1itKkpAjjJs6B40W8i
Score

9^/10

discovery persistence ransomware spyware stealer
- Renames multiple (2214) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistenceransomwarespywarestealer

behavioral2

discoverypersistenceransomwarespywarestealer