xorist | d5f089b24f91f71ea717f61439ef7d22a7428d3ed8afc153a42a4f6f1d3bd034 | Triage

Submit
Reports

Overview

overview

Static

static

f5f6153525...18.exe

windows7-x64

f5f6153525...18.exe

windows10-2004-x64

Sharing

General

Target

f5f61535258ba0a7120a34ea5fda5b70_JaffaCakes118
Size

40KB
Sample

241215-13wxvs1mbk
MD5

f5f61535258ba0a7120a34ea5fda5b70
SHA1

10b03d523b4342e659d1a6fcc3cd442576be52cc
SHA256

d5f089b24f91f71ea717f61439ef7d22a7428d3ed8afc153a42a4f6f1d3bd034
SHA512

6a55e1d44468e913a0311e0862030136ec2f8f9dee6cf417c07bb141064c4a4a8ad6c8ae4da22c39ab6642f16426e104e419116eacc20b426f730994bdf35b4c
SSDEEP

384:6ebFNw4Pk1itKkpAjjalrbL1cqqYvjSzkDCgStzRfMB:60FmBkpKjsZchY7bDCdz2

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

f5f61535258ba0a7120a34ea5fda5b70_JaffaCakes118.exe

Resource

win7-20241010-en

xorist persistence ransomware upx

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

f5f61535258ba0a7120a34ea5fda5b70_JaffaCakes118.exe

Resource

win10v2004-20241007-en

xorist discovery persistence ransomware spyware stealer upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  f5f61535258ba0a7120a34ea5fda5b70_JaffaCakes118
- Size
  
  40KB
- MD5
  
  f5f61535258ba0a7120a34ea5fda5b70
- SHA1
  
  10b03d523b4342e659d1a6fcc3cd442576be52cc
- SHA256
  
  d5f089b24f91f71ea717f61439ef7d22a7428d3ed8afc153a42a4f6f1d3bd034
- SHA512
  
  6a55e1d44468e913a0311e0862030136ec2f8f9dee6cf417c07bb141064c4a4a8ad6c8ae4da22c39ab6642f16426e104e419116eacc20b426f730994bdf35b4c
- SSDEEP
  
  384:6ebFNw4Pk1itKkpAjjalrbL1cqqYvjSzkDCgStzRfMB:60FmBkpKjsZchY7bDCdz2
Score

10^/10

xorist persistence ransomware upx discovery spyware stealer
- Detected Xorist Ransomware
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Xorist family
  xorist
- Renames multiple (3327) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xoristpersistenceransomwareupx

behavioral2

xoristdiscoverypersistenceransomwarespywarestealerupx

© 2018-2024

Terms | Privacy