Analysis

  • max time kernel
    134s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-07-2024 04:29

General

  • Target

    5f06de6cd265602078d3c93a521b75bd_JaffaCakes118.exe

  • Size

    174KB

  • MD5

    5f06de6cd265602078d3c93a521b75bd

  • SHA1

    78aafa5842e03c9fd673fc23c24eafdb7316642c

  • SHA256

    5a9d7ca5bbe8eb534d191b1ff4cf714284eb0256b7f2541fb5f73d850849bc7a

  • SHA512

    ea080eb615e20d937cc9c59f0f6c27e65d39f47bd1bd452554b340944472561f796c56d27945a918137b9aad93a08ddf4ec36147e87339858787cd6c1d68ab92

  • SSDEEP

    3072:or8WDrCDdBw75g+rh0O9toRaonK0ND64H08S2E:IuB45g+OqtoRaSe

Malware Config

Signatures

  • Neshta

    Malware from the Neshta family is a file infector: it injects itself into other executable files to spread and cause damage.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f06de6cd265602078d3c93a521b75bd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5f06de6cd265602078d3c93a521b75bd_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

    Filesize

    2.4MB

    MD5

    21aac3bdbfeb9ae7068b53ec151be76a

    SHA1

    97151f84ac0a4ddb46f9ba9e8df32836addd409a

    SHA256

    842d8071a347015703da4ad9806e9a4ac72a9d09b0d542116d871374e49d8b49

    SHA512

    501644d7b92a1c2cae99932e55721aa787a41bacafabf546692afdc9311fcca42fcd8b291a2808a0014c70da989868a8d73e0b326e2dabcc4607daaa31e16df9

  • C:\Users\Admin\AppData\Local\Temp\3582-490\5f06de6cd265602078d3c93a521b75bd_JaffaCakes118.exe

    Filesize

    133KB

    MD5

    01327ae0866f0e5246ab1ebe512301e8

    SHA1

    df07d7e0c54f77685df42b90c21b3d464c3dc512

    SHA256

    1101c6c3b331947204548b80ee29d98ecd0ca26d0c5d48e458d2d723192b65a3

    SHA512

    ce53d8710ace0760e07af12036585f833edbe1eea316531dcf7ba3cf43b8ab4be88bc97ad10d4aff74191dd57cdf1190e009795e8265ea01d6db3ec82fcba471

  • memory/2660-95-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2660-96-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2660-98-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB