Analysis

  • max time kernel
    139s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-07-2024 01:16

General

  • Target

    6591e29b761deabceee7812896409747_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    6591e29b761deabceee7812896409747

  • SHA1

    293ec78307db2c89770039c4c7782f706912a6f6

  • SHA256

    b47c786eddf654fa4577f02b1ac902064c568f370d5312d011e979ce476c802c

  • SHA512

    173803c7badf4c32fdea16923fa831b1118638b3676f09ea22f6bbd5a6061e64d014b2a1d9d75b47f3784cb68ca604360fa8f9e5f920fd7d3b218e2f89c48599

  • SSDEEP

    24576:Q8BHUKY964CO3EsaeqCe6Nwi3LVBPlnN6OBKW/WP76HQVi1e8K298x:VBHUgunae+qwALVhlN6KZ/GqQVi1eW

Malware Config

Signatures

  • Detect Neshta payload 4 IoCs
  • Neshta

    Malware from the Neshta family infects other executable files on the host in order to spread itself and cause damage.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • UPX packed file 3 IoCs

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6591e29b761deabceee7812896409747_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6591e29b761deabceee7812896409747_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Users\Admin\AppData\Local\Temp\3582-490\6591e29b761deabceee7812896409747_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\6591e29b761deabceee7812896409747_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      PID:2600
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 428
        3⤵
        • Program crash
        PID:3460
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2600 -ip 2600
    1⤵
    PID:3876

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

    Filesize

    86KB

    MD5

    3b73078a714bf61d1c19ebc3afc0e454

    SHA1

    9abeabd74613a2f533e2244c9ee6f967188e4e7e

    SHA256

    ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

    SHA512

    75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

  • C:\Users\Admin\AppData\Local\Temp\3582-490\6591e29b761deabceee7812896409747_JaffaCakes118.exe

    Filesize

    1.3MB

    MD5

    bbe560c3ba3e8621a12d411c210e7b46

    SHA1

    6aeb5f5fb0df2512f9cd183c7f66077a5e829c17

    SHA256

    b835c6f3049b7794caea35ca2435662e9a683f326b63d4613df3d1884470efeb

    SHA512

    80278baec94bb81a91a2450b0aed071016ecd0464ee9eb15acf588b37e9a002a6111b1d551764c81ac248bb7ae60078ba1c759a1b405d9559f260dfbb9a5f913

  • memory/2600-9-0x0000000000400000-0x000000000058E000-memory.dmp

    Filesize

    1.6MB

  • memory/2600-11-0x0000000000400000-0x000000000058E000-memory.dmp

    Filesize

    1.6MB

  • memory/2752-96-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2752-97-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2752-99-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB