Analysis

  • max time kernel
    117s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240704-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    23-07-2024 03:40

General

  • Target

    65fda9d498ea814cd952167dcf175353_JaffaCakes118.exe

  • Size

    96KB

  • MD5

    65fda9d498ea814cd952167dcf175353

  • SHA1

    65434c10b454627ec6e72fda161cf9442ea34485

  • SHA256

    93036a31d57bb484184a6e56f3c85e028421c2c895859bb6ff8b0d7b50eb9c9d

  • SHA512

    e949c8ed63379e0c40894470423738424ba17fb6e334f3f64dcf1e7223233017427f796ec48ec8778997c79dabb89e9f6299e2052d24c62bd84cfad246ca6e64

  • SSDEEP

    1536:yxqjQ+P04wsZLnDrCTcICnouy8jPcVo6r7S/rab+Ee6S9GcUxW:zr8WDrCTchoutU7cWb6EcUg

Malware Config

Signatures

  • Neshta

    Neshta is a file infector: it prepends its own code to other executables so that running any infected program spreads it further, and the infected host files can be left damaged.

  • Drops file in Drivers directory 2 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Sets the hidden (and here also the system) attribute so the file is not shown in Explorer and similar tools.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly read stored browser data, which can include saved credentials and session cookies.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Views/modifies file attributes 1 TTPs 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65fda9d498ea814cd952167dcf175353_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\65fda9d498ea814cd952167dcf175353_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Users\Admin\AppData\Local\Temp\3582-490\65fda9d498ea814cd952167dcf175353_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\65fda9d498ea814cd952167dcf175353_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\435.tmp\end.bat" "
        3⤵
        • Drops file in Drivers directory
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Windows\SysWOW64\chcp.com
          chcp 1251
          4⤵
            PID:2752
          • C:\Windows\SysWOW64\attrib.exe
            attrib -s -r -h C:\Windows\system32\drivers\etc\hosts
            4⤵
            • Views/modifies file attributes
            PID:2756
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s -r +H C:\Windows\system32\drivers\etc\hosts
            4⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:2640
          • C:\Windows\SysWOW64\attrib.exe
            attrib +r +s -H C:\Windows\system32\drivers\etc
            4⤵
            • Views/modifies file attributes
            PID:2656
          • C:\Windows\SysWOW64\attrib.exe
            attrib +r +H +s C:\Windows\system32\drivers\etc\hosts
            4⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:2820
          • C:\Windows\SysWOW64\attrib.exe
            attrib +r +s C:\Windows\system32\drivers\etc\hоsts
            4⤵
            • Views/modifies file attributes
            PID:2856
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "button" /t REG_SZ /d "C:\Windows\system32\button.bat" /f
            4⤵
            • Adds Run key to start application
            PID:2552

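A detection pass over the end.bat child processes above, written as an added example (it is not part of the sandbox report or of the Neshta sample): it parses attrib and reg add command lines, flags attrib runs that set the H or S attribute on the hosts file, flags reg add into a Run key, and separately flags any path under C:\Windows containing non-ASCII characters, because the last attrib line in the tree spells hosts with a Cyrillic о (U+043E) and a plain ASCII match would miss it. The ProcEvent schema and the image field are assumptions; the PIDs and command lines are copied from the tree above.

```python
"""Detection logic for the end.bat behaviour in the process tree above.

Added example: flags attrib runs that hide the hosts file, reg.exe writes to a
Run key, and system paths containing non-ASCII characters.  The ProcEvent
schema (pid/image/cmdline) is an assumption; the command lines in
SAMPLE_EVENTS are copied from the report's process tree.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOSTS_RE = re.compile(r"\\drivers\\etc\\hosts$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
SYSTEM_PATH_RE = re.compile(r"^[A-Z]:\\Windows\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def parse_attrib(cmdline: str) -> Tuple[set, set, Optional[str]]:
    """Split an attrib command line into (flags set, flags cleared, target path).

    attrib switches are +X / -X with X in R, A, S, H, I (any case); /S /D style
    options are ignored and the remaining token is taken as the target.
    """
    set_flags, clear_flags, target = set(), set(), None
    for tok in cmdline.split()[1:]:
        if len(tok) == 2 and tok[0] in "+-" and tok[1].upper() in "RASHI":
            (set_flags if tok[0] == "+" else clear_flags).add(tok[1].upper())
        elif not tok.startswith("/"):
            target = tok
    return set_flags, clear_flags, target


def parse_reg_add(cmdline: str) -> Optional[Tuple[str, Optional[str], Optional[str]]]:
    """Return (key, value name, data) from a `reg add` command line, else None.

    Quoted arguments are kept whole so keys and paths with spaces survive.
    """
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    if len(tokens) < 3 or tokens[0].lower() not in ("reg", "reg.exe") or tokens[1].lower() != "add":
        return None
    opts = {}
    i = 3
    while i < len(tokens):
        if tokens[i].lower() in ("/v", "/t", "/d") and i + 1 < len(tokens):
            opts[tokens[i].lower()] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return tokens[2], opts.get("/v"), opts.get("/d")


def analyze(events: List[ProcEvent]) -> List[Finding]:
    """Run the three rules over process-creation events and return the hits."""
    findings = []
    for ev in events:
        image = ev.image.lower()
        if image.endswith("\\attrib.exe"):
            set_flags, _, target = parse_attrib(ev.cmdline)
            if target is None:
                continue
            if not target.isascii() and SYSTEM_PATH_RE.match(target):
                # A mixed-script path never names the real hosts file; it is
                # either a decoy file or an attempt to dodge ASCII matching.
                findings.append(Finding(ev.pid, "non_ascii_system_path", repr(target)))
            elif HOSTS_RE.search(target) and set_flags & {"H", "S"}:
                findings.append(Finding(ev.pid, "hosts_file_hidden",
                                        f"attrib set {sorted(set_flags)} on {target}"))
        elif image.endswith("\\reg.exe"):
            parsed = parse_reg_add(ev.cmdline)
            if parsed and RUN_KEY_RE.search(parsed[0]):
                key, name, data = parsed
                findings.append(Finding(ev.pid, "run_key_persistence", f"{key}\\{name} = {data}"))
    return findings


# Constructed events: command lines and PIDs from the process tree above,
# image path assumed to be the SysWOW64 binary the tree shows.
ATTRIB = r"C:\Windows\SysWOW64\attrib.exe"
SAMPLE_EVENTS = [
    ProcEvent(2756, ATTRIB, r"attrib -s -r -h C:\Windows\system32\drivers\etc\hosts"),
    ProcEvent(2640, ATTRIB, r"attrib +s -r +H C:\Windows\system32\drivers\etc\hosts"),
    ProcEvent(2656, ATTRIB, r"attrib +r +s -H C:\Windows\system32\drivers\etc"),
    ProcEvent(2820, ATTRIB, r"attrib +r +H +s C:\Windows\system32\drivers\etc\hosts"),
    # Last attrib line of the report: 'hosts' spelled with Cyrillic o (U+043E).
    ProcEvent(2856, ATTRIB, "attrib +r +s C:\\Windows\\system32\\drivers\\etc\\h\u043ests"),
    ProcEvent(2552, r"C:\Windows\SysWOW64\reg.exe",
              r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "button" /t REG_SZ /d "C:\Windows\system32\button.bat" /f'),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"PID {f.pid}: {f.rule}: {f.detail}")
```

Run against the constructed events, the hosts rule fires on exactly the two processes the sandbox tagged "Sets file to hidden" (PIDs 2640 and 2820), the Run-key rule on 2552, and the non-ASCII rule on 2856; the unhiding run (2756) and the attrib on the etc directory (2656) are correctly left alone.
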
    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

      Filesize

      859KB

      MD5

      754309b7b83050a50768236ee966224f

      SHA1

      10ed7efc2e594417ddeb00a42deb8fd9f804ed53

      SHA256

      acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

      SHA512

      e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

    • C:\Users\Admin\AppData\Local\Temp\435.tmp\end.bat

      Filesize

      267KB

      MD5

      7587b2b0a5fc82e9e4cc74ce46ace872

      SHA1

      ca819f39b8ad8e94fdf21dc9df86df47ba637d53

      SHA256

      8a9dd393be84dcd564241a4f277605c91c237147ac5db202bc4b5536e2e1dce4

      SHA512

      328f0613548c6014a072c7772d4822cea14b2637f009dc948271f19bc56d4b52af5b9f5c1767b686b6c31e2855a0520dacbb0f6868753a2c6aef53592f17a096

    • C:\Windows\System32\drivers\etc\hosts

      Filesize

      1KB

      MD5

      ee78bd138aebea10902115d93a9ac62f

      SHA1

      f380000215fda9a1978669a16b2d4d041c186f12

      SHA256

      8c8c206ec7fcccd5b86ea8026b21649988cdb4cbea4af346029737552b6e381b

      SHA512

      09a252dcfb572e3965c0d98e4593650f5105fd72bcbea25b7ff79f730dc8bec65207a73fbb91b974534b4e84ef9722e71808ffd1e0a8edd70a981271a78e16c9

    • C:\Windows\System32\drivers\etc\hosts

      Filesize

      4KB

      MD5

      04085f0fc8a04703aa8d9d616726f0fc

      SHA1

      86ec391a6928845e6a67d91b2234a5cda1b51378

      SHA256

      6d8a3b6c60e361aadce048f41bc0cdc69a8e41b0b8c322986e8baeffe0e33394

      SHA512

      8b786d82e92af10ddf9e9fe059ca062a93c3adf2ec8d228d3cbb2b25ce664c741944de40cd0ca67c92cb80f90fd2db697e5c94a8f51a69834210c8d5bf991916

    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

      Filesize

      252KB

      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    • \Users\Admin\AppData\Local\Temp\3582-490\65fda9d498ea814cd952167dcf175353_JaffaCakes118.exe

      Filesize

      55KB

      MD5

      c6f1b034bffaf62bc1254e72c9aa1662

      SHA1

      83725b60cfd544154ef71e78a0ebf777885a92b2

      SHA256

      a19351ba29d0b6ddb6bc0999d8c52a6440ffeb09eb7b02f614b3c2f4a816f671

      SHA512

      ff789248d206697665a61d3ed781e4f797641c3f81aaf94e3d24801b384b4780b7b546c3e61f73b8166735cbfc1d342216c1c5910858ef8db1255cefc5c5504f

    • memory/2292-4-0x0000000002790000-0x00000000027E6000-memory.dmp

      Filesize

      344KB

    • memory/2292-755-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2292-756-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2292-757-0x0000000002790000-0x00000000027E6000-memory.dmp

      Filesize

      344KB

    • memory/2292-758-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2292-759-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2292-761-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2876-11-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

    • memory/2876-743-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB