Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240709-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    23-07-2024 03:40

General

  • Target

    65fda9d498ea814cd952167dcf175353_JaffaCakes118.exe

  • Size

    96KB

  • MD5

    65fda9d498ea814cd952167dcf175353

  • SHA1

    65434c10b454627ec6e72fda161cf9442ea34485

  • SHA256

    93036a31d57bb484184a6e56f3c85e028421c2c895859bb6ff8b0d7b50eb9c9d

  • SHA512

    e949c8ed63379e0c40894470423738424ba17fb6e334f3f64dcf1e7223233017427f796ec48ec8778997c79dabb89e9f6299e2052d24c62bd84cfad246ca6e64

  • SSDEEP

    1536:yxqjQ+P04wsZLnDrCTcICnouy8jPcVo6r7S/rab+Ee6S9GcUxW:zr8WDrCTchoutU7cWb6EcUg

Malware Config

Signatures

  • Neshta

    Neshta is a file infector: it writes its own body into other executables so that launching any infected program runs the virus first. The virus then drops the original program and executes it (here from the 3582-490 subdirectory under %TEMP%, as a 55KB dropped EXE with the same file name), so the host application still appears to work.

  • Drops file in Drivers directory 2 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes so the file no longer appears in Explorer or in a default directory listing. Here the real hosts file is hidden (+H) while a look-alike named with a Cyrillic о (U+043E) in place of the Latin o is left visible beside it (see the attrib commands under Processes).

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, most likely as a geofence check before running the payload.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX or with a modified build of the open-source UPX packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Views/modifies file attributes 1 TTPs 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65fda9d498ea814cd952167dcf175353_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\65fda9d498ea814cd952167dcf175353_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Users\Admin\AppData\Local\Temp\3582-490\65fda9d498ea814cd952167dcf175353_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\65fda9d498ea814cd952167dcf175353_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4244
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\830B.tmp\end.bat" "
        3⤵
        • Drops file in Drivers directory
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4360
        • C:\Windows\SysWOW64\chcp.com
          chcp 1251
          4⤵
            PID:4328
          • C:\Windows\SysWOW64\attrib.exe
            attrib -s -r -h C:\Windows\system32\drivers\etc\hosts
            4⤵
            • Views/modifies file attributes
            PID:2400
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s -r +H C:\Windows\system32\drivers\etc\hosts
            4⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:2784
          • C:\Windows\SysWOW64\attrib.exe
            attrib +r +s -H C:\Windows\system32\drivers\etc
            4⤵
            • Views/modifies file attributes
            PID:2984
          • C:\Windows\SysWOW64\attrib.exe
            attrib +r +H +s C:\Windows\system32\drivers\etc\hosts
            4⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:4980
          • C:\Windows\SysWOW64\attrib.exe
            attrib +r +s C:\Windows\system32\drivers\etc\hоsts
            4⤵
            • Views/modifies file attributes
            PID:2620
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "button" /t REG_SZ /d "C:\Windows\system32\button.bat" /f
            4⤵
            • Adds Run key to start application
            PID:5096
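
Detection logic for this chain, as an added example that is not part of the sandbox report: it replays the process tree above as constructed events (PIDs and command lines as listed there) and flags the real hosts file being hidden, the look-alike hosts name built from a Cyrillic о, the Run-key entry pointing at a batch file, and the Neshta pattern of relaunching a same-named copy from the 3582-490 subdirectory. The event fields, rule names and the small confusables table are this example's own assumptions, not anything the report or the malware defines.

```python
"""Detection rules for the Neshta / hosts-tampering chain shown above.

Added example, not part of the sandbox report. EVENTS is constructed from
the PIDs and command lines in the report's process tree.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = no parent recorded
    image: str
    cmdline: str


# Cyrillic -> Latin look-alike letters. Assumption: a hand-picked subset of the
# Unicode TR39 confusables, enough for short names such as "hosts".
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u04bb": "h",
})

ETC_NAME = re.compile(r'drivers\\etc\\([^\s"\\]+)', re.IGNORECASE)
RUN_KEY = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?HK(?:LM|CU|EY_LOCAL_MACHINE|EY_CURRENT_USER)'
    r'\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\b', re.IGNORECASE)
RUN_DATA = re.compile(r'/d\s+"?([^"]+?\.(?:bat|cmd))"?(?:\s|$)', re.IGNORECASE)


def skeleton(name: str) -> str:
    """Fold look-alike letters to Latin so "hоsts" (Cyrillic о) equals "hosts"."""
    return name.lower().translate(CONFUSABLES)


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) pairs for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        tokens = e.cmdline.split()
        # attrib +H on the real hosts file (attrib takes the path as last argument)
        if basename(e.image) == "attrib.exe" and len(tokens) > 1:
            flags = {t.lower() for t in tokens[1:] if t[0] in "+-"}
            target = tokens[-1]
            if ("+h" in flags and "\\drivers\\etc\\" in target.lower()
                    and basename(target) == "hosts"):
                hits.append(("hosts_hidden", e.pid))
        # any non-ASCII name under drivers\etc that folds to "hosts"
        for name in ETC_NAME.findall(e.cmdline):
            if not name.isascii() and skeleton(name) == "hosts":
                hits.append(("hosts_homoglyph", e.pid))
        # Run key whose data is a batch script
        if RUN_KEY.search(e.cmdline) and RUN_DATA.search(e.cmdline):
            hits.append(("run_key_script", e.pid))
        # Neshta: same-named child launched from the 3582-490 drop directory
        parent = by_pid.get(e.ppid)
        if (parent and "\\3582-490\\" in e.image.lower()
                and basename(e.image) == basename(parent.image)):
            hits.append(("neshta_relaunch", e.pid))
    return hits


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "65fda9d498ea814cd952167dcf175353_JaffaCakes118.exe"
SYS = r"C:\Windows\SysWOW64"
ETC = r"C:\Windows\system32\drivers\etc"

# Constructed from the process tree in the report.
EVENTS = [
    ProcEvent(2456, 0, f"{TEMP}\\{SAMPLE}", f'"{TEMP}\\{SAMPLE}"'),
    ProcEvent(4244, 2456, f"{TEMP}\\3582-490\\{SAMPLE}", f'"{TEMP}\\3582-490\\{SAMPLE}"'),
    ProcEvent(4360, 4244, f"{SYS}\\cmd.exe",
              f'C:\\Windows\\system32\\cmd.exe /c ""{TEMP}\\830B.tmp\\end.bat" "'),
    ProcEvent(4328, 4360, f"{SYS}\\chcp.com", "chcp 1251"),
    ProcEvent(2400, 4360, f"{SYS}\\attrib.exe", f"attrib -s -r -h {ETC}\\hosts"),
    ProcEvent(2784, 4360, f"{SYS}\\attrib.exe", f"attrib +s -r +H {ETC}\\hosts"),
    ProcEvent(2984, 4360, f"{SYS}\\attrib.exe", f"attrib +r +s -H {ETC}"),
    ProcEvent(4980, 4360, f"{SYS}\\attrib.exe", f"attrib +r +H +s {ETC}\\hosts"),
    # The report shows this name with a Cyrillic o (U+043E) in place of the Latin o.
    ProcEvent(2620, 4360, f"{SYS}\\attrib.exe", f"attrib +r +s {ETC}\\h\u043ests"),
    ProcEvent(5096, 4360, f"{SYS}\\reg.exe",
              r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
              r'/v "button" /t REG_SZ /d "C:\Windows\system32\button.bat" /f'),
]

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:16} pid={pid}")
```

The homoglyph rule is the one worth carrying into production telemetry: the other three fire on any hosts-file tampering or batch-file persistence, but a non-ASCII file name under drivers\etc that folds to "hosts" has essentially no benign cause, and the chcp 1251 call that precedes it in this tree is the batch script switching to a Cyrillic code page so that the look-alike name survives cmd.exe's argument handling.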

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

      Filesize

      2.4MB

      MD5

      d9e8a1fa55faebd36ed2342fedefbedd

      SHA1

      c25cc7f0035488de9c5df0121a09b5100e1c28e9

      SHA256

      bd7696911d75a9a35dfd125b24cb95003f1e9598592df47fa23a2568986a4a9a

      SHA512

      134644c68bd04536e9ea0a5da6e334d36b1ce8012a061fa6dabd31f85c16a1ac9eee8c40fee3d55f25c4d4edf0672de8ce204e344c800361cbcff092c09d7a33

    • C:\Users\Admin\AppData\Local\Temp\3582-490\65fda9d498ea814cd952167dcf175353_JaffaCakes118.exe

      Filesize

      55KB

      MD5

      c6f1b034bffaf62bc1254e72c9aa1662

      SHA1

      83725b60cfd544154ef71e78a0ebf777885a92b2

      SHA256

      a19351ba29d0b6ddb6bc0999d8c52a6440ffeb09eb7b02f614b3c2f4a816f671

      SHA512

      ff789248d206697665a61d3ed781e4f797641c3f81aaf94e3d24801b384b4780b7b546c3e61f73b8166735cbfc1d342216c1c5910858ef8db1255cefc5c5504f

    • C:\Users\Admin\AppData\Local\Temp\830B.tmp\end.bat

      Filesize

      267KB

      MD5

      7587b2b0a5fc82e9e4cc74ce46ace872

      SHA1

      ca819f39b8ad8e94fdf21dc9df86df47ba637d53

      SHA256

      8a9dd393be84dcd564241a4f277605c91c237147ac5db202bc4b5536e2e1dce4

      SHA512

      328f0613548c6014a072c7772d4822cea14b2637f009dc948271f19bc56d4b52af5b9f5c1767b686b6c31e2855a0520dacbb0f6868753a2c6aef53592f17a096

    • C:\Windows\System32\drivers\etc\hosts

      Filesize

      1KB

      MD5

      9d86d0ef016df89edd6ac30c48ed5418

      SHA1

      b97909e0e810c18df521f20759af43241c8700d2

      SHA256

      5369a346a83a46e176e85a39ea14489f949514dc85b7f81d936fc243d71a4233

      SHA512

      a25c77afb10f0ed0adc1c9a59f40bc53dd4e0d54b49a53fcf4a7f22a57ac84025321bcf137641a1a1818d49a0e4c2f443f83ee83ac7a6ec9500c50d1fd0b24f9

    • C:\Windows\System32\drivers\etc\hosts

      Filesize

      4KB

      MD5

      f84f78b89cbb5aeb42768b8e153b004e

      SHA1

      d55251caa6c88cd07c70bb3be6948204f94ee33f

      SHA256

      f9d304d34520daf475f8bda3bf3c8918071c1ddb829526a2b2ec50253e6b9d58

      SHA512

      d87f30fd7ff7aa879b7bc93a61f8d2ef4ee3573620805e6d03f91db9e8a266dbf70388df7c251c244a069b2039326775d293da465e95f1ce4d1e3cf2e73b39e7

    • memory/2456-757-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2456-758-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2456-760-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/4244-13-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

    • memory/4244-690-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB