General

  • Target

    6b65d16819c11909c173bc739400e51b_JaffaCakes118

  • Size

    6.4MB

  • Sample

    240724-na1dcswfnb

  • MD5

    6b65d16819c11909c173bc739400e51b

  • SHA1

    f5e07e441b1e09134a7bb86181794257a84f5da9

  • SHA256

    dff7f1c7e54ab1435f0a6fcfca94f41f13366eceef5075de882a9aa26480bb04

  • SHA512

    f3bee6239304819d1a896b4aa032f01d37aad0dcf6f287aab337b54109751397a6b8eb8e8249fa0a12fb6729c4f78dc58cb8267f41e0b976c3124d24a6952574

  • SSDEEP

    98304:arPpaGIqh8wOlPoF9P/3FRgWtrB6tgF/Hmvj/b1yJcmPlJCrJYi749QbdRhFRRLw:aIByF1PgdtgF/Hmvl9mLCWgGQbzhdUyk

Malware Config

Targets

    • Target

      VHE/Valve Hammer Editor/UNWISE.EXE

    • Size

      201KB

    • MD5

      c27234be4b7317b9fb346aeb673604c4

    • SHA1

      fc0ebd6d39c3077a3425dfa5095359e24cd90ad0

    • SHA256

      fc5425db28df7d0bd1216cc8227fb0c42fe643c7952b1a14b230d084ad74d34e

    • SHA512

      23dc6b3a434e0eb9b9324cc67f2fa771a33d4c55fc57dde175c6d513bf07ca83ff2b3c6858be096e36624737974962e696f45fcb67105e2e5b3d63ed352724a8

    • SSDEEP

      1536:JxqjQ+P04wsmJC5iAuSifjPRcU27+YoFnWtoXLJYHAUso4emQiBW4K:sr85C5iAsF27+YoFnWyJYHAUv4eViA4K

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Target

      VHE/Valve Hammer Editor/ZHTL/CCXX32.dll

    • Size

      76KB

    • MD5

      8cd2717b45e837b9f23809b8dacd0426

    • SHA1

      0e58aa0e1b185163046b5a90601589ffd55f5259

    • SHA256

      df2df1fcc55aecec20d3fd0ae77d9881f25f3b27b6e723b593385a45070bd064

    • SHA512

      4c9c5e8486992b9ff7b747842016054850b2590c4674281c2e0ca05b04ce6a9fe1b4aa7b0de9a6dae1ad62eca86cfee0dabbfe7896b2482cb20e14185be152dd

    • SSDEEP

      1536:f9TZ3/WLhuujC8VP08LT6gsdtlW/ldqWTXqJ:1Tt/+4uu8VP08xsdubqeXq

    Score
    3/10
    • Target

      VHE/Valve Hammer Editor/ZHTL/ZHLTIntro.html

    • Size

      3KB

    • MD5

      c2d718a36af106f382704a21c4da9c6a

    • SHA1

      c40e3c8401aa9ef833146ca8a4091320c314b139

    • SHA256

      10344c85287505a062cbf6c0d5eb36ce804936a4c3cb22576b1dc37bf9e30880

    • SHA512

      71fb7842b6ea1accf7354780d646d577d490cf7138cf4a70342bbcfa780b0022e9cc8e46e8f13097e4510fec93cfce6ee1f126fb62576fe2cdf5dabe4f339d79

    Score
    3/10
    • Target

      VHE/Valve Hammer Editor/ZHTL/ZHLTProblems.html

    • Size

      13KB

    • MD5

      d3f721c1a7b969990758029c2217b97a

    • SHA1

      d4d52105ad15b2b74b4205f1a64333da0dcaf5d0

    • SHA256

      b2d69e8bfbaa42951ee2be377b417c89fbff47371af6c36be0c56470de673f38

    • SHA512

      1de0e0e87f32333d899604b07d982b369e35e581060058e5b991ba39b5f341658520a2396db84b590805bf456dd362954c260b728f07e3a402f39a0e4120099f

    • SSDEEP

      384:n9CTc5kF67bRKgrWznupNZrv/I9JZo7j8F:nvk4Rlr0uvZDd8F

    Score
    3/10
    • Target

      VHE/Valve Hammer Editor/ZHTL/ZHLTReference.html

    • Size

      23KB

    • MD5

      ae2a0f297228e2a7351e326cfe984f6f

    • SHA1

      b19ad1ee59c8d00afc854f71893bac17caeab98f

    • SHA256

      be90de60315eb6abb9eecef345cf100a4e5e53fa59f171efa9e7c8bf040ec9a1

    • SHA512

      68982d6a67de0897997ae28371ec74d2427fd4eb980fa06b75c2fd5fc609df5ad2f8b5b183b4af85810560b4e6ff5acefc818ef50a762222255754b4ee094768

    • SSDEEP

      192:KT0I7x3NCqfMYdI3oX12okJyjzqv/EpD0oOPVEX3JjTgQpmGVGhcarNs4HTTgQKx:Ivy5uIO17MEV0LeZ0akfcQ52fD

    Score
    3/10
    • Target

      VHE/Valve Hammer Editor/ZHTL/ZonersHalflifeTools.html

    • Size

      48KB

    • MD5

      80680dd58eb4672c10176443bddf20d7

    • SHA1

      7dbdb38e2b55184ce006145db5f2edfe890f3e71

    • SHA256

      c9f460e770f6983a91e48fd3f33a998f6ad1ff0ee0e9d34bcf815d5d8a4a3c9c

    • SHA512

      87d27fa0975f5dbb550379d8f7d4af6f04e27ae93d5ee2a66bcb5dfb9c441013d0ba8b66780b69c2208b336baf90a47eb6d93c221b031f45499871c4ec775a3d

    • SSDEEP

      768:oh18mKFt8rsP/F4EZZmlVABvmYLSKJ4gD4tHwev2qexyzEfsrI:oh18mKFt8rsP/F46mlVhYLSKqgDSSffz

    Score
    3/10
    • Target

      VHE/Valve Hammer Editor/ZHTL/hlbsp.exe

    • Size

      196KB

    • MD5

      0cbd5ef39d80a9c48d54edf57f9c02d6

    • SHA1

      2a86fee2964add2534e0bf99e9f28877a9e75954

    • SHA256

      99085ecc4293969ce59384c54514088123939265722d9ea74b8fbad44c459345

    • SHA512

      3713b5166b745df8bf3cba17c19487f0781e5cddad00a1932bac024c4d433344c185dd7c252793d53c0da1c065eb5e494bd22ddfc00bf0e3b300b67c5cb9eb35

    • SSDEEP

      3072:sr85CCrcTiVJrhm+l2DKUpB0O44O83LbvwXIjq:k9HTchL0pKSZ3LbvwV

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Target

      VHE/Valve Hammer Editor/ZHTL/hlcsg.exe

    • Size

      224KB

    • MD5

      185c648f3b42d4878900662ee63f2166

    • SHA1

      ab25f5c849d2f0ed3bdf756d623768fe7161b5ab

    • SHA256

      c0ccb026f2eb3edda0702e31d96705164604e0cc47fcd836948fabe9c840b06c

    • SHA512

      03114f46952ea0013804551af010295fe2673dfa6042ff7970edac6e478229babed130740a8b3bfaf8245ceb5a10aa19728b115b4390595f0773b61be9eb3edb

    • SSDEEP

      3072:sr85C20QZgcfd4CpCTZeWSFK7bF+CWWCkyK6BwFXcXTgcV+tKuu/J:k92l1f2GCTZeWSk75zUJScXTNuux

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Target

      VHE/Valve Hammer Editor/ZHTL/hlrad.exe

    • Size

      264KB

    • MD5

      0b2df245edf658d735b9479fa36c5ed6

    • SHA1

      2b15cb890543c0320893d841836af7abfd65f73c

    • SHA256

      632d8ef27651d923d83c72f54a0688793b61f012f38cb916308ec7748c030064

    • SHA512

      02210ae97074e76985c51a914ceadbc9e37b7dee06c9357e6b47de613fe79c027ebec6e827d253511501a836fcb27294b7ea6e61fe0a188eb78cc459b50bc1a6

    • SSDEEP

      6144:k9SSD8wRLhHFbHG5UwcyCa/0p0ynDt7U3ST:TSDbRfcUwch2ku3ST

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Target

      VHE/Valve Hammer Editor/ZHTL/hlvis.exe

    • Size

      180KB

    • MD5

      8d6e1a5c95062b0d5ac3fd7f782e0e9d

    • SHA1

      11191e348198b580df9b8b19c670c7d58d553ad9

    • SHA256

      7a26c0046de87345be5bcfa199feb379c61ee3f0c88cb2a47f43c2b16cb76635

    • SHA512

      36cd83cebe9500367deb3a887eb8e93f55b70d0adea4c64f0a7ccc1a7c6cbd26729206cd8db54ac5c4f09ced5fc32b30c0be9f6374e80ac6c52a912b923217e5

    • SSDEEP

      3072:sr85CQQyUINbF2RPcKAD3pXdxnnrCs8sO3BqPOEVNM:k9hwbwep/GfxqGaNM

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Target

      VHE/Valve Hammer Editor/ZHTL/instructions.html

    • Size

      18KB

    • MD5

      bec2c9869da3564cbefc95b9e32323ff

    • SHA1

      c78dcbe0db2c88a902e6f6859afc62151cf3cbee

    • SHA256

      112b3f702ce5d7fa8121064b84998f17d382a52d45759713818d704f490e47d2

    • SHA512

      779cb3f4274b8164ea98821f306fe111831ff8b91bad53b3ff052680837c3d5872b46d81cb9eb68a3af82e59f97e17b4b967e161236add1dfb05df77fb43b979

    • SSDEEP

      192:uodxlYIsupR7L9IzbeOOCHxZHyVv8VJgsNrviGz3NiLH0tQ14z6hAzpQ79yWq6xv:Xxo8h6OC3VCOhzgb0+irzeD

    Score
    3/10
    • Target

      VHE/Valve Hammer Editor/ZHTL/netvis.exe

    • Size

      284KB

    • MD5

      836adfd22e029b5036f92f801a1a46de

    • SHA1

      0d244a89a65fb7a89c75daa79b1b8be092bfd657

    • SHA256

      65886c57faea089ea517783d7f644c00af2f85816bc474271427546d0d7d6f83

    • SHA512

      ad6bd18231a09441af0e8b62ee29339c838cfb33272ab13bd5e6a7159769a297d8c0925d1ba21ccf512defa2906206a282f7c21c1305ef2e19f5ff7e5b7ee8fa

    • SSDEEP

      6144:k92HgcGh5iwuoUMhbgLmqOYvy1caHJ8dVQhcIs:JLGuoUMhamqOGIjujIs

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Target

      VHE/Valve Hammer Editor/ZHTL/netvis.html

    • Size

      2KB

    • MD5

      c6440d271c17047cfc8e3750ab0ccc08

    • SHA1

      fc9597e2403d3d5104ad648ea81df17993c81245

    • SHA256

      e5260ec58d66e566a6369bc40e4484841aae73adb975e77bec89303c28dca29b

    • SHA512

      ee03650f726aa141a5b75eca9afdfab43da0d1f3929db60ac28c637e76b4d950c3b77c9f4904a875a1b26fef9c7967e9ccd1c7ff2a8ef08668b01f41c0481cb3

    Score
    3/10
    • Target

      VHE/Valve Hammer Editor/ZHTL/numberbrush.pl

    • Size

      1KB

    • MD5

      092c9f665af263062ef413eb87905d5d

    • SHA1

      2bc00c3259a88ca1469dd45cccfc79b8309e81bc

    • SHA256

      06033f9583aabe56326afe0b427a6a01185d53333ed548ef5eabdd1fd5ec1d3c

    • SHA512

      db8a9a12177d30713f782b3ea5815d34d9d9bec79f1d8146ebed7246a92e1e2f54c7e2c97fc7d67a5e4c1f47af3fc43bab661a769988c93c376ba29181d19365

    Score
    3/10
    • Target

      VHE/Valve Hammer Editor/ZHTL/ripent.exe

    • Size

      120KB

    • MD5

      c3176ee2a438bb615339b8e28fd34ff0

    • SHA1

      548e78c6bcbd2193ae377535c0e4edd483f81f8f

    • SHA256

      0acff5ad93219431eb14e4e5007bbc6853ea91f7d0b2e44f6d5e834e8f45a89b

    • SHA512

      56229b95676cea3fa76f96fd5404595a8b6143a461d1444674869ae7e2821d1628f0dfe53bf797a2bfeeb642d3d0366f5696c4eb52be53b0b0cab14095b047fc

    • SSDEEP

      1536:JxqjQ+P04wsmJCNA+tNGsKoqvRRZl9+PSQ1BTsPEOpC3Afw8:sr85CNBtNGsKpRHl9+PjslpU8

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Target

      VHE/Valve Hammer Editor/ZHTL/ru.bat

    • Size

      289B

    • MD5

      058239ae87781e61579c0bc7bfeadb0c

    • SHA1

      ef4f803446c1a287b8751957d7bea99a11cdfbc6

    • SHA256

      346f869a023ebbdca2fc532fe68784cec4df0d84fa22bf6dbe746ca9af1469fe

    • SHA512

      3bb44bd03622f09c473907f4b376298ee29d1c7fe67f5ef2eaf7787f003638016396620013f19245202c9dbc7ad4574436db651a864a8ab9fb167d1fbc8c14ec

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

MITRE ATT&CK Enterprise v15

Tasks

static1

neshta
Score
10/10

behavioral1

neshta discovery persistence spyware stealer
Score
10/10

behavioral2

neshta discovery persistence spyware stealer
Score
10/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

neshta discovery persistence spyware stealer
Score
10/10

behavioral14

neshta discovery persistence spyware stealer
Score
10/10

behavioral15

neshta discovery persistence spyware stealer
Score
10/10

behavioral16

neshta discovery persistence spyware stealer
Score
10/10

behavioral17

neshta discovery persistence spyware stealer
Score
10/10

behavioral18

neshta discovery persistence spyware stealer
Score
10/10

behavioral19

neshta discovery persistence spyware stealer
Score
10/10

behavioral20

neshta discovery persistence spyware stealer
Score
10/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10

behavioral23

neshta discovery persistence spyware stealer
Score
10/10

behavioral24

neshta discovery persistence spyware stealer
Score
10/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
3/10

behavioral27

Score
3/10

behavioral28

Score
3/10

behavioral29

neshta discovery persistence spyware stealer
Score
10/10

behavioral30

neshta discovery persistence spyware stealer
Score
10/10

behavioral31

neshta discovery persistence spyware
Score
10/10

behavioral32

neshta discovery persistence spyware
Score
10/10