Analysis
-
max time kernel
149s -
max time network
114s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
25-11-2024 14:27
General
-
Target
9c123a09cb57f3b95f8e51a9fc2579a9_JaffaCakes118.exe
-
Size
976KB
-
MD5
9c123a09cb57f3b95f8e51a9fc2579a9
-
SHA1
8db03484918b05e7c7b0d000aab2220dd4490564
-
SHA256
d1da6ec1ad358e81b983f7fd9aefd36fcdbbd8beaee7b0b81827de2596fa9f2a
-
SHA512
b1937ed3c182794d03292f76eb76deb4bc5bb1428462ded1675be8d0abdd140e9216e2e828dd514884c61ad794583f56f58aede0b96e70f242e56ca1eaa51c0b
-
SSDEEP
24576:Ngc1riyXHE/S1GNiLNjlGDcw30bboJ4ZHPTV9XF7A7:Ngc1uMHB1SiLNpGDcjYJ4ZvPF
Malware Config
Signatures
-
Detect Neshta payload 8 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Neshta family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 5 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c123a09cb57f3b95f8e51a9fc2579a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9c123a09cb57f3b95f8e51a9fc2579a9_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CFPRO.exe"C:\Users\Admin\AppData\Local\Temp\CFPRO.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\CFPRO.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\CFPRO.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5c01⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD52f6ecb53e1afc9a2452195cc3271b55d
SHA10a6d79b1ea009057db409a6792ab85e56689deea
SHA256925c807598109bc0f81d5c9d18046c601b298ff1f14c0e175fd5ef35c9cbac74
SHA512dbf8b80030bb2be89f54b2118db54a635f953d888e843e77dfbfa0fa7452024f22f98204f521cb02f552277894525ce30bfee5ee1ce716e87f870a310008651a
-
Filesize
676KB
MD5839a9f73728a06d85213f93e188feb4b
SHA101525dcfde54702ecebaa807dc02d1b8a770119d
SHA256f2ad907999b2ef16ee6a7bde95750e15c7da0dc97f6dd96c626bf64f5e7ccab9
SHA512cba36b05e8dc0da00aa03ea1080301fd00b5b71e1081bc482d249cf5aa8b892ad74bc03675ee9e5dbe897b86fb7197fcd6b0c3f3430924ae1d04352eb915afa1
-
Filesize
3KB
MD53f821ada778691e677aef2cea8c4b4f6
SHA1643e7b729b25c2f800469623191dc837798e9d50
SHA2567510035d553a99fbf93eb67737b2df057ce096fa1ed7aad83cfd559e11f2320d
SHA5128993a8ad28ed4035a022d1b7274c77a97b8235b2ddcd5e6d29f7230d375851539900d4ace652c94c4be8a8284ffd86501df420385a6e680df4222c162deff4d5
-
Filesize
900KB
MD5fb48bc20cf4bcf8c2961a7049e59754a
SHA1dc89ab96ad07d2cdeda425d2024552c6783165b9
SHA25628f446ab447ea82d0c2165f4a474177ed654fbc069e01e2d56235922cbbcd8a7
SHA5128e7d434c36785f09bf8a87ad3f6867fbc8b9efc6625effcb51f2918092262a2addecd6fe6a6e64e3e3907b4c705f5560b583898c0a2a8638e0b7a0ea5fcf5b6b
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
Filesize
860KB
MD5539d1008308475ddeea16a5b1cf6f0b1
SHA1ace91263ff5566929f320370a24e987de4b39228
SHA256dd7d13dd866b994d6fe64d34b61d7e6511c12cd3bfed9a85223472697a960468
SHA51211772f4fef2ac08b918c5ab927034cd4859cff7f5cc478b04e622a3e3622289c5b774e285b551120016d5d9577ddd0c9dc641ce8bd9f8a98a931836a2f4e5027
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.8MB
-
Filesize
16.4MB
-
Filesize
8KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB