Overview

overview

10

Static

static

10

b78011a22c...18.exe

windows7-x64

10

b78011a22c...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b78011a22cc4226acf52abd21e62f47a_JaffaCakes118

  • Size

    210KB

  • Sample

    241202-jaxj9avqfv

  • MD5

    b78011a22cc4226acf52abd21e62f47a

  • SHA1

    103729da12ada8d53c9bfb36096f73eb258e3683

  • SHA256

    f57655066ebcdaf2124891f3eb14cc6e0a03b82f49343a9ce342bb8d5727df44

  • SHA512

    00ed133830a37357eea70bef9c25f885f92cb4d29bbe8a47c2a543d6c8dc4fd8a9666b70b2a00e36e29cafe25105e8c4ceda16875217ec2bc20004a1c9c6df65

  • SSDEEP

    3072:sr85CEIHIjsTee3hYzmEG69rTeQ4yMx/gfytY0ss2pn7sW7tiosehb1:k9QspRYDZ9NHa6/0sTp7sWZ/h5

Score
10/10
neshtacredential_accessdiscoverypersistencespywarestealerupx

Malware Config

Targets

    • Target

      b78011a22cc4226acf52abd21e62f47a_JaffaCakes118

    • Size

      210KB

    • MD5

      b78011a22cc4226acf52abd21e62f47a

    • SHA1

      103729da12ada8d53c9bfb36096f73eb258e3683

    • SHA256

      f57655066ebcdaf2124891f3eb14cc6e0a03b82f49343a9ce342bb8d5727df44

    • SHA512

      00ed133830a37357eea70bef9c25f885f92cb4d29bbe8a47c2a543d6c8dc4fd8a9666b70b2a00e36e29cafe25105e8c4ceda16875217ec2bc20004a1c9c6df65

    • SSDEEP

      3072:sr85CEIHIjsTee3hYzmEG69rTeQ4yMx/gfytY0ss2pn7sW7tiosehb1:k9QspRYDZ9NHa6/0sTp7sWZ/h5

    Score
    10/10
    neshtacredential_accessdiscoverypersistencespywarestealerupx

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Neshta family

      neshta

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks