Analysis

max time kernel: 149s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 13-12-2024 22:21

Static task: static1

Behavioral task: behavioral1
  Sample: ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

Target: ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe
Size: 276KB
MD5: ecfcbc023a38101cb72ccdb9415f0f30
SHA1: 44bc603abaa9645bf92bcd66bc4082857a650d02
SHA256: e9dd2db83f306bea4bdec8c3b742463e8402cbf8fa97bdd1e4b29705459b327a
SHA512: c2d94e6d65b66dc803692fdc9c063a3617c5442b1f936a1bb2679485115df6a6e8f9107e5b9b6a3766b28ba46f416dc32d42007961c03864b8b93ee8b8d67557
SSDEEP: 6144:f0mlvQ0gZfVDEy+OzSQumHIi3Vum7QckbA2Adg7JtrKit05X:tV1aNE1YSl/G900GN5f05X
Malware Config

Extracted
Protocol: ftp
Host: 31.170.165.18
Port: 21
Username: u194291799
Password: 80997171405
Signatures

- Detect Neshta payload (5 IoCs)
  resource | yara_rule
  behavioral1/files/0x00080000000197fd-13.dat | family_neshta
  behavioral1/memory/2380-116-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2380-118-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2380-120-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2380-122-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
- Neshta
  Malware from the Neshta family is designed to inject itself into other files in order to spread and cause damage.

- Neshta family
- Executes dropped EXE (4 IoCs)
  pid | Process
  2200 | rusold1.exe
  2380 | LOIC.exe
  2868 | LOIC.exe
  2136 | RSBS.exe

- Loads dropped DLL (6 IoCs)
  pid | Process
  2104 | ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe
  2104 | ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe
  2104 | ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe
  2104 | ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe
  2380 | LOIC.exe
  2380 | LOIC.exe

- Modifies system executable filetype association (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | LOIC.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\WINDOW~4\ImagingDevices.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | LOIC.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | LOIC.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | LOIC.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE | LOIC.exe
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\ufr_reports | RSBS.exe
  File opened for modification | C:\Windows\svchost.com | LOIC.exe
  File opened for modification | C:\Windows\RSBS.exe | rusold1.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RSBS.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rusold1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LOIC.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LOIC.exe
- Modifies registry class (1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | LOIC.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe
  Token: SeIncBasePriorityPrivilege | 2868 | LOIC.exe
  Token: 33 | 2868 | LOIC.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2104 wrote to memory of 2200 | 2104 | ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe | 30
  PID 2104 wrote to memory of 2200 | 2104 | ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe | 30
  PID 2104 wrote to memory of 2200 | 2104 | ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe | 30
  PID 2104 wrote to memory of 2200 | 2104 | ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe | 30
  PID 2104 wrote to memory of 2380 | 2104 | ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe | 31
  PID 2104 wrote to memory of 2380 | 2104 | ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe | 31
  PID 2104 wrote to memory of 2380 | 2104 | ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe | 31
  PID 2104 wrote to memory of 2380 | 2104 | ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe | 31
  PID 2380 wrote to memory of 2868 | 2380 | LOIC.exe | 32
  PID 2380 wrote to memory of 2868 | 2380 | LOIC.exe | 32
  PID 2380 wrote to memory of 2868 | 2380 | LOIC.exe | 32
  PID 2380 wrote to memory of 2868 | 2380 | LOIC.exe | 32
  PID 2200 wrote to memory of 2136 | 2200 | rusold1.exe | 33
  PID 2200 wrote to memory of 2136 | 2200 | rusold1.exe | 33
  PID 2200 wrote to memory of 2136 | 2200 | rusold1.exe | 33
  PID 2200 wrote to memory of 2136 | 2200 | rusold1.exe | 33
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe (PID 2104)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\rusold1.exe (PID 2200)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rusold1.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\RSBS.exe (PID 2136)
      Command line: C:\Windows\RSBS.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery

  Depth 2: C:\Users\Admin\AppData\Local\Temp\LOIC.exe (PID 2380)
    Command line: "C:\Users\Admin\AppData\Local\Temp\LOIC.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\3582-490\LOIC.exe (PID 2868)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\LOIC.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 24KB
  MD5: 330f312046222872a7976e575c033b5d
  SHA1: ff0f741a4d35c5653702f466f7bb62669aa2d8b8
  SHA256: 8d9e06526f7ab2418625ac62382186e3db1d0e45fa8156bdc2bb914e818f00cc
  SHA512: c53abcfe1efab6a13a2cf577c8fa611021449a547ecffaea20e0fc374467d10cb730de760f489e3700ae5b95af14117f64b4289deac8fe613e4cae7634977b93

- Filesize: 252KB
  MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
  SHA1: ec66cda99f44b62470c6930e5afda061579cde35
  SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
  SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

- Filesize: 197KB
  MD5: 54a4ccfecce789344ff858a85839c531
  SHA1: 34da29214d2391ad2c6096be800dd6e966ec0f85
  SHA256: 16690686608f3eb33181de43f193f421414f992c6b9df1dc1694ab3ac2e684ba
  SHA512: 595611ff24cc98e360ee31af69c016e9d33a718e4bd18eaad066602d4cfa8f333f363f39096f00762216482e35b626e3512138abe09b942af9331164f175b5b1

- Filesize: 238KB
  MD5: 1544a6cccb1f1349ac8719da2fc2a7ce
  SHA1: d0bde236b797026187db30533f597f8cce66060c
  SHA256: 15cdd85c3448fbcdf7b81a01c69fabef83da2ba92467a2ee06d36a4575edc14b
  SHA512: 6c50d4733fb58ee2d469148d493ba3aa2d74d43db03f7f3c7fa2762861316f469ffaede1598c758de555f9bb077f5ada1957b57e418b9f9f5c34cf2abc826f99

- Filesize: 149KB
  MD5: 77ad5a83aa732d0486f2f0fdf8efd760
  SHA1: 641d0df7f7b476e765f1f87f1f78cd698ee90389
  SHA256: 7302b9ec016b9dd307329d6f721170ea8d9621aa65e857ac21036b2313594498
  SHA512: dd41a111ced6ca4d68b26b5624a28356fd8a638465be2a6e78e2e49d600a7f8f0936e4e569f66124e576bc0ad18ec69e3ac0d81cfb7869046610e12b85f351c2