Analysis

  • max time kernel
    149s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    13-12-2024 22:21

General

  • Target

    ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe

  • Size

    276KB

  • MD5

    ecfcbc023a38101cb72ccdb9415f0f30

  • SHA1

    44bc603abaa9645bf92bcd66bc4082857a650d02

  • SHA256

    e9dd2db83f306bea4bdec8c3b742463e8402cbf8fa97bdd1e4b29705459b327a

  • SHA512

    c2d94e6d65b66dc803692fdc9c063a3617c5442b1f936a1bb2679485115df6a6e8f9107e5b9b6a3766b28ba46f416dc32d42007961c03864b8b93ee8b8d67557

  • SSDEEP

    6144:f0mlvQ0gZfVDEy+OzSQumHIi3Vum7QckbA2Adg7JtrKit05X:tV1aNE1YSl/G900GN5f05X

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    31.170.165.18
  • Port:
    21
  • Username:
    u194291799
  • Password:
    80997171405

Signatures

  • Detect Neshta payload 5 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Neshta family
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Users\Admin\AppData\Local\Temp\rusold1.exe
      "C:\Users\Admin\AppData\Local\Temp\rusold1.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\RSBS.exe
        C:\Windows\RSBS.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2136
    • C:\Users\Admin\AppData\Local\Temp\LOIC.exe
      "C:\Users\Admin\AppData\Local\Temp\LOIC.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Users\Admin\AppData\Local\Temp\3582-490\LOIC.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\LOIC.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\RSBS.exe

    Filesize

    24KB

    MD5

    330f312046222872a7976e575c033b5d

    SHA1

    ff0f741a4d35c5653702f466f7bb62669aa2d8b8

    SHA256

    8d9e06526f7ab2418625ac62382186e3db1d0e45fa8156bdc2bb914e818f00cc

    SHA512

    c53abcfe1efab6a13a2cf577c8fa611021449a547ecffaea20e0fc374467d10cb730de760f489e3700ae5b95af14117f64b4289deac8fe613e4cae7634977b93

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

  • \Users\Admin\AppData\Local\Temp\3582-490\LOIC.exe

    Filesize

    197KB

    MD5

    54a4ccfecce789344ff858a85839c531

    SHA1

    34da29214d2391ad2c6096be800dd6e966ec0f85

    SHA256

    16690686608f3eb33181de43f193f421414f992c6b9df1dc1694ab3ac2e684ba

    SHA512

    595611ff24cc98e360ee31af69c016e9d33a718e4bd18eaad066602d4cfa8f333f363f39096f00762216482e35b626e3512138abe09b942af9331164f175b5b1

  • \Users\Admin\AppData\Local\Temp\LOIC.exe

    Filesize

    238KB

    MD5

    1544a6cccb1f1349ac8719da2fc2a7ce

    SHA1

    d0bde236b797026187db30533f597f8cce66060c

    SHA256

    15cdd85c3448fbcdf7b81a01c69fabef83da2ba92467a2ee06d36a4575edc14b

    SHA512

    6c50d4733fb58ee2d469148d493ba3aa2d74d43db03f7f3c7fa2762861316f469ffaede1598c758de555f9bb077f5ada1957b57e418b9f9f5c34cf2abc826f99

  • \Users\Admin\AppData\Local\Temp\rusold1.exe

    Filesize

    149KB

    MD5

    77ad5a83aa732d0486f2f0fdf8efd760

    SHA1

    641d0df7f7b476e765f1f87f1f78cd698ee90389

    SHA256

    7302b9ec016b9dd307329d6f721170ea8d9621aa65e857ac21036b2313594498

    SHA512

    dd41a111ced6ca4d68b26b5624a28356fd8a638465be2a6e78e2e49d600a7f8f0936e4e569f66124e576bc0ad18ec69e3ac0d81cfb7869046610e12b85f351c2

  • memory/2136-70-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/2200-38-0x0000000000290000-0x00000000002ED000-memory.dmp

    Filesize

    372KB

  • memory/2200-115-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/2380-116-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2380-118-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2380-120-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2380-122-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB