Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-12-2024 22:21

General

  • Target: ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe
  • Size: 276KB
  • MD5: ecfcbc023a38101cb72ccdb9415f0f30
  • SHA1: 44bc603abaa9645bf92bcd66bc4082857a650d02
  • SHA256: e9dd2db83f306bea4bdec8c3b742463e8402cbf8fa97bdd1e4b29705459b327a
  • SHA512: c2d94e6d65b66dc803692fdc9c063a3617c5442b1f936a1bb2679485115df6a6e8f9107e5b9b6a3766b28ba46f416dc32d42007961c03864b8b93ee8b8d67557
  • SSDEEP: 6144:f0mlvQ0gZfVDEy+OzSQumHIi3Vum7QckbA2Adg7JtrKit05X:tV1aNE1YSl/G900GN5f05X

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    31.170.165.18
  • Port:
    21
  • Username:
    u194291799
  • Password:
    80997171405

Signatures

  • Detect Neshta payload 4 IoCs
  • Neshta

    Neshta is a file infector: it writes itself into other executables so that they spread the virus when run, and it can damage the files it infects.

  • Neshta family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely to geofence execution.

  • Executes dropped EXE 4 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other profile data.

  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 61 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
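The signatures above translate directly into host-side checks. The following is an added example, not part of the sandbox output: it matches a host inventory against the dropped-file hashes and paths listed in this report, the FTP endpoint from the extracted config, and the .exe file-type association the "Modifies system executable filetype association" signature refers to. The inventory layout (a dict of files, registry values and connections) and the sample data are constructed for the example; the 3582-490 check encodes general Neshta behaviour (it stages the original host program under %TEMP%\3582-490\ before running it), which the report itself shows only as a path.

```python
"""Host-side IOC check for the sample in this report (added example; not part
of the sandbox output). The inventory format is an assumption for the example;
real data would come from an EDR export or a collection script."""
import re

# SHA-256 values copied from the report (target file and Downloads section).
KNOWN_SHA256 = {
    "e9dd2db83f306bea4bdec8c3b742463e8402cbf8fa97bdd1e4b29705459b327a":
        "ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe (submitted dropper)",
    "7302b9ec016b9dd307329d6f721170ea8d9621aa65e857ac21036b2313594498": "rusold1.exe",
    "8d9e06526f7ab2418625ac62382186e3db1d0e45fa8156bdc2bb914e818f00cc": "RSBS.exe",
    "15cdd85c3448fbcdf7b81a01c69fabef83da2ba92467a2ee06d36a4575edc14b": "LOIC.exe (238KB)",
    "16690686608f3eb33181de43f193f421414f992c6b9df1dc1694ab3ac2e684ba": "3582-490\\LOIC.exe (197KB)",
}

# Drop locations from the process tree, matched as lower-case path suffixes so
# the user profile directory does not matter.
KNOWN_PATH_SUFFIXES = (
    r"\windows\rsbs.exe",
    r"\appdata\local\temp\rusold1.exe",
    r"\appdata\local\temp\loic.exe",
    r"\appdata\local\temp\3582-490\loic.exe",
)

# Neshta writes the original host program to %TEMP%\3582-490\ and runs it from
# there (general Neshta behaviour; the report only shows the path).
NESHTA_STAGING = re.compile(r"\\3582-490\\[^\\]+\.exe$", re.IGNORECASE)

# FTP endpoint from the extracted config.
C2_FTP = ("31.170.165.18", 21)

# Windows' default handler for .exe files; any other value means the
# association was modified.
EXEFILE_KEY = r"HKLM\SOFTWARE\Classes\exefile\shell\open\command"
EXEFILE_DEFAULT = '"%1" %*'


def match_files(files):
    """Return one finding per file that matches a known hash, the staging dir or a drop path."""
    findings = []
    for f in files:
        path = f.get("path", "")
        sha = f.get("sha256", "").lower()
        if sha in KNOWN_SHA256:
            findings.append(f"hash match: {path} is {KNOWN_SHA256[sha]}")
        elif NESHTA_STAGING.search(path):
            findings.append(f"executable in Neshta staging directory: {path}")
        elif path.lower().endswith(KNOWN_PATH_SUFFIXES):
            findings.append(f"drop path match with unknown hash (inspect manually): {path}")
    return findings


def exefile_association_modified(registry):
    """True when the .exe handler is present and is anything but the Windows default."""
    value = registry.get(EXEFILE_KEY)
    return value is not None and value.strip() != EXEFILE_DEFAULT


def match_connections(connections):
    """Return findings for flows to the FTP endpoint in the extracted config."""
    return [
        f"{c['process']} -> {c['dst']}:{c['port']} (FTP endpoint from extracted config)"
        for c in connections
        if (c["dst"], c["port"]) == C2_FTP
    ]


def triage(inventory):
    """Run all checks over one host inventory and return the list of findings."""
    findings = match_files(inventory.get("files", []))
    registry = inventory.get("registry", {})
    if exefile_association_modified(registry):
        findings.append(f"exefile handler modified: {registry[EXEFILE_KEY]}")
    findings.extend(match_connections(inventory.get("connections", [])))
    return findings


# Constructed inventory for the example (not real telemetry): one hash hit,
# one drop-path hit with an unknown hash, an unknown executable in the
# staging directory, one benign file, a hijacked .exe handler and the FTP flow.
SAMPLE_INVENTORY = {
    "files": [
        {"path": r"C:\Windows\RSBS.exe",
         "sha256": "8d9e06526f7ab2418625ac62382186e3db1d0e45fa8156bdc2bb914e818f00cc"},
        {"path": r"C:\Users\Admin\AppData\Local\Temp\LOIC.exe", "sha256": "00" * 32},
        {"path": r"C:\Users\Admin\AppData\Local\Temp\3582-490\calc.exe", "sha256": "11" * 32},
        {"path": r"C:\Windows\System32\notepad.exe", "sha256": "22" * 32},
    ],
    "registry": {EXEFILE_KEY: r'C:\Windows\hijack.exe "%1" %*'},  # constructed value
    "connections": [
        {"process": "RSBS.exe", "dst": "31.170.165.18", "port": 21},
        {"process": "svchost.exe", "dst": "203.0.113.10", "port": 443},
    ],
}

if __name__ == "__main__":
    for line in triage(SAMPLE_INVENTORY):
        print(line)
```

Hash matches are authoritative; a drop-path match with a different hash is only a lead, because Neshta re-infects host files and LOIC builds vary, so the file needs manual inspection. The exefile check fires on any non-default handler, which also catches unrelated hijacks, so confirm what the handler points to before attributing it to this sample.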

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Users\Admin\AppData\Local\Temp\rusold1.exe
      "C:\Users\Admin\AppData\Local\Temp\rusold1.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4856
      • C:\Windows\RSBS.exe
        C:\Windows\RSBS.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1596
    • C:\Users\Admin\AppData\Local\Temp\LOIC.exe
      "C:\Users\Admin\AppData\Local\Temp\LOIC.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Users\Admin\AppData\Local\Temp\3582-490\LOIC.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\LOIC.exe"
        3⤵
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3980

Network

  Reverse (PTR) lookups, all sent to 8.8.8.8:53:

  • 8.8.8.8.in-addr.arpa → dns.google
  • 149.220.183.52.in-addr.arpa → (no PTR record)
  • 172.210.232.199.in-addr.arpa → (no PTR record)
  • 18.165.170.31.in-addr.arpa → srv585723.hstgr.cloud
  • 14.160.190.20.in-addr.arpa → (no PTR record)
  • 95.221.229.192.in-addr.arpa → (no PTR record)
  • 217.106.137.52.in-addr.arpa → (no PTR record)
  • 232.168.11.51.in-addr.arpa → (no PTR record)
  • 197.87.175.4.in-addr.arpa → (no PTR record)
  • 171.39.242.20.in-addr.arpa → (no PTR record)
  • 92.12.20.2.in-addr.arpa → a2-20-12-92.deploy.static.akamaitechnologies.com
  • 172.214.232.199.in-addr.arpa → (no PTR record)
  • 8.179.89.13.in-addr.arpa → (no PTR record)

  Note: 18.165.170.31.in-addr.arpa is the reverse name of 31.170.165.18, the FTP host in the extracted config; its PTR answer places the server on Hostinger (hstgr.cloud). The other reverse lookups do not correspond to anything in the extracted config and are consistent with the sandbox's own background traffic (the one other resolved name is an Akamai CDN node).

  Connections (remote address, protocol, process or query name, bytes sent / bytes received / packets sent / packets received):

  • 31.170.165.18:21  ftp  RSBS.exe  443 B / 335 B / 9 / 6
  • 8.8.8.8:53  dns  8.8.8.8.in-addr.arpa  66 B / 90 B / 1 / 1
  • 8.8.8.8:53  dns  149.220.183.52.in-addr.arpa  73 B / 147 B / 1 / 1
  • 8.8.8.8:53  dns  172.210.232.199.in-addr.arpa  74 B / 128 B / 1 / 1
  • 8.8.8.8:53  dns  18.165.170.31.in-addr.arpa  72 B / 107 B / 1 / 1
  • 8.8.8.8:53  dns  14.160.190.20.in-addr.arpa  72 B / 158 B / 1 / 1
  • 8.8.8.8:53  dns  95.221.229.192.in-addr.arpa  73 B / 144 B / 1 / 1
  • 8.8.8.8:53  dns  217.106.137.52.in-addr.arpa  73 B / 147 B / 1 / 1
  • 8.8.8.8:53  dns  232.168.11.51.in-addr.arpa  72 B / 158 B / 1 / 1
  • 8.8.8.8:53  dns  197.87.175.4.in-addr.arpa  71 B / 157 B / 1 / 1
  • 8.8.8.8:53  dns  171.39.242.20.in-addr.arpa  72 B / 158 B / 1 / 1
  • 8.8.8.8:53  dns  92.12.20.2.in-addr.arpa  69 B / 131 B / 1 / 1
  • 8.8.8.8:53  dns  172.214.232.199.in-addr.arpa  74 B / 128 B / 1 / 1
  • 8.8.8.8:53  dns  8.179.89.13.in-addr.arpa  70 B / 144 B / 1 / 1

  The only non-DNS flow is the FTP session that RSBS.exe (PID 1596) opened to the host and port from the extracted config.
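Reverse-lookup names hide the address they describe behind reversed octets, which is why the config host is easy to miss in the list above. The following is an added example, not part of the report: the PTR queries and answers are copied from the Network section, and the code turns each in-addr.arpa name back into its IPv4 address and flags the ones that also appear in the extracted config. The CONFIG_HOSTS set is filled from this report; a real pipeline would load it from the extracted configuration.

```python
"""Reverse-lookup correlation for the Network section (added example, not
part of the report)."""
import ipaddress

# PTR queries observed in the sandbox, copied from the report, with the answer
# where one was returned (empty string = no PTR record in the response).
PTR_LOOKUPS = {
    "8.8.8.8.in-addr.arpa": "dns.google",
    "149.220.183.52.in-addr.arpa": "",
    "172.210.232.199.in-addr.arpa": "",
    "18.165.170.31.in-addr.arpa": "srv585723.hstgr.cloud",
    "14.160.190.20.in-addr.arpa": "",
    "95.221.229.192.in-addr.arpa": "",
    "217.106.137.52.in-addr.arpa": "",
    "232.168.11.51.in-addr.arpa": "",
    "197.87.175.4.in-addr.arpa": "",
    "171.39.242.20.in-addr.arpa": "",
    "92.12.20.2.in-addr.arpa": "a2-20-12-92.deploy.static.akamaitechnologies.com",
    "172.214.232.199.in-addr.arpa": "",
    "8.179.89.13.in-addr.arpa": "",
}

# Hosts from the "Malware Config / Extracted" section of the report.
CONFIG_HOSTS = {"31.170.165.18"}


def ptr_name_to_ip(name):
    """'18.165.170.31.in-addr.arpa' -> '31.170.165.18'; None if not an IPv4 PTR name."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        # Octets are stored least-significant first, so reverse them back.
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:
        return None


def correlate(ptr_lookups, config_hosts):
    """Map each looked-up address to its PTR answer and whether it is a config host."""
    result = {}
    for name, answer in ptr_lookups.items():
        ip = ptr_name_to_ip(name)
        if ip is None:
            continue
        result[ip] = {"ptr": answer or None, "in_config": ip in config_hosts}
    return result


def config_hosts_seen(ptr_lookups, config_hosts):
    """Config hosts that were reverse-resolved during the run, with their PTR names."""
    return {ip: info["ptr"]
            for ip, info in correlate(ptr_lookups, config_hosts).items()
            if info["in_config"]}


if __name__ == "__main__":
    for ip, info in correlate(PTR_LOOKUPS, CONFIG_HOSTS).items():
        flag = "  <-- config host" if info["in_config"] else ""
        print(f"{ip:16} {info['ptr'] or '-'}{flag}")
```

The address form is what belongs in a blocklist or a network detection rule; the PTR name (here a Hostinger shared host) is useful for pivoting but is controlled by whoever owns the address space, so it should not be treated as a stable indicator.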

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\LOIC.exe
    Filesize: 197KB
    MD5: 54a4ccfecce789344ff858a85839c531
    SHA1: 34da29214d2391ad2c6096be800dd6e966ec0f85
    SHA256: 16690686608f3eb33181de43f193f421414f992c6b9df1dc1694ab3ac2e684ba
    SHA512: 595611ff24cc98e360ee31af69c016e9d33a718e4bd18eaad066602d4cfa8f333f363f39096f00762216482e35b626e3512138abe09b942af9331164f175b5b1

  • C:\Users\Admin\AppData\Local\Temp\LOIC.exe
    Filesize: 238KB
    MD5: 1544a6cccb1f1349ac8719da2fc2a7ce
    SHA1: d0bde236b797026187db30533f597f8cce66060c
    SHA256: 15cdd85c3448fbcdf7b81a01c69fabef83da2ba92467a2ee06d36a4575edc14b
    SHA512: 6c50d4733fb58ee2d469148d493ba3aa2d74d43db03f7f3c7fa2762861316f469ffaede1598c758de555f9bb077f5ada1957b57e418b9f9f5c34cf2abc826f99

  • C:\Users\Admin\AppData\Local\Temp\rusold1.exe
    Filesize: 149KB
    MD5: 77ad5a83aa732d0486f2f0fdf8efd760
    SHA1: 641d0df7f7b476e765f1f87f1f78cd698ee90389
    SHA256: 7302b9ec016b9dd307329d6f721170ea8d9621aa65e857ac21036b2313594498
    SHA512: dd41a111ced6ca4d68b26b5624a28356fd8a638465be2a6e78e2e49d600a7f8f0936e4e569f66124e576bc0ad18ec69e3ac0d81cfb7869046610e12b85f351c2

  • C:\Windows\RSBS.exe
    Filesize: 24KB
    MD5: 330f312046222872a7976e575c033b5d
    SHA1: ff0f741a4d35c5653702f466f7bb62669aa2d8b8
    SHA256: 8d9e06526f7ab2418625ac62382186e3db1d0e45fa8156bdc2bb914e818f00cc
    SHA512: c53abcfe1efab6a13a2cf577c8fa611021449a547ecffaea20e0fc374467d10cb730de760f489e3700ae5b95af14117f64b4289deac8fe613e4cae7634977b93

  • memory/1596-41-0x0000000000400000-0x000000000045D000-memory.dmp (372KB)
  • memory/1596-75-0x0000000000400000-0x000000000045D000-memory.dmp (372KB)
  • memory/3552-129-0x0000000000400000-0x000000000041B000-memory.dmp (108KB)
  • memory/3552-133-0x0000000000400000-0x000000000041B000-memory.dmp (108KB)
  • memory/3552-131-0x0000000000400000-0x000000000041B000-memory.dmp (108KB)
  • memory/3980-30-0x0000000074202000-0x0000000074203000-memory.dmp (4KB)
  • memory/3980-127-0x0000000074200000-0x00000000747B1000-memory.dmp (5.7MB)
  • memory/3980-126-0x0000000074202000-0x0000000074203000-memory.dmp (4KB)
  • memory/3980-32-0x0000000074200000-0x00000000747B1000-memory.dmp (5.7MB)
  • memory/3980-31-0x0000000074200000-0x00000000747B1000-memory.dmp (5.7MB)
  • memory/4856-128-0x0000000000400000-0x0000000000413000-memory.dmp (76KB)
