Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-12-2024 22:21

Static task: static1
Behavioral task: behavioral1
  Sample: ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe
  Resource: win10v2004-20241007-en

The signatures, process tree and network data below come from behavioral2, the Windows 10 run (the yara hits reference behavioral2/ and the platform is windows10-2004_x64).
General

Target: ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe
Size: 276KB
MD5: ecfcbc023a38101cb72ccdb9415f0f30
SHA1: 44bc603abaa9645bf92bcd66bc4082857a650d02
SHA256: e9dd2db83f306bea4bdec8c3b742463e8402cbf8fa97bdd1e4b29705459b327a
SHA512: c2d94e6d65b66dc803692fdc9c063a3617c5442b1f936a1bb2679485115df6a6e8f9107e5b9b6a3766b28ba46f416dc32d42007961c03864b8b93ee8b8d67557
SSDEEP: 6144:f0mlvQ0gZfVDEy+OzSQumHIi3Vum7QckbA2Adg7JtrKit05X:tV1aNE1YSl/G900GN5f05X
Malware Config

Extracted
Protocol: ftp
Host: 31.170.165.18
Port: 21
Username: u194291799
Password: 80997171405

These are plain FTP credentials on port 21, so unless the client negotiates TLS the login and any upload cross the network in clear text. The same address appears in the Network section as a reverse lookup (18.165.170.31.in-addr.arpa, answered with srv585723.hstgr.cloud); no FTP flow to it is recorded in this report.
Signatures

Detect Neshta payload (4 IoCs)
resource | yara_rule
behavioral2/files/0x0008000000023cb2-13.dat | family_neshta
behavioral2/memory/3552-129-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3552-131-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3552-133-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
PID 3552 is the first LOIC.exe (the copy dropped to Temp), so the Neshta rule matches both the dropped file and that process's image in memory. The second LOIC.exe (PID 3980, under Temp\3582-490) does not hit the rule.
Neshta
Neshta is a file-infecting virus: it writes its own body into other executables on the host so that every infected program carries and spreads the virus when it is run. In this report the infected LOIC.exe opens dozens of executables under Program Files for modification, plants C:\Windows\svchost.com and registers it as the handler for all .exe launches (see "Modifies system executable filetype association" below), so the virus runs again on every program start even after the original sample is deleted.
Neshta family
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | LOIC.exe
Executes dropped EXE (4 IoCs)
pid | Process
4856 | rusold1.exe
3552 | LOIC.exe
3980 | LOIC.exe
1596 | RSBS.exe
Modifies system executable filetype association (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | LOIC.exe
The value is shown escaped; the registry now holds C:\Windows\svchost.com "%1" %* in place of the stock "%1" %*, so every .exe launched through the shell starts svchost.com first with the intended program as its argument. Restoring the default value removes the hook but not the virus body in executables that were already infected.
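As an added example (not part of this report or of any tool it names), the following Python script checks a Windows host for the two persistence indicators this report shows Neshta leaving: the exefile\shell\open\command hook pointing at C:\Windows\svchost.com and the files it writes under C:\Windows. The decision logic is platform-independent so it can be exercised offline with the values recorded above; the winreg-backed functions are Windows-only and assume an elevated prompt. The function names, and the use of C:\Windows\assembly\Desktop.ini as a secondary indicator, are my choices.

```python
"""Host check for the Neshta indicators listed in this report.

Added example, not part of the sandbox report or of any tool it names.
The decision logic is pure Python so it can run anywhere; only
collect_live_indicators() and restore_exefile_handler() touch a real
Windows registry and need an elevated shell.
"""
import os
import re
import sys

# Default handler for .exe launches on a clean Windows install.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Files the report shows the infected LOIC.exe creating or modifying.
NESHTA_FILE_INDICATORS = (
    r"C:\Windows\svchost.com",
    r"C:\Windows\assembly\Desktop.ini",
)

EXEFILE_KEY = r"SOFTWARE\Classes\exefile\shell\open\command"


def exefile_command_is_hijacked(command: str) -> bool:
    """True when the exefile open command is anything but the stock "%1" %*."""
    return command.strip() != CLEAN_EXEFILE_COMMAND


def hijack_target(command: str):
    """Return the program inserted ahead of "%1" (for Neshta: svchost.com under
    the Windows directory), or None when the command is the clean default."""
    m = re.match(r'\s*"?([^"]+?)"?\s+"%1"\s*%\*\s*$', command)
    return m.group(1) if m else None


def assess(exefile_command: str, existing_files) -> dict:
    """Combine the registry value and the on-disk indicators into one verdict."""
    existing = {p.lower() for p in existing_files}
    findings = []
    if exefile_command_is_hijacked(exefile_command):
        findings.append(
            f"exefile handler is {exefile_command!r}, expected {CLEAN_EXEFILE_COMMAND!r}"
        )
    for path in NESHTA_FILE_INDICATORS:
        if path.lower() in existing:
            findings.append(f"indicator file present: {path}")
    return {
        "infected": bool(findings),
        "handler": hijack_target(exefile_command),
        "findings": findings,
    }


def collect_live_indicators() -> dict:
    """Windows only: read the HKLM exefile handler and test for the indicator files."""
    import winreg  # stdlib on Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXEFILE_KEY) as key:
        command, _ = winreg.QueryValueEx(key, "")
    present = [p for p in NESHTA_FILE_INDICATORS if os.path.exists(p)]
    return assess(command, present)


def restore_exefile_handler() -> None:
    """Windows only, run elevated: put the stock handler back so .exe launches
    no longer pass through svchost.com. This does NOT disinfect the executables
    Neshta already modified; those must be cleaned or reinstalled separately."""
    import winreg
    with winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE, EXEFILE_KEY, 0, winreg.KEY_SET_VALUE
    ) as key:
        winreg.SetValueEx(key, "", 0, winreg.REG_SZ, CLEAN_EXEFILE_COMMAND)


if __name__ == "__main__":
    if sys.platform != "win32":
        # Offline demonstration using the value and file this report recorded.
        result = assess(r'C:\Windows\svchost.com "%1" %*', [r"C:\Windows\svchost.com"])
    else:
        result = collect_live_indicators()
    print("INFECTED" if result["infected"] else "clean")
    for line in result["findings"]:
        print(" -", line)
```

Run it unprivileged first to read the verdict; call restore_exefile_handler() only from an elevated session, and only after the infected binaries under Program Files have been dealt with, since any of them would reinstall the hook the next time it runs.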
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoC rows are listed for this signature in the report.
Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File created | C:\Windows\assembly\Desktop.ini | LOIC.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | LOIC.exe
Drops file in Program Files directory (64 IoCs)
Every entry is "File opened for modification" by LOIC.exe (PID 3552, the Neshta-infected copy). Paths are in 8.3 short form; on a default install C:\PROGRA~2 is C:\Program Files (x86) and C:\PROGRA~3 is C:\ProgramData. Each is an executable the infector opened for write, i.e. a candidate host for the virus body. The report records the open, not whether the file changed, so a response should hash-check or reinstall all of these binaries.
ioc
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
C:\PROGRA~2\WINDOW~2\wab.exe
C:\PROGRA~2\WINDOW~2\wabmig.exe
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
C:\PROGRA~2\WINDOW~4\wmpconfig.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\WINDOW~4\wmpshare.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE
C:\PROGRA~2\WINDOW~4\wmlaunch.exe
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE
C:\PROGRA~2\INTERN~1\ExtExport.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
C:\PROGRA~2\WINDOW~4\wmplayer.exe
C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\WINDOW~4\wmprph.exe
C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\svchost.com | LOIC.exe
File opened for modification | C:\Windows\assembly | LOIC.exe
File created | C:\Windows\assembly\Desktop.ini | LOIC.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | LOIC.exe
File opened for modification | C:\Windows\RSBS.exe | rusold1.exe
File opened for modification | C:\Windows\ufr_reports | RSBS.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LOIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LOIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RSBS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rusold1.exe
Modifies registry class (1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | LOIC.exe
(This is the same write reported under "Modifies system executable filetype association".)
Suspicious use of AdjustPrivilegeToken (61 IoCs)
All 61 entries belong to PID 3980 (LOIC.exe, the copy under Temp\3582-490):
description | pid | Process
Token: SeDebugPrivilege | 3980 | LOIC.exe (1 entry)
Token: 33 | 3980 | LOIC.exe (30 entries)
Token: SeIncBasePriorityPrivilege | 3980 | LOIC.exe (30 entries)
The report lists the last two alternating, 33 then SeIncBasePriorityPrivilege, thirty times. "33" is a privilege the sandbox did not resolve to a name; LUID 33 is SeIncreaseWorkingSetPrivilege. SeDebugPrivilege is the one worth attention, since it is what a process needs to open other processes for injection or memory reading.
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4888 wrote to memory of 4856 | 4888 | ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe | 83 (3 entries)
PID 4888 wrote to memory of 3552 | 4888 | ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe | 84 (3 entries)
PID 3552 wrote to memory of 3980 | 3552 | LOIC.exe | 85 (3 entries)
PID 4856 wrote to memory of 1596 | 4856 | rusold1.exe | 86 (3 entries)
procid_target is the sandbox's internal index for the target process. Every write here goes from a parent to the child it is starting (compare the process tree below), which is the pattern of ordinary process creation being logged as memory writes, not of injection into an unrelated process.
Processes

Process tree (indentation shows parent/child; the bracketed number is the depth the page marks with ⤵):

[1] C:\Users\Admin\AppData\Local\Temp\ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe  PID 4888
    command line: "C:\Users\Admin\AppData\Local\Temp\ecfcbc023a38101cb72ccdb9415f0f30_JaffaCakes118.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\rusold1.exe  PID 4856
      command line: "C:\Users\Admin\AppData\Local\Temp\rusold1.exe"
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\RSBS.exe  PID 1596
        command line: C:\Windows\RSBS.exe
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

  [2] C:\Users\Admin\AppData\Local\Temp\LOIC.exe  PID 3552
      command line: "C:\Users\Admin\AppData\Local\Temp\LOIC.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\3582-490\LOIC.exe  PID 3980
        command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\LOIC.exe"
        - Executes dropped EXE
        - Drops desktop.ini file(s)
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

Reading of the tree: the sample is a dropper that starts two chains. rusold1.exe writes and runs C:\Windows\RSBS.exe, which in turn touches C:\Windows\ufr_reports. LOIC.exe is the Neshta-infected binary (the yara hits are on PID 3552): the virus body runs first, opens executables under Program Files for modification, installs C:\Windows\svchost.com and the exefile hook, then writes out and launches the original host program as Temp\3582-490\LOIC.exe (PID 3980); the 3582-490 folder is Neshta's usual drop location for the cleaned host program. Which component uses the extracted FTP credentials is not shown in the report.
Network

The network section records DNS only, all to 8.8.8.8:53, and every query is a reverse (PTR) lookup. "Reversed IP" is the address each PTR name encodes. The size columns are the per-flow figures listed on the page: bytes sent, bytes received, packets sent/received. 18.165.170.31.in-addr.arpa is the FTP host from the extracted config, answered with srv585723.hstgr.cloud; no FTP session to 31.170.165.18 appears in the recorded flows.

PTR query                      Reversed IP       Response                                            Sent   Recv    Pkts
8.8.8.8.in-addr.arpa           8.8.8.8           dns.google                                          66 B   90 B    1/1
149.220.183.52.in-addr.arpa    52.183.220.149    (no PTR record)                                     73 B   147 B   1/1
172.210.232.199.in-addr.arpa   199.232.210.172   (no PTR record)                                     74 B   128 B   1/1
18.165.170.31.in-addr.arpa     31.170.165.18     srv585723.hstgr.cloud                               72 B   107 B   1/1
14.160.190.20.in-addr.arpa     20.190.160.14     (no PTR record)                                     72 B   158 B   1/1
95.221.229.192.in-addr.arpa    192.229.221.95    (no PTR record)                                     73 B   144 B   1/1
217.106.137.52.in-addr.arpa    52.137.106.217    (no PTR record)                                     73 B   147 B   1/1
232.168.11.51.in-addr.arpa     51.11.168.232     (no PTR record)                                     72 B   158 B   1/1
197.87.175.4.in-addr.arpa      4.175.87.197      (no PTR record)                                     71 B   157 B   1/1
171.39.242.20.in-addr.arpa     20.242.39.171     (no PTR record)                                     72 B   158 B   1/1
92.12.20.2.in-addr.arpa        2.20.12.92        a2-20-12-92.deploy.static.akamaitechnologies.com    69 B   131 B   1/1
172.214.232.199.in-addr.arpa   199.232.214.172   (no PTR record)                                     74 B   128 B   1/1
8.179.89.13.in-addr.arpa       13.89.179.8       (no PTR record)                                     70 B   144 B   1/1
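Added example (not from the report): a small script that turns the in-addr.arpa names above back into addresses and flags the one that matches the extracted FTP host, which is the check a responder does by eye when a C2 address is known. The query/answer list is copied from this page and embedded as a literal so the script runs offline; the ip6.arpa branch and the tag names go beyond what the report contains and are my additions.

```python
"""Reverse-DNS correlation for the PTR queries in this report.

Added example, not part of the report. The query list and extracted
config below are copied from the page; the classification tags are mine.
ip6.arpa names are handled as well, although this report has none.
"""
import ipaddress

# Extracted config from the report.
EXTRACTED_CONFIG = {"protocol": "ftp", "host": "31.170.165.18", "port": 21}

# (PTR query, answer) pairs from the report; "" means no PTR record came back.
PTR_QUERIES = [
    ("8.8.8.8.in-addr.arpa", "dns.google"),
    ("149.220.183.52.in-addr.arpa", ""),
    ("172.210.232.199.in-addr.arpa", ""),
    ("18.165.170.31.in-addr.arpa", "srv585723.hstgr.cloud"),
    ("14.160.190.20.in-addr.arpa", ""),
    ("95.221.229.192.in-addr.arpa", ""),
    ("217.106.137.52.in-addr.arpa", ""),
    ("232.168.11.51.in-addr.arpa", ""),
    ("197.87.175.4.in-addr.arpa", ""),
    ("171.39.242.20.in-addr.arpa", ""),
    ("92.12.20.2.in-addr.arpa", "a2-20-12-92.deploy.static.akamaitechnologies.com"),
    ("172.214.232.199.in-addr.arpa", ""),
    ("8.179.89.13.in-addr.arpa", ""),
]

RESOLVER = "8.8.8.8"


def ptr_name_to_ip(name: str) -> str:
    """Turn a reverse-lookup name back into the address it was derived from."""
    label = name.strip().rstrip(".").lower()
    if label.endswith(".in-addr.arpa"):
        octets = label[: -len(".in-addr.arpa")].split(".")
        if len(octets) != 4:
            raise ValueError(f"not a full IPv4 PTR name: {name}")
        # in-addr.arpa lists the octets least significant first.
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if label.endswith(".ip6.arpa"):
        nibbles = label[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError(f"not a full IPv6 PTR name: {name}")
        # ip6.arpa lists all 32 hex nibbles, least significant first.
        hexdigits = "".join(reversed(nibbles))
        groups = [hexdigits[i : i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError(f"not a PTR name: {name}")


def classify(ip: str, config: dict) -> str:
    """Tag an address relative to the extracted config (tag names are mine)."""
    if ip == config["host"]:
        return "c2-host"
    if ip == RESOLVER:
        return "resolver"
    if ipaddress.ip_address(ip).is_private:
        return "private"
    return "other"


def correlate(queries, config):
    """Return (query, ip, answer, tag) rows for every PTR lookup."""
    rows = []
    for query, answer in queries:
        ip = ptr_name_to_ip(query)
        rows.append((query, ip, answer, classify(ip, config)))
    return rows


def c2_hits(queries, config):
    """Rows whose reversed address equals the extracted C2 host."""
    return [row for row in correlate(queries, config) if row[3] == "c2-host"]


if __name__ == "__main__":
    for query, ip, answer, tag in correlate(PTR_QUERIES, EXTRACTED_CONFIG):
        print(f"{ip:>16}  {tag:<9} {answer or '-'}")
```

For this report the only c2-host row is 18.165.170.31.in-addr.arpa; the other unanswered lookups are left tagged "other" rather than attributed, since the page gives no PTR answer for them.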
MITRE ATT&CK Enterprise v15
Downloads

The Downloads list has four entries, given as hashes only. The report does not name them, so they are not mapped here to rusold1.exe, LOIC.exe, RSBS.exe or Temp\3582-490\LOIC.exe.

File 1
Filesize: 197KB
MD5: 54a4ccfecce789344ff858a85839c531
SHA1: 34da29214d2391ad2c6096be800dd6e966ec0f85
SHA256: 16690686608f3eb33181de43f193f421414f992c6b9df1dc1694ab3ac2e684ba
SHA512: 595611ff24cc98e360ee31af69c016e9d33a718e4bd18eaad066602d4cfa8f333f363f39096f00762216482e35b626e3512138abe09b942af9331164f175b5b1

File 2
Filesize: 238KB
MD5: 1544a6cccb1f1349ac8719da2fc2a7ce
SHA1: d0bde236b797026187db30533f597f8cce66060c
SHA256: 15cdd85c3448fbcdf7b81a01c69fabef83da2ba92467a2ee06d36a4575edc14b
SHA512: 6c50d4733fb58ee2d469148d493ba3aa2d74d43db03f7f3c7fa2762861316f469ffaede1598c758de555f9bb077f5ada1957b57e418b9f9f5c34cf2abc826f99

File 3
Filesize: 149KB
MD5: 77ad5a83aa732d0486f2f0fdf8efd760
SHA1: 641d0df7f7b476e765f1f87f1f78cd698ee90389
SHA256: 7302b9ec016b9dd307329d6f721170ea8d9621aa65e857ac21036b2313594498
SHA512: dd41a111ced6ca4d68b26b5624a28356fd8a638465be2a6e78e2e49d600a7f8f0936e4e569f66124e576bc0ad18ec69e3ac0d81cfb7869046610e12b85f351c2

File 4
Filesize: 24KB
MD5: 330f312046222872a7976e575c033b5d
SHA1: ff0f741a4d35c5653702f466f7bb62669aa2d8b8
SHA256: 8d9e06526f7ab2418625ac62382186e3db1d0e45fa8156bdc2bb914e818f00cc
SHA512: c53abcfe1efab6a13a2cf577c8fa611021449a547ecffaea20e0fc374467d10cb730de760f489e3700ae5b95af14117f64b4289deac8fe613e4cae7634977b93