Analysis Overview
SHA256
84f6033d1f4767dc4544e773f06e71c4fa1d2de857092c2fa143ad19ec2cab91
Threat Level: Known bad
The file 60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Neshta / Neshta family / Detect Neshta payload: the submitted file carries the Neshta file infector. Neshta is an old Windows prepending virus: it places its own body ahead of the host executable, installs a copy of itself as C:\Windows\svchost.com and hijacks the .exe file association so that every executable launched on the machine passes through the infector first. When run, it writes the original host out to %TEMP%\3582-490\ and starts it from there, which is why the same file name appears twice in the process lists below.
Modifies system executable filetype association (HKLM\SOFTWARE\Classes\exefile\shell\open\command set to C:\Windows\svchost.com "%1" %*; the clean Windows value is "%1" %*)
Checks computer location settings
Loads dropped DLL
Executes dropped EXE (the extracted host under %TEMP%\3582-490\)
Reads user/profile data of web browsers
Drops file in Program Files directory (existing executables under Program Files and MSOCache are rewritten, consistent with Neshta infecting host .exe files it finds)
Drops file in Windows directory (C:\Windows\svchost.com; note the .com extension, a lookalike for the legitimate C:\Windows\System32\svchost.exe)
Enumerates physical storage devices
Unsigned PE
NSIS installer (the embedded host is an NSIS installer; the ns*.tmp plugin directories and UAC.dll, LangDLL.dll and InstallOptions.dll listed under Files are standard NSIS plugin drops, not part of the infector)
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class (same exefile\shell\open\command write as above)
Suspicious use of WriteProcessMemory (the submitted sample writes into the memory of the re-launched host, see behavioral2)
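The check a responder wants after reading the association hijack above is a way to tell a clean exefile\shell\open\command value from a hijacked one, and to feed the indicator in exactly as this report prints it. The following is an added example written for this page (editor's code, not from the sandbox vendor or from the sample); the only inputs it uses are the clean Windows default, the indicator string from this report, and a constructed wrapper path for the general case.

```python
"""Classify the HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command value.

Added example (editor's code, not part of the sandbox report). Given the
string that a registry export, a sandbox log or `reg query` shows for the
.exe shell-open command, it reports whether another program has been
inserted in front of "%1", which is how Neshta makes itself run on every
executable launch. It also undoes the C-style quoting this report applies
to string values, so the indicator text can be fed in as printed.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# What Windows ships with: run the launched file itself, pass its arguments on.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# The indicator exactly as the report renders it (C-escaped, with outer quotes).
REPORT_VALUE = r'"C:\\Windows\\svchost.com \"%1\" %*"'


@dataclass(frozen=True)
class ExefileVerdict:
    hijacked: bool
    interposed_program: Optional[str]   # program placed ahead of "%1", if any
    raw: str                            # the command string that was examined


def unescape_report_value(rendered: str) -> str:
    """Undo the report's C-style quoting of string values: strip the outer
    quotes, then turn an escaped backslash or quote into the literal char."""
    if len(rendered) >= 2 and rendered[0] == rendered[-1] == '"':
        rendered = rendered[1:-1]
    out: List[str] = []
    i = 0
    while i < len(rendered):
        if rendered[i] == "\\" and i + 1 < len(rendered) and rendered[i + 1] in '\\"':
            out.append(rendered[i + 1])
            i += 2
        else:
            out.append(rendered[i])
            i += 1
    return "".join(out)


def split_windows_command(command: str) -> List[str]:
    """Split a shell-open command into arguments the way the shell would:
    whitespace-separated, double quotes group a path containing spaces,
    backslashes are literal (shlex non-POSIX mode)."""
    lexer = shlex.shlex(command, posix=False)
    lexer.whitespace_split = True
    lexer.commenters = ""          # '#' is legal in a Windows path
    return [tok.strip('"') for tok in lexer]


def classify_exefile_command(command: str) -> ExefileVerdict:
    """Hijacked means something other than the launched file ("%1") is the
    first thing executed, or "%1" is missing altogether."""
    tokens = split_windows_command(command)
    if "%1" not in tokens:
        return ExefileVerdict(True, tokens[0] if tokens else None, command)
    ahead_of_target = tokens[: tokens.index("%1")]
    if not ahead_of_target:
        return ExefileVerdict(False, None, command)
    return ExefileVerdict(True, ahead_of_target[0], command)


if __name__ == "__main__":
    for value in (unescape_report_value(REPORT_VALUE), CLEAN_EXEFILE_COMMAND):
        verdict = classify_exefile_command(value)
        state = "HIJACKED by " + str(verdict.interposed_program) if verdict.hijacked else "clean"
        print(f"{value!r}: {state}")
    print("Restore with:", CLEAN_EXEFILE_COMMAND)
```

Restoring the value alone is not enough: the interposed program (here C:\Windows\svchost.com) must be removed as well, and any executable Neshta has already rewritten still carries the infector and will set the key again when launched.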
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-21 13:15
Signatures
Detect Neshta payload (no indicator details recorded)
Neshta family
Unsigned PE (no indicator details recorded)
NSIS installer (no indicator details recorded)
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-21 13:15
Reported
2024-07-21 13:18
Platform
win7-20240704-en
Max time kernel
101s
Max time network
19s
Command Line
Signatures
Detect Neshta payload (no indicator details recorded)
Neshta
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe | N/A |
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
NSIS installer (no indicator details recorded)
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe (the submitted sample: Neshta stub with the host appended)
"C:\Users\Admin\AppData\Local\Temp\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe (the host executable extracted by the stub and started from Neshta's 3582-490 directory; its hashes under Files differ from the submitted file)
"C:\Users\Admin\AppData\Local\Temp\3582-490\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe"
Network (no entries recorded for this run)
Files
\Users\Admin\AppData\Local\Temp\3582-490\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe
| MD5 | 864074e34e989000d73d51ae4bf40e7b |
| SHA1 | a4e59bffe86ba5216349fec162c872fef3775427 |
| SHA256 | 089a57c66ca916390731098d4a78518cc7b8bac54462c5bc330dd477932666d0 |
| SHA512 | 2d01d3465bf11a7eb96da466463bf0c45bb6c624831895d94f207e782e17316f7798d60cb549d541ebae932372942d05bd0e9f5af9142f13a81bd72b1f72df1b |
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe (pre-existing executable on the sandbox image, rewritten during the run; consistent with Neshta infecting host .exe files)
| MD5 | cf6c595d3e5e9667667af096762fd9c4 |
| SHA1 | 9bb44da8d7f6457099cb56e4f7d1026963dce7ce |
| SHA256 | 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d |
| SHA512 | ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80 |
\Users\Admin\AppData\Local\Temp\nsj4AE6.tmp\UAC.dll
| MD5 | 88ad3fd90fc52ac3ee0441a38400a384 |
| SHA1 | 08bc9e1f5951b54126b5c3c769e3eaed42f3d10b |
| SHA256 | e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42 |
| SHA512 | 359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb |
\Users\Admin\AppData\Local\Temp\nsj4AE6.tmp\LangDLL.dll
| MD5 | 9384f4007c492d4fa040924f31c00166 |
| SHA1 | aba37faef30d7c445584c688a0b5638f5db31c7b |
| SHA256 | 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5 |
| SHA512 | 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf |
C:\Users\Admin\AppData\Local\Temp\nsj4AE6.tmp\post-install.ini
| MD5 | 5cbd975eff0d3763f634263f9cda0755 |
| SHA1 | d1f8e9500d796f34e45c68689d6813c949387ae7 |
| SHA256 | 6855949dd366fb0432686963d90e2db363d2cab0697217984d8e4d60331bb022 |
| SHA512 | c6d4e490ee8840d54f9665e404068119b3b97b160c8d99781f23c93fba1a872647bbdc47c9697fc6a70c6b6de9e178daf43ccff63e74b62e5963691ee4a56b84 |
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE (pre-existing executable on the sandbox image, rewritten during the run; consistent with Neshta infecting host .exe files)
| MD5 | 9e2b9928c89a9d0da1d3e8f4bd96afa7 |
| SHA1 | ec66cda99f44b62470c6930e5afda061579cde35 |
| SHA256 | 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043 |
| SHA512 | 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156 |
C:\Users\Admin\AppData\Local\Temp\nsj4AE6.tmp\ioSpecial.ini
| MD5 | f93dc1f3e8fcd7442f989c1d707cdcd6 |
| SHA1 | 47811741370d97127c2a1a2b37a46ca8000a443f |
| SHA256 | c85f8841459970ba335d87ae9ff42a6d924e10d08b92767084610a3b4396fe8b |
| SHA512 | 8f0776202afb1c42ce91a434eedd0004dd19280270546ad8d0bd86f0182543447c6671ebd6d35e82fe8d481e9a966c7b60e776deca80eccd6c67234945d26690 |
\Users\Admin\AppData\Local\Temp\nsj4AE6.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
C:\Users\Admin\AppData\Local\Temp\nsj4AE6.tmp\ioSpecial.ini
| MD5 | be9ff76c47e07e6473b38340c8775404 |
| SHA1 | d35d49022ec8398f99c54344a84262a217641baa |
| SHA256 | 7d5dbe5332fc3518fe071e722e2ea548268c4ea66b219c12543896c9450db833 |
| SHA512 | 99fcc9b749ed584df41ddf5efa19ac39825463b21f192519847481e553b3755b19c256544fd881ead2f10b7eacc1f7003f964a44eb131f19acc95ee7417cbc19 |
Memory dumps (PID 2164, image range 0x400000-0x41B000, five snapshots):
memory/2164-175-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2164-176-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2164-177-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2164-178-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2164-180-0x0000000000400000-0x000000000041B000-memory.dmp
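The Files list above shows the pattern that makes Neshta recoverable: the copy under 3582-490 has different hashes from the submitted file because the stub keeps the original host appended behind its own body and writes it back out at run time. The same layout can be found statically by parsing the outer PE, computing where its last section ends, and looking for a second well-formed PE header in the overlay. The following is an added example for this page (editor's code, not the sandbox's or the malware author's); the stub and host it works on are synthetic minimal PEs constructed in the block, not the files from this report, and it does not assume any fixed stub size.

```python
"""Locate and carve a PE image appended behind another PE (Neshta layout).

Added example (editor's code, not part of the sandbox report). Neshta is a
prepending infector: its own body comes first and the original host
executable is kept behind it; at run time the host is written to
%TEMP%\\3582-490\\ and launched, which is the second process in this report.
The same layout can be recognised statically: parse the outer PE, compute
where its last section ends, and look for a second well-formed PE header in
the overlay. The stub and host built here are synthetic minimal PEs (not
runnable, and not the files from this report); real Neshta stubs are larger
and the host offset is not assumed to be fixed.
"""
import struct
from typing import Optional

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40


def pe_image_end(data: bytes, base: int = 0) -> Optional[int]:
    """Absolute file offset just past the last section's raw data of the PE
    that starts at `base`, or None if no well-formed PE header is there."""
    if data[base:base + 2] != IMAGE_DOS_SIGNATURE or len(data) < base + 0x40:
        return None
    e_lfanew, = struct.unpack_from("<I", data, base + 0x3C)
    nt = base + e_lfanew
    if nt + 24 > len(data) or data[nt:nt + 4] != IMAGE_NT_SIGNATURE:
        return None
    num_sections, = struct.unpack_from("<H", data, nt + 6)
    opt_size, = struct.unpack_from("<H", data, nt + 20)
    sect = nt + 24 + opt_size                     # first section header
    end = sect + num_sections * SECTION_HEADER_SIZE
    if end > len(data):
        return None
    for i in range(num_sections):
        off = sect + i * SECTION_HEADER_SIZE
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, base + raw_ptr + raw_size)  # PointerToRawData is PE-relative
    return end


def find_appended_pe(data: bytes) -> Optional[int]:
    """Offset of the first well-formed PE header inside the outer image's
    overlay, or None. Stray "MZ" bytes in the overlay are rejected because
    their e_lfanew does not lead to a PE signature."""
    overlay_start = pe_image_end(data)
    if overlay_start is None:
        return None
    pos = data.find(IMAGE_DOS_SIGNATURE, overlay_start)
    while pos != -1:
        if pe_image_end(data, pos) is not None:
            return pos
        pos = data.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return None


def carve_host(data: bytes) -> Optional[bytes]:
    """The appended host executable, i.e. what the infector would drop under
    %TEMP%\\3582-490\\, or None when nothing is appended."""
    offset = find_appended_pe(data)
    return None if offset is None else data[offset:]


def build_minimal_pe(payload: bytes, name: bytes = b".text") -> bytes:
    """Synthetic single-section PE used as test data: DOS header, PE
    signature, COFF header without optional header, one section header,
    then the section's raw bytes. Enough structure for the parser above."""
    e_lfanew = 0x40
    dos = IMAGE_DOS_SIGNATURE + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + 4 + 20 + SECTION_HEADER_SIZE
    section = name.ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + IMAGE_NT_SIGNATURE + coff + section + payload


# Constructed sample: infector stub, a decoy "MZ" in the overlay, then the host.
STUB = build_minimal_pe(b"infector stub code " * 4, b"CODE")
HOST = build_minimal_pe(b"original host program", b".text")
INFECTED = STUB + b"MZ-not-a-header" + HOST

if __name__ == "__main__":
    offset = find_appended_pe(INFECTED)
    print(f"outer image ends at {pe_image_end(INFECTED)}, host found at {offset}")
    print("carved host identical to original:", carve_host(INFECTED) == HOST)
```

Run against a real infected file the carved bytes should hash to the clean host; for this sample that would be the 3582-490 copy's SHA256 089a57c6... rather than the submitted file's 84f6033d.... A file whose overlay holds no second PE (a plain NSIS installer, for instance, stores its archive in the overlay but not a PE) returns None, so the check does not fire on ordinary self-extracting installers.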
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-21 13:15
Reported
2024-07-21 13:18
Platform
win10v2004-20240709-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Detect Neshta payload (no indicator details recorded)
Neshta
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
NSIS installer (no indicator details recorded)
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 860 wrote to memory of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe |
| PID 860 wrote to memory of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe |
| PID 860 wrote to memory of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe (PID 860, the submitted sample: Neshta stub with the host appended)
"C:\Users\Admin\AppData\Local\Temp\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe (PID 4740, the host executable extracted by the stub and started from Neshta's 3582-490 directory; PID 860 writes into its memory, see WriteProcessMemory above)
"C:\Users\Admin\AppData\Local\Temp\3582-490\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe"
Network (every entry is a reverse-DNS lookup sent to 8.8.8.8 or TLS to tse1.mm.bing.net; this is consistent with Windows 10 background activity on the sandbox image rather than traffic initiated by the sample, and Neshta needs no network connection to spread locally)
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\3582-490\60a40a0cc0f20c02c58dfdb2fa636d77_JaffaCakes118.exe
| MD5 | 864074e34e989000d73d51ae4bf40e7b |
| SHA1 | a4e59bffe86ba5216349fec162c872fef3775427 |
| SHA256 | 089a57c66ca916390731098d4a78518cc7b8bac54462c5bc330dd477932666d0 |
| SHA512 | 2d01d3465bf11a7eb96da466463bf0c45bb6c624831895d94f207e782e17316f7798d60cb549d541ebae932372942d05bd0e9f5af9142f13a81bd72b1f72df1b |
C:\Users\Admin\AppData\Local\Temp\nse46B9.tmp\UAC.dll
| MD5 | 88ad3fd90fc52ac3ee0441a38400a384 |
| SHA1 | 08bc9e1f5951b54126b5c3c769e3eaed42f3d10b |
| SHA256 | e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42 |
| SHA512 | 359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb |
C:\Users\Admin\AppData\Local\Temp\nse46B9.tmp\LangDLL.dll
| MD5 | 9384f4007c492d4fa040924f31c00166 |
| SHA1 | aba37faef30d7c445584c688a0b5638f5db31c7b |
| SHA256 | 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5 |
| SHA512 | 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE (pre-existing executable on the sandbox image, rewritten during the run; consistent with Neshta infecting host .exe files)
| MD5 | 3b73078a714bf61d1c19ebc3afc0e454 |
| SHA1 | 9abeabd74613a2f533e2244c9ee6f967188e4e7e |
| SHA256 | ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29 |
| SHA512 | 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4 |
C:\Users\Admin\AppData\Local\Temp\nse46B9.tmp\ioSpecial.ini
| MD5 | 547b683bd1ece921ce6aa9e41d8aa4cd |
| SHA1 | 92bb3a33283f0c6063f3c8a78d35e2848397595e |
| SHA256 | 57d1a14517d91ae305e230866962d4b23cd4b8c2e96f739228778b38a848131c |
| SHA512 | 9d1c3dfcfc9beac2a5c09e3280fc917903513e276cfecb5377937905e614af0f30acc50d17b1383bec1136046f36992e557b7ec3794bc3216240f0ab2a36ebdb |
C:\Users\Admin\AppData\Local\Temp\nse46B9.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
C:\Users\Admin\AppData\Local\Temp\nse46B9.tmp\ioSpecial.ini
| MD5 | 3fc0f7753d98abe71c157debd2e58c4c |
| SHA1 | 52c30bc218c4b610b3d91c91763b3b3cd295dca6 |
| SHA256 | 9613dad005c9a45eaaeaede8bc30ca63be308eda2e3ae02314508db50b2aee8a |
| SHA512 | ee78fc3c8f2138ea27d73349f2ea521a3b50936df2ab0437809c777b010134af20cc8490ae557dfdefd169d3e267ff4ccedc91739dd3f4dcdb9dd1b31d61b2cd |
Memory dumps (PID 860, the submitted sample; image range 0x400000-0x41B000, four snapshots):
memory/860-187-0x0000000000400000-0x000000000041B000-memory.dmp
memory/860-188-0x0000000000400000-0x000000000041B000-memory.dmp
memory/860-189-0x0000000000400000-0x000000000041B000-memory.dmp
memory/860-191-0x0000000000400000-0x000000000041B000-memory.dmp