Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
22-07-2024 23:37
Static task
static1
Behavioral task
behavioral1
Sample
654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe
Resource
win10v2004-20240704-en
General
-
Target
654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe
-
Size
3.4MB
-
MD5
654499039bf1ff42517df80838fe99ab
-
SHA1
118944e70f2eba872846012c0324a0123d770ad8
-
SHA256
929942325fc37a4effef061a7533af2696012025f59fda842805dd1b57b89fe5
-
SHA512
c4e9a1704af43c1b235c03312e3b1f989a370306c301fdba85aaa299ad50b1ba7cfc9318ae0d40ff64f0ee0272d46764d67a0de442bd2c8ebcff027480a9bb11
-
SSDEEP
49152:K1nOg6TICIjf5NppOZBv3CMVGwBlxaOfJd7h/eyDPngBy8I7YlWq4c4RveLAaSc/:inaof9s1Iw7VJ9h/J7nai+vGR2Lqcse
Malware Config
Signatures
-
Detect Neshta payload 8 IoCs
Processes:
resource yara_rule behavioral2/memory/3600-6-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3600-4-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3600-3-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3600-2-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3600-100-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3600-101-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3600-102-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3600-104-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
654499039bf1ff42517df80838fe99ab_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
654499039bf1ff42517df80838fe99ab_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
654499039bf1ff42517df80838fe99ab_JaffaCakes118.exedescription pid process target process PID 4236 set thread context of 3600 4236 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe -
Drops file in Program Files directory 64 IoCs
Processes:
654499039bf1ff42517df80838fe99ab_JaffaCakes118.exedescription ioc process File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~3.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI9C33~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~2.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.41\MICROS~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MIA062~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe -
Drops file in Windows directory 1 IoCs
Processes:
654499039bf1ff42517df80838fe99ab_JaffaCakes118.exedescription ioc process File opened for modification C:\Windows\svchost.com 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
654499039bf1ff42517df80838fe99ab_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
654499039bf1ff42517df80838fe99ab_JaffaCakes118.exepid process 4236 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
654499039bf1ff42517df80838fe99ab_JaffaCakes118.exedescription pid process target process PID 4236 wrote to memory of 3600 4236 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe PID 4236 wrote to memory of 3600 4236 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe PID 4236 wrote to memory of 3600 4236 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe PID 4236 wrote to memory of 3600 4236 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe PID 4236 wrote to memory of 3600 4236 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe PID 4236 wrote to memory of 3600 4236 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe PID 4236 wrote to memory of 3600 4236 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe PID 4236 wrote to memory of 3600 4236 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe PID 4236 wrote to memory of 3600 4236 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe PID 4236 wrote to memory of 3600 4236 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe PID 4236 wrote to memory of 3600 4236 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe PID 4236 wrote to memory of 3600 4236 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe PID 4236 wrote to memory of 3600 4236 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe 654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Users\Admin\AppData\Local\Temp\654499039bf1ff42517df80838fe99ab_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\654499039bf1ff42517df80838fe99ab_JaffaCakes118.exe2⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:3600
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
86KB
MD5d0db0ba1489b86709ec85e3e169af310
SHA153f45f16b5f391529ee2e2acae2988322faed109
SHA256d8231bf8a8979e9478e26f9cf5eb154bc9c51d5df667133dc8672b7b1d9cc4c8
SHA5127ad4ecc87a0ad6328cc86621be10bda5c88168a6880cff228e85adebe0d30933193c5cd3889c45a808befdd8623da6dee50ae0c12df2efac4fb048c7b1810d4b
-
Filesize
3.4MB
MD5d47ca1594d2780f0e736b244764e2e80
SHA1a15414dfd48343e9ce0c179fe211943e86c12820
SHA2564157c73809436b2214812f30cdc79c800562f08cc1ad1a0bcdf6d86bbf682d21
SHA512491f53c5ebce04e93a6f755a5fa4fe19fe34bd381278ab620baf4d68adc9684f6c5855859de9bb8d2c82b58938caedd2670fec5c8a35dbe04db55f8b859379ef