Analysis

  • max time kernel: 140s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 13/09/2024, 20:01

General

  • Target: decf0da4acf5690dddf15e98c6d94561_JaffaCakes118.exe
  • Size: 875KB
  • MD5: decf0da4acf5690dddf15e98c6d94561
  • SHA1: e6ed655ac6df286641c748a8426f80ffd822c6af
  • SHA256: 89aa6ade5ed5525e2e0c6f181539bd24c36d8a633b9e48f00e81da637c881c80
  • SHA512: 3016c8f97046274ebb757bfdaef58f36ed99ad586ce3d69fe812ede142a0903bb5fc798eeedc077cae944dac8ce3483a99781e2b997f024c7f79362cbb078098
  • SSDEEP: 24576:AlDV36hGLc1KDUWyUjPUA5kjLic7xCRXD:IwfKDUWzTUA5k6G4D

Malware Config

Signatures

  • Detect Neshta payload 3 IoCs
  • Neshta

    Malware from the Neshta family is designed to inject itself into other executable files in order to spread and cause damage.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\decf0da4acf5690dddf15e98c6d94561_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\decf0da4acf5690dddf15e98c6d94561_JaffaCakes118.exe"
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Local\Temp\3582-490\decf0da4acf5690dddf15e98c6d94561_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\decf0da4acf5690dddf15e98c6d94561_JaffaCakes118.exe"
      • Checks BIOS information in registry
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2564

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
          Filesize: 547KB
          MD5: b86b0daf84ffdd2501d7ea2848775949
          SHA1: 0596856d3bfba0c60a91b203ffa6559663ed93b3
          SHA256: 9c0de45a85fa0d3f1a29a69a13f9c5c3e1e038ffe472e968c5277f2b3001fc47
          SHA512: b08c2b7e91630e0ae097bf728065a5b15cc09ad84a6e9b11911e065bf29ed1b15630823022f5a4f0d8a60d7e4b68ae15d335d92154b4a967b6d40e96ad9d9be6

        • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
          Filesize: 252KB
          MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
          SHA1: ec66cda99f44b62470c6930e5afda061579cde35
          SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
          SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

        • \Users\Admin\AppData\Local\Temp\3582-490\decf0da4acf5690dddf15e98c6d94561_JaffaCakes118.exe
          Filesize: 835KB
          MD5: 966e104cdd70582e6700eacf9f07070a
          SHA1: 40551dc7961f29edb0ffdfc73f70f0e3124144ee
          SHA256: 4d54b228a6443ad53ea0b16c8773045b2e3de19ef7ce9b588d895d5415701864
          SHA512: 0695baeabe6d0adaeeee441d137482f31c78d75b1c8842222be93f7efe1d5ad43dad864b93985009093b4faacdce03f640b239a89080d821cd4a5b5e415d1d8d

        • memory/2280-9-0x0000000002D50000-0x0000000003070000-memory.dmp (Filesize: 3.1MB)
        • memory/2280-98-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
        • memory/2280-11-0x0000000002D50000-0x0000000003070000-memory.dmp (Filesize: 3.1MB)
        • memory/2280-93-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
        • memory/2564-18-0x00000000035F0000-0x00000000035F1000-memory.dmp (Filesize: 4KB)
        • memory/2564-19-0x0000000003A90000-0x0000000003A91000-memory.dmp (Filesize: 4KB)
        • memory/2564-92-0x0000000000230000-0x0000000000231000-memory.dmp (Filesize: 4KB)
        • memory/2564-17-0x0000000000230000-0x0000000000231000-memory.dmp (Filesize: 4KB)
        • memory/2564-94-0x00000000035F0000-0x00000000035F1000-memory.dmp (Filesize: 4KB)
        • memory/2564-96-0x0000000003A90000-0x0000000003A91000-memory.dmp (Filesize: 4KB)
        • memory/2564-95-0x0000000000400000-0x0000000000720000-memory.dmp (Filesize: 3.1MB)
        • memory/2564-14-0x0000000000400000-0x0000000000720000-memory.dmp (Filesize: 3.1MB)