neshta | 385f5ca91b0a230a14f5d32c79d061a3af0f5533923ad62e1982d1327ed086a4

General

Target

158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
Size

913KB
MD5

158d07c37f56412ce5f16891448e7b65
SHA1

87df1f1b527f28875ca1590543ca51ae12797b3a
SHA256

385f5ca91b0a230a14f5d32c79d061a3af0f5533923ad62e1982d1327ed086a4
SHA512

1929152e647609b9eb5cbba588163cf48388e7c3e3493d2c16038eed4b35465bd9842afa166cf73d4d6bfefe3590be622c81f55e164ca08d4f1a3d6e618e5de5
SSDEEP

24576:kPp9AR95SkXpgex+Bp+MN7N2y90rgF1oeQo:kPpKRSk7xup+kN21gFR

Score

10^/10

neshta xloader b6cu discovery evasion loader persistence rat spyware stealer

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

b6cu

Decoy

votreconseilfinancier.com

wholesaleplay.com

komfy.store

hsyunfan.com

tournamenttips.com

yourbusine.xyz

wrg-referrals.com

harmless-oily.com

whizdomtowealth.com

xusmods.com

cleanerstoday.com

finopscert.com

paerexpress.com

kankb.com

res-o.info

balonpantolon.com

freedownloadbiz.info

jeffegriffin.com

gobahis119.com

ourcalvinsarm.com

Signatures

Detect Neshta payload 4 IoCs

Processes:

resource	yara_rule
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
behavioral1/memory/2152-90-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral1/memory/324-104-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2956-112-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools 158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

Processes:

158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exesvchost.com158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

pid process

2308 158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
324 svchost.com
2956 158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

pid	process
2308	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
324	svchost.com
2956	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

Loads dropped DLL 3 IoCs

Processes:

158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

pid	process
2152	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
2152	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
2308	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

description	pid	process	target process
PID 2308 set thread context of 2956	2308	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

svchost.com158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exesvchost.comschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Modifies registry class 1 IoCs

Processes:

158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1528 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

pid process

2956 158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
2308 158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2308 158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

pid	process
1528	schtasks.exe

pid	process
2956	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
2308	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2308	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exesvchost.com

description	pid	process	target process
PID 2152 wrote to memory of 2308	2152	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
PID 2152 wrote to memory of 2308	2152	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
PID 2152 wrote to memory of 2308	2152	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
PID 2152 wrote to memory of 2308	2152	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
PID 2308 wrote to memory of 324	2308	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe	svchost.com
PID 2308 wrote to memory of 324	2308	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe	svchost.com
PID 2308 wrote to memory of 324	2308	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe	svchost.com
PID 2308 wrote to memory of 324	2308	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe	svchost.com
PID 324 wrote to memory of 1528	324	svchost.com	schtasks.exe
PID 324 wrote to memory of 1528	324	svchost.com	schtasks.exe
PID 324 wrote to memory of 1528	324	svchost.com	schtasks.exe
PID 324 wrote to memory of 1528	324	svchost.com	schtasks.exe
PID 2308 wrote to memory of 2956	2308	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
PID 2308 wrote to memory of 2956	2308	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
PID 2308 wrote to memory of 2956	2308	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
PID 2308 wrote to memory of 2956	2308	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
PID 2308 wrote to memory of 2956	2308	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
PID 2308 wrote to memory of 2956	2308	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
PID 2308 wrote to memory of 2956	2308	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe	158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\3582-490\158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xHBDpNzPl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp620D.tmp"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:324
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\System32\schtasks.exe /Create /TN Updates\xHBDpNzPl /XML C:\Users\Admin\AppData\Local\Temp\tmp620D.tmp
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1528
- - C:\Users\Admin\AppData\Local\Temp\3582-490\158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
f259b5080665da2d9af12ca10648852a

SHA1
22749592c5151131f8479532598554499c0eb820

SHA256
856ed38c0b250834e97018e5106f960664bb1a34cac1cc6b6a816e60708e9b58

SHA512
bf4b8ca6fb492929842fffa6169ef81c7ea385098d9bfa7277545ec49dcd9ad954d05e514f213c720310061a4bdaf34f4642f7728301ab58495e8c6c0486eacf

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\158d07c37f56412ce5f16891448e7b65_JaffaCakes118.exe

Filesize
873KB

MD5
e87195f4daff005015ee540693c1a373

SHA1
64502c119e9d4807f2ed8fde8d528f840c0e471f

SHA256
509dec0d81afd4184e215b8e979e6e3e32dd41f04a6bdcfb3ff800991157066c

SHA512
a42c17141cd8964dae192fbd5eb403fe71023289ef3414a90e82389df7e0e2498945fa656e03dd5ee4614e4718928aa227dab6a915bb8a4c19ab3b250ea6ea7d

Download Submit
memory/324-104-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2152-90-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2308-92-0x0000000005020000-0x00000000050BA000-memory.dmp

Filesize
616KB

Download
memory/2308-88-0x000000007432E000-0x000000007432F000-memory.dmp

Filesize
4KB

Download
memory/2308-91-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2308-48-0x00000000005E0000-0x00000000005F6000-memory.dmp

Filesize
88KB

Download
memory/2308-93-0x0000000000A00000-0x0000000000A2E000-memory.dmp

Filesize
184KB

Download
memory/2308-14-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2308-13-0x0000000000AA0000-0x0000000000B80000-memory.dmp

Filesize
896KB

Download
memory/2308-12-0x000000007432E000-0x000000007432F000-memory.dmp

Filesize
4KB

Download
memory/2308-114-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2956-112-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2956-111-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2956-109-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2956-107-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads