Analysis

  • max time kernel
    143s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-10-2024 20:39

General

  • Target

    49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    49e5775509e2938dfc0a00dbb6678d92

  • SHA1

    7925f60e82cdfc055dde1160e73375ab0f86fa32

  • SHA256

    6cde26900b59d3aec1d3c6ba9f581a96a76b23534e5b113ce020910671f69da3

  • SHA512

    f23c3405523258eb6dcf85f3a28eff7c5a7ef9490cbdf7880c2f06924cd2e78bb22f84e4a9b7d85a0afaff5e1e3d974c00acba53bc6e7ed09404b3b78e96676e

  • SSDEEP

    24576:rppOGVbiLXkRG9pudmXf/P49oGpOElnf/1p5V2TJjs:n0Vpudmv/hGpO6nf9pD2TNs

Malware Config

Signatures

  • Detect Neshta payload 3 IoCs
  • Neshta

    Malware from the Neshta family is a file infector: it injects itself into other executables in order to spread and cause damage.

  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 3 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 5 IoCs

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Users\Admin\AppData\Local\Temp\3582-490\49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe
        uTorrent.exe /STARTAPP /NOINSTALL /BRINGTOFRONT
        3⤵
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2108
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:908
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2404

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

    Filesize

    547KB

    MD5

    cf6c595d3e5e9667667af096762fd9c4

    SHA1

    9bb44da8d7f6457099cb56e4f7d1026963dce7ce

    SHA256

    593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

    SHA512

    ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

  • C:\Users\Admin\AppData\Local\Temp\3582-490\49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe

    Filesize

    1.0MB

    MD5

    590b6b4eb21dbff4b30ee61dd267e857

    SHA1

    11006326b0f30743bd49e37e22822d0658e1af48

    SHA256

    c246ddc07c98e512ac7f923d6dadcd15d18bcbc02e1a26a853a4c519dbd56a3a

    SHA512

    64471f0aaf3e9dbcc980ceabebf20290167c7b305044ff02b041cb2cc6e46ffe140aef183c6bb4f1ea5294dbbe09c7a4a52ada1428a943a73c61a4ce34c4231d

  • C:\Users\Admin\AppData\Local\Temp\Cab83E1.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2039016743-699959520-214465309-1000\1f91d2d17ea675d4c2c3192e241743f9_d58f30ce-7498-4544-8c46-d67b11e386bc

    Filesize

    1KB

    MD5

    2f0c242d6dc12edbbbfa6387e9db1777

    SHA1

    e3e120901413e73711f8f1a93591de33017abf14

    SHA256

    ecc0709d52392893acd383c24836434f7e53e8bccfd4e1ccc74d2e4573bf8e79

    SHA512

    01d5eefcf2e160763210e7fce1dea9a967718963fc318a5f594e8c73c5cbad3fbff4ebe4c99ef75baa054eda3dcc5237831e892429e9ecbac95f623154f626e0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RF5BM5G0.txt

    Filesize

    89B

    MD5

    de080a48fef87c9b8677a19c7c7d48ef

    SHA1

    a4534dd3aab5e1fa9863b3bf21469d97aa86953e

    SHA256

    17584be1054f9a4eadb4d39fc8ef6760f47c65efbf79df8baf83c7e6a0a49112

    SHA512

    2c4a20d057f119db36f6539b0e3dd10aa4b7812ec38e4f350e80bff1a0d7abfe8e1eb3a61644fe59be8a9b52f7dadaeb660b28edf5ed3375591ccfe8f7f7dd0b

  • C:\Users\Admin\AppData\Roaming\uTorrent\apps\featuredContent.btapp

    Filesize

    243B

    MD5

    202851b4ac10eabb696f01dd54b8f6a8

    SHA1

    6e5fe7a2381de351acc313df85447e36010538a9

    SHA256

    4bb841e062bb5ca0710c9c8c864ab5fb1bd8caa4cfe3f3b62d8899954de94e0a

    SHA512

    67aa6786e70d6a9a1ceb353600d4c02deeceb6c2061b0876438b576216f95d10ac59c0c2a6c4380f2186ed24d3020e148aa39487c813531777e221b171287769

  • C:\Users\Admin\AppData\Roaming\uTorrent\apps\player.btapp

    Filesize

    243B

    MD5

    84bf94f60b7834e320c4a042a0a516ce

    SHA1

    32f86a187637d65d2573e6a19157c263d4feca4c

    SHA256

    f3bdbc7d08f9e7eb19e7160e616786bbf67a81f69c23cd4eafe977f05d257234

    SHA512

    613a3ed14aa62ebeb52868b913462f0f2592afde3a56b25789f1306fa0c9a58537d265dc4c01fb4abe4b55858ad82d0f4567fffdcde5c631190bd8c1eb8c557e

  • C:\Users\Admin\AppData\Roaming\uTorrent\apps\player.btapp.new

    Filesize

    243B

    MD5

    e8287c0129fd9c39dfea1d5e5bece379

    SHA1

    d0504943bf36a5779d96c4742896e821e73621c1

    SHA256

    cba86f7add3ec149fe7e86bd9fec4abc966868072100037311699b57e711c60d

    SHA512

    7f8fcc29548fe1d78aa9a9a293b37f80ec78afbbbbd0bf0aef4e0d796ea1117d77d85e71fdc059c16714567f2e177b17acf72fb8212acd03dcbc5e82af7b38ac

  • C:\Users\Admin\AppData\Roaming\uTorrent\apps\plus.btapp

    Filesize

    243B

    MD5

    7a1a3ffb7cba7629c3473f49e7ae2c96

    SHA1

    19bbe6cb0883c265a07d7b54d357f7c98d94fe07

    SHA256

    2a4f7065bdbcda4e5c486d38f2572f3c328df85b3d560dae3f56f022e25462bc

    SHA512

    b4f20bf27e6786ccdc3f54d36befac7ff1b053440874ffd4832079172b05d62020658c2781e694a0c6892cdb2d588b523b2629e65c33ae5bff042709125309e8

  • C:\Users\Admin\AppData\Roaming\uTorrent\apps\welcome-upsell.btapp

    Filesize

    243B

    MD5

    98ef2271196ad08c5acf0120f6535605

    SHA1

    44391274410df3a343f3b92bff3a19d9fce0994e

    SHA256

    dec9b482ecbf56c919c10908c036f467ce90747ebee41c8aa8032b2a0bae8aa8

    SHA512

    ef9806f3ac2acc2714e20751e1fd1cccb58f2e024ffe426ad984cca34240bee0c863051d32775b88b9f7bfd01c68516b15e4aa9d92a3b73a8852fd93dab904b1

  • C:\Users\Admin\AppData\Roaming\uTorrent\apps\welcome-upsell.btapp

    Filesize

    243B

    MD5

    d5244dcfdb45d4cb0dd9d7a09659ace5

    SHA1

    d98bc6f8b8f77350d232f912e1c663921f4601d8

    SHA256

    07c48017b0f89a8093d287d99a1a4010e41770a90efbe556ca4802b1e90c03ba

    SHA512

    9db8d560119a15e2853a73aa44281312c2041f4393636256e8e63fd5fb6cfdf5672c10b5a0064fff531f44148c05b100e2990a6bc7a548c85874ea4d8973c5dd

  • C:\Users\Admin\AppData\Roaming\uTorrent\settings.dat

    Filesize

    5KB

    MD5

    d5b222577b6c664c0c5fbece854ef7de

    SHA1

    f99235e7d03ef8895511f6fb6667c0be90cca8d5

    SHA256

    c99686a659748af523d58e816578606ad7537bea7cb2de2c866813d251a9f44c

    SHA512

    944190a6fa01dad34951a6dcb5779fde839b9ad1958e2a9818e162b1373206de20a69b8e4873e10c46f7c67e69fb2e943a6c2e66b32e07b01b585b4884b1769f

  • C:\Users\Admin\AppData\Roaming\uTorrent\settings.dat.old

    Filesize

    5KB

    MD5

    d5d25e76d167b43cc28d05f2d48df4d2

    SHA1

    9a8f13dc827b6e83a346f0aba6561808e78ce348

    SHA256

    dc78ed7fafe72fbb68b197396f6685144b86c209243cf5d33c49540fcdb58c42

    SHA512

    cbee14e4cb2fc2ca50ce53d50a72c17773403e0aa38681a3b8fd0e2aa8b14bfe04d2e730adee0e0c904b641e30c7cdf62c7467deaf9eef57704966a58a1538f2

  • C:\Users\Admin\AppData\Roaming\uTorrent\toolbar.benc.new

    Filesize

    36KB

    MD5

    a72ccec655860656bcdbac0f6a6f3038

    SHA1

    1947d5edbd771c466ecb2bda5696242e1987afca

    SHA256

    be9cbcb92ebd9283276857a4151b04fefd56acbd94f19deab3c7da44b5e66d65

    SHA512

    c0eb22b71859905331827a09b4b672eb885a03f43dc9104d9b7fd4cbb5547edcb0e265886f0ed3a481c76823c3adfdddbea35135de6a7fe012789db1da4f84d1

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

  • memory/1748-101-0x0000000002E10000-0x00000000030C5000-memory.dmp

    Filesize

    2.7MB

  • memory/1748-106-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/1748-102-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/1748-11-0x0000000002E10000-0x00000000030C5000-memory.dmp

    Filesize

    2.7MB

  • memory/2108-174-0x0000000000400000-0x00000000006B5000-memory.dmp

    Filesize

    2.7MB

  • memory/2436-129-0x0000000000400000-0x00000000006B5000-memory.dmp

    Filesize

    2.7MB

  • memory/2436-130-0x0000000005BA0000-0x0000000005E55000-memory.dmp

    Filesize

    2.7MB

  • memory/2436-131-0x0000000000400000-0x00000000006B5000-memory.dmp

    Filesize

    2.7MB

  • memory/2436-104-0x0000000000400000-0x00000000006B5000-memory.dmp

    Filesize

    2.7MB

  • memory/2436-12-0x0000000000400000-0x00000000006B5000-memory.dmp

    Filesize

    2.7MB