Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-10-2024 20:39
Behavioral task: behavioral1
- Sample: 49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe
- Resource: win7-20241010-en
General
- Target: 49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe
- Size: 1.1MB
- MD5: 49e5775509e2938dfc0a00dbb6678d92
- SHA1: 7925f60e82cdfc055dde1160e73375ab0f86fa32
- SHA256: 6cde26900b59d3aec1d3c6ba9f581a96a76b23534e5b113ce020910671f69da3
- SHA512: f23c3405523258eb6dcf85f3a28eff7c5a7ef9490cbdf7880c2f06924cd2e78bb22f84e4a9b7d85a0afaff5e1e3d974c00acba53bc6e7ed09404b3b78e96676e
- SSDEEP: 24576:rppOGVbiLXkRG9pudmXf/P49oGpOElnf/1p5V2TJjs:n0Vpudmv/hGpO6nf9pD2TNs
Malware Config
Signatures
-
Detect Neshta payload 4 IoCs
Resource / yara rule:
- behavioral2/files/0x000600000002023a-23.dat (family_neshta)
- behavioral2/memory/2952-110-0x0000000000400000-0x000000000041B000-memory.dmp (family_neshta)
- behavioral2/memory/2952-113-0x0000000000400000-0x000000000041B000-memory.dmp (family_neshta)
- behavioral2/memory/2952-116-0x0000000000400000-0x000000000041B000-memory.dmp (family_neshta)
Neshta
Neshta is a file infector: it writes its own body into other executables so that launching any infected program spreads it further, and it then runs a clean copy of the original program (in this report dropped under %TEMP%\3582-490\) so the host keeps working and the user notices nothing.
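The process tree in this report shows the pattern a prepending infector leaves behind: the infected file (PID 2952) writes the original program out to %TEMP%\3582-490\ and executes it (PID 3224). The Python below is an added example, not code from the sample or the sandbox; it shows the generic way to split such a file back into stub and host by locating every MZ header whose e_lfanew points at a valid "PE\0\0" signature. The stub and host sizes in the constructed sample buffer are invented for the demonstration and say nothing about Neshta's real layout.

```python
r"""Carve the host program out of a prepending file infector.

Added example for this page, not code from the sample or the sandbox.
A prepender stores its own body first and the original executable after
it; on launch the stub writes the original out (this report shows it
under %TEMP%\3582-490\) and runs it.  The offset search is generic: it
looks for every MZ header whose e_lfanew points at a "PE\0\0" signature.
The stub/host sizes used for the sample buffer below are invented.
"""
import struct

PE_SIGNATURE = b"PE\0\0"


def find_pe_headers(data: bytes):
    """Return offsets of every plausible PE image inside data.

    A candidate is an 'MZ' whose e_lfanew (DWORD at +0x3C) lands on a
    'PE\0\0' signature.  The e_lfanew bound is a heuristic against
    random 'MZ' byte pairs in data sections.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig_at = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig_at:sig_at + 4] == PE_SIGNATURE:
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def carve_host(data: bytes):
    """Split an infected file into (stub, host).

    Returns None when only one PE image is present, i.e. nothing was
    prepended and the file is (by this test) clean.
    """
    headers = find_pe_headers(data)
    if len(headers) < 2:
        return None
    host_off = headers[1]
    return data[:host_off], data[host_off:]


def fake_pe(total_size: int, marker: bytes) -> bytes:
    """Build a minimal MZ/PE-shaped blob (constructed test input, not a
    real executable): 'MZ' at 0, e_lfanew = 0x80, 'PE\0\0' at 0x80 and
    a recognisable marker at 0x100."""
    buf = bytearray(total_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = PE_SIGNATURE
    buf[0x100:0x100 + len(marker)] = marker
    return bytes(buf)


# Constructed "infected" file: invented 0x600-byte stub followed by the host.
STUB_SIZE = 0x600
SAMPLE_INFECTED = fake_pe(STUB_SIZE, b"INFECTOR-STUB") + fake_pe(0x900, b"ORIGINAL-HOST")

if __name__ == "__main__":
    stub, host = carve_host(SAMPLE_INFECTED)
    print(f"stub {len(stub)} bytes, host {len(host)} bytes, "
          f"host marker present: {b'ORIGINAL-HOST' in host}")
```

On a real infected sample the carved host should hash to the clean original (compare it against the file the stub drops under %TEMP%\3582-490\); if the second header is not at the stub's true end the carve will include stub tail bytes, so treat the offset as a starting point and confirm with a PE parser.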
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, most likely a geofence check.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
Executes dropped EXE 2 IoCs
Processes:
- PID 3224: 49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe
- PID 3092: uTorrent.exe
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer that runs Windows applications on other operating systems and is sometimes used as an analysis sandbox; the sample opens Wine's registry keys to detect it.
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\Software\WOW6432Node\Wine (uTorrent.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine (uTorrent.exe)
- Key opened: \REGISTRY\MACHINE\Software\WOW6432Node\Wine (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
UPX-packed (yara rule upx) 6 IoCs
Resource / yara rule:
- behavioral2/files/0x000b000000023b88-5.dat (upx)
- behavioral2/memory/3224-12-0x0000000000400000-0x00000000006B5000-memory.dmp (upx)
- behavioral2/memory/3224-112-0x0000000000400000-0x00000000006B5000-memory.dmp (upx)
- behavioral2/memory/3092-137-0x0000000000400000-0x00000000006B5000-memory.dmp (upx)
- behavioral2/memory/3224-147-0x0000000000400000-0x00000000006B5000-memory.dmp (upx)
- behavioral2/memory/3092-184-0x0000000000400000-0x00000000006B5000-memory.dmp (upx)
Drops file in Program Files directory 64 IoCs
Processes:
All entries are "File opened for modification" by 49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe:
- C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
- C:\PROGRA~2\INTERN~1\ExtExport.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
- C:\PROGRA~2\INTERN~1\ieinstal.exe
- C:\PROGRA~2\INTERN~1\ielowutil.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
- C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
- C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE
- C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
- C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE
- C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
- C:\PROGRA~2\WINDOW~2\wab.exe
- C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
- C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
- C:\PROGRA~2\Google\Update\DISABL~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE
- C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE
- C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
- C:\PROGRA~2\WINDOW~4\wmpconfig.exe
- C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
- C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
- C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
- C:\PROGRA~2\INTERN~1\iexplore.exe
- C:\PROGRA~2\WINDOW~4\wmprph.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
- C:\PROGRA~2\WINDOW~4\setup_wm.exe
- C:\PROGRA~2\WINDOW~4\wmlaunch.exe
- C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
- C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
- C:\PROGRA~2\WINDOW~4\wmplayer.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
Drops file in Windows directory 1 IoCs
Processes:
- File opened for modification: C:\Windows\svchost.com (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (uTorrent.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (DllHost.exe)
Checks SCSI registry key(s) 3 TTPs 4 IoCs
Device entries under Enum\SCSI carry vendor and product strings and are often read to detect a virtualised sandbox; here the QEMU DVD-ROM entry identifies the analysis VM.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 (uTorrent.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (uTorrent.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 (uTorrent.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName (uTorrent.exe)
Modifies Internet Explorer settings 2 IoCs
Processes:
- Set value (int): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\uTorrent.exe = "8000" (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (uTorrent.exe)
Modifies registry class 64 IoCs
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Magnet\Content Type = "application/x-magnet" (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.btinstall (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.btsearch (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Applications\uTorrent.exe (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\uTorrent\shell\open (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\uTorrent\Content Type (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Magnet\ = "Magnet URI" (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.btinstall\Content Type = "application/x-bittorrent-appinst" (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.btsearch\OpenWithProgids\uTorrent (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Applications\uTorrent.exe\shell\open (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent\Extension = ".torrent" (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\MIME\Database\Content Type\application/x-bittorrent (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\uTorrent\shell (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\uTorrent\Content Type\ = "application/x-bittorrent" (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.btsearch (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.btsearch\ = "uTorrent" (uTorrent.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrentsearchdescription+xml (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-app (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-appinst (uTorrent.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-key (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-key (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.torrent\ = "uTorrent" (uTorrent.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrentsearchdescription+xml\Extension = ".btsearch" (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Magnet\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe\",0" (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.btapp (uTorrent.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-app\Extension = ".btapp" (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.torrent\OpenWithProgids (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.torrent (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\MIME\Database\Content Type\application/x-bittorrent\Extension = ".torrent" (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\uTorrent\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe\" \"%1\"" (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Magnet (uTorrent.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-app (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-appinst\Extension = ".btinstall" (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.btkey\Content Type = "application/x-bittorrent-key" (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Applications\uTorrent.exe\shell\ = "open" (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\MIME\Database\Content Type\application/x-bittorrentsearchdescription+xml\Extension = ".btsearch" (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Magnet\DefaultIcon (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-app\Extension = ".btapp" (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-skin (uTorrent.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-appinst\Extension = ".btinstall" (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\uTorrent\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe\",0" (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.torrent\Content Type = "application/x-bittorrent" (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.btskin (uTorrent.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-key\Extension = ".btkey" (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.torrent\OpenWithProgids\uTorrent (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\uTorrent (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\uTorrent\shell\open\command (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Magnet\shell\ = "open" (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.btapp\Content Type = "application/x-bittorrent-app" (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.btskin\Content Type = "application/x-bittorrent-skin" (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.btinstall\ = "uTorrent" (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-key\Extension = ".btkey" (uTorrent.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\FalconBetaAccount\remote_access_client_id = "7655849984" (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Magnet\shell\open\command (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\FalconBetaAccount (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.torrent (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\uTorrent\shell\ = "open" (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Magnet\URL Protocol (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Magnet\shell\open (uTorrent.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-skin\Extension = ".btskin" (uTorrent.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.btsearch\OpenWithProgids (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Applications (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
- PID 3224: 49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe (2 hits)
- PID 3092: uTorrent.exe (2 hits)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
- PID 3224: 49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe
- PID 3092: uTorrent.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeManageVolumePrivilege, PID 3224 (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe)
- Token: SeManageVolumePrivilege, PID 3092 (uTorrent.exe)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- PID 3092: uTorrent.exe (2 hits)
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
- PID 3092: uTorrent.exe (2 hits)
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
- PID 2952 (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe) wrote to memory of PID 3224, procid_target 84 (3 writes)
- PID 3224 (49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe) wrote to memory of PID 3092, procid_target 96 (3 writes)
Processes
- C:\Users\Admin\AppData\Local\Temp\49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe"
  PID: 2952 (depth 1)
  - Checks computer location settings
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3582-490\49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\49e5775509e2938dfc0a00dbb6678d92_JaffaCakes118.exe"
    PID: 3224 (depth 2)
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe
      Command line: uTorrent.exe /STARTAPP /NOINSTALL /BRINGTOFRONT
      PID: 3092 (depth 3)
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - System Location Discovery: System Language Discovery
      - Checks SCSI registry key(s)
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
  PID: 1912 (depth 1)
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
- Filesize: 86KB
  MD5: 3b73078a714bf61d1c19ebc3afc0e454
  SHA1: 9abeabd74613a2f533e2244c9ee6f967188e4e7e
  SHA256: ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
  SHA512: 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4
- Filesize: 1.0MB
  MD5: 590b6b4eb21dbff4b30ee61dd267e857
  SHA1: 11006326b0f30743bd49e37e22822d0658e1af48
  SHA256: c246ddc07c98e512ac7f923d6dadcd15d18bcbc02e1a26a853a4c519dbd56a3a
  SHA512: 64471f0aaf3e9dbcc980ceabebf20290167c7b305044ff02b041cb2cc6e46ffe140aef183c6bb4f1ea5294dbbe09c7a4a52ada1428a943a73c61a4ce34c4231d
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4050598569-1597076380-177084960-1000\1f91d2d17ea675d4c2c3192e241743f9_cca0d105-8260-4611-8c12-bd85a7208b9f
  Filesize: 1KB
  MD5: 3e82288910cded8c5d2893c172657a9b
  SHA1: 2245a7aaf7748b59e6554b89c08db78c23de274e
  SHA256: e676bb5dcfc0b830d1098aaec222c40f30fec40e8d67c4ac3048e9616a3813f0
  SHA512: de0ee59d669bc558b6c79291c8e9b6ea927779fb0c8f98bf612cf7ed7b39c41146923483c28e2563ff43cd58f334999de0c7597cde9fce879b046befd5f0f0da
- Filesize: 243B
  MD5: 202851b4ac10eabb696f01dd54b8f6a8
  SHA1: 6e5fe7a2381de351acc313df85447e36010538a9
  SHA256: 4bb841e062bb5ca0710c9c8c864ab5fb1bd8caa4cfe3f3b62d8899954de94e0a
  SHA512: 67aa6786e70d6a9a1ceb353600d4c02deeceb6c2061b0876438b576216f95d10ac59c0c2a6c4380f2186ed24d3020e148aa39487c813531777e221b171287769
- Filesize: 243B
  MD5: 4b2d13e269311ffe40ed01a109e39f46
  SHA1: 7430945a0a18f92294003ffbbdf02045c61a9eb6
  SHA256: a072355db634c599fadabdf50afe9edaccbf7942de13a77d273169b2b5a9e453
  SHA512: bc9a62cf0c42ee2850cc2642926c72446f8df071f3cdc0823880a159fe8a1c161b265fb17962672a547940832aa4c686b761965ff44c8d97ad6a5d341d9100c6
- Filesize: 243B
  MD5: fe6969af0dee08b8e51e41418624eb6b
  SHA1: ae4ace5f8135d52806b1e697a25010a7beb6f1bb
  SHA256: 4b126113a86039f72eb0eff1fafbbe0e35d903dfe02609a882ba26bec1e7598d
  SHA512: a9cac6c21dff34e91f495f75cf10394a7649edb607c678a07745d07fa0475b799c638e8936b5aa1ff50f74fda11cf70d85a7fd9454ec7372de01991cd9824b97
- Filesize: 243B
  MD5: 7a1a3ffb7cba7629c3473f49e7ae2c96
  SHA1: 19bbe6cb0883c265a07d7b54d357f7c98d94fe07
  SHA256: 2a4f7065bdbcda4e5c486d38f2572f3c328df85b3d560dae3f56f022e25462bc
  SHA512: b4f20bf27e6786ccdc3f54d36befac7ff1b053440874ffd4832079172b05d62020658c2781e694a0c6892cdb2d588b523b2629e65c33ae5bff042709125309e8
- Filesize: 243B
  MD5: 62445e64394de56d282d11ed23060818
  SHA1: 527cba5626bfab7565c85c5a77ddb98cde8c104c
  SHA256: bcc77d7eab8ec356af3b1e5f6d9a6228df19b6f2d5ff02deb0b2d7fe863a5e70
  SHA512: f5452654dda09c973d3d261c1a98caa84174bd7ca2e4f511228566f5dc2a14829200d98b1f19432b183f5ff89df90bd6afb5675fa399f0e3c62c793c64926df7
- Filesize: 243B
  MD5: 24901c8e6802b7a1e46d44588217972d
  SHA1: 50543b5753a9f35a78ce087ff3a2329fd9d7b2b8
  SHA256: 8473f915a6ee64f02d86193ab0c5909d01b528d684e5b1b204491015d7607080
  SHA512: 2bdc6dce3f70dde8113e5c1621d3b442d60bbd08bfbe9a6a65c9aa752fe48b12d380ca4fdfa436a06f790be2e64731fe6fdc79dae5410312d010e820045e47d5
- Filesize: 5KB
  MD5: 72c5f3e8b99cf4826e8ca82f72ba032a
  SHA1: 7ff2d821ae2034b60514ea98068d644ddbf83a27
  SHA256: 6f16a912c831321d7cc0f2c5504c99e200c63fc41f182aabbdf97af2adeeac20
  SHA512: fc1b97d658af5b1ef0609cccdefe02bf11b32105ee19513f75db7a53aee33554148b46f6e73dc0570991f7c44a8d26a7cab6f664a88e072952605eb30fb8d3f8
- Filesize: 5KB
  MD5: 38bbba08184f16b8e64c37a0721d489f
  SHA1: 29245095805684ad12d4a931e4ff43d61580dcfe
  SHA256: 2886ca43b508ef5d0dbe62bb41343765815c5f578faca51c99de22f729d2e995
  SHA512: 23ed21dc77ca2553d10567ceb7bbd66d24901d81f4e629ac6c509598f2e5498585e1c7562d7fc1c5240792a862127dd15a2e287d7d6015590fcb0eb86e923249
- Filesize: 36KB
  MD5: 0d1a9bb38ba18fabf78dc736e9446129
  SHA1: 2d637ca88f49002afb8da3ee7076c7ad2547e6c5
  SHA256: d3cf5ebf6fce93c2de6886dbbdbdf3ffbf02b0e8b4c66211e99d22a3f208c8a9
  SHA512: 22c07663618de538bc62939f1698216f86341a1b2c6e074ab224befad8c2612c4182d80f22aed9a900df207172f9a112e6ad105c69b2bcf9f8e9d3b2922194eb