Overview

overview

10

Static

static

3

5d02893481...18.exe

windows7-x64

10

5d02893481...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-10-2024 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5d02893481bbd7a7cf0be949532e45bb_JaffaCakes118.exe

  • Size

    235KB

  • MD5

    5d02893481bbd7a7cf0be949532e45bb

  • SHA1

    d68e6e40e484a5688195ab3bb90a1050806ce37f

  • SHA256

    d9a2a4eae9292fc6782abf67b158706bee53503370c46751f21d62b3694054e5

  • SHA512

    7de51392e20056b12afdda240234fe23eb8e12bc1ddf441ff0fcba51a4de21b64e425f6153705b5f93c270f077f8d01b39446fa479cafdff8556c9917fc17a75

  • SSDEEP

    6144:jyH7xOc6H5c6HcT66vlmrASraT1D8rgzPDkAVHSyH7xOc6H5c6HcT66vlmqAjUei:jazT1LMxa0Ieni

Score
10/10
neshtadiscoverypersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 5 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d02893481bbd7a7cf0be949532e45bb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5d02893481bbd7a7cf0be949532e45bb_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\5d02893481bbd7a7cf0be949532e45bb_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3808
      • C:\Users\Admin\AppData\Local\Temp\5d02893481bbd7a7cf0be949532e45bb_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\5d02893481bbd7a7cf0be949532e45bb_JaffaCakes118.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1880
        • C:\Users\Admin\AppData\Local\Temp\3582-490\5d02893481bbd7a7cf0be949532e45bb_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\3582-490\5d02893481bbd7a7cf0be949532e45bb_JaffaCakes118.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3352
          • C:\Windows\svchost.exe
            "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\5d02893481bbd7a7cf0be949532e45bb_JaffaCakes118.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4308
            • C:\Users\Admin\AppData\Local\Temp\3582-490\5d02893481bbd7a7cf0be949532e45bb_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\3582-490\5d02893481bbd7a7cf0be949532e45bb_JaffaCakes118.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:812
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:5108

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
    Filesize

    328KB

    MD5

    39c8a4c2c3984b64b701b85cb724533b

    SHA1

    c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00

    SHA256

    888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d

    SHA512

    f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\5d02893481bbd7a7cf0be949532e45bb_JaffaCakes118.exe
    Filesize

    159KB

    MD5

    4c1366320f27ddfcf6aa1b4266fc16fe

    SHA1

    1d14dfaba4495d77e99f1d4c0773177247dfce1d

    SHA256

    cd36df160a464ba3abcfc3d010aae9cc913f29f76878ae38e75eefe1e49c593e

    SHA512

    126b8edf27d9908b13cf90487fd66d3031dde842f5bc1063b6c57f3894c4ac1281f9b54614e75031be77dc9c6b149749003e9b568df9e5dd6bd15b41324cb149

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\5d02893481bbd7a7cf0be949532e45bb_JaffaCakes118.exe
    Filesize

    124KB

    MD5

    52cc826a4cf23d5bbf7534f1b30d0bab

    SHA1

    663b42d847db8ee8ca4d23c7a6f7a5357e055a52

    SHA256

    7cfdae4ec5b8c4ab16ff1433fcc1a82d925dd79e36c5a01d24b47ca277f1ef55

    SHA512

    fc03d351cda0e7e5f6112b8a6b4e061df02b7117d0a4f5dcefe12fe5908b0c0c660338055d59ee8cfe70d82f55aa981dbe02dd5d14a70cc813426af6f7fa4eac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\5d02893481bbd7a7cf0be949532e45bb_JaffaCakes118.exe
    Filesize

    200KB

    MD5

    38eead83b531a5b5f22d7ddc2264546a

    SHA1

    33548c66f43f4eb79e1abef0c9b132c55ca91b40

    SHA256

    4393a0032b1f3aed3c70947c79894132f5f5a85214d8bac9dfac90ee1a9ad13a

    SHA512

    2a73045ff2685789cbbc176169c9e54c67012b25f479cbea56395c25f11887ff7bd238a0a4ef17554aa3c73e537bbf3308e0b86322571094337dd701dab4f1cc

    Download Submit

  • C:\Windows\svchost.exe
    Filesize

    35KB

    MD5

    9e3c13b6556d5636b745d3e466d47467

    SHA1

    2ac1c19e268c49bc508f83fe3d20f495deb3e538

    SHA256

    20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

    SHA512

    5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

    Download Submit

  • memory/1880-116-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1880-121-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1880-118-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3352-26-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3808-10-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/4308-31-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/4716-3-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/5108-117-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/5108-123-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download