Overview

overview

10

Static

static

3

676cc53b7a...18.exe

windows7-x64

10

676cc53b7a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/10/2024, 21:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    676cc53b7a5a82fae31a378d21a81bb5_JaffaCakes118.exe

  • Size

    13.2MB

  • MD5

    676cc53b7a5a82fae31a378d21a81bb5

  • SHA1

    e29470049a2a57409990e9b8d6c84f59f915647a

  • SHA256

    44e8a04b410256c9201da884a6582771e0c0394729f85ac6a7cc1ae96a4ab8fa

  • SHA512

    745b80524c2a2bb829e5aff480ef27c777b8d13848f08c3764a4b7a7468c46417094bd571b73987e364ee19ed0eacd27610d724f130de2d136c91540059e5800

  • SSDEEP

    393216:5wk1j7BMh3WP+vBXKvPcZe9DGHpld97fapVZBX:vfBMh3Z0M6OlWpVZBX

Score
10/10
neshtadiscoverypersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 4 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 15 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\676cc53b7a5a82fae31a378d21a81bb5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\676cc53b7a5a82fae31a378d21a81bb5_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\WindowsDoctor.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\WindowsDoctor.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Users\Admin\AppData\Local\Temp\3582-490\WindowsDoctor.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\WindowsDoctor.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4116

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\WindowsDoctor.exe
    Filesize

    5.7MB

    MD5

    115b0f9604aae86ad1bcccf037ce21bc

    SHA1

    ecba2c9221ad930a979f3a2c1627de89581a5bd7

    SHA256

    bc693dead66949834bead259e2076fca6fc2ee3405228eb0c793d7b7b6bb3d0f

    SHA512

    fa91ec2020d461ce7c8fcae91c0d542ad06ae9a16662e95756d75964f44ada2c30eb5c9b37d9a45814b8fd514648c5667128817548758f8fcbf1088faf93ca37

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lang.dll
    Filesize

    624KB

    MD5

    4ed3bb75a1f78f8afabeedfaeb37c7a7

    SHA1

    34f36856c2a0f7974bf64cdc4a566125003da290

    SHA256

    99a09c3532875e89d4c1a414a98b967debba667068a08f3d948d13cfd079fabc

    SHA512

    90b683172e3f9d74bef51c5be088bedbc101ff17aaf76799790264db90bf30e46955cea6d716dd761c9e7dcba78e664f94f759c0a0df410ca929b9bd55cd3be6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PrivacyCleaner.dll
    Filesize

    670KB

    MD5

    8862e6ffad755d3e988068ad27131689

    SHA1

    6b6bfcf83f9401cb10e4c0e907d08b930bc02d4f

    SHA256

    7b8fd72598d854fbbf7227529e0cd4b9e1eabc2008c34d9d0d1c758c959f3147

    SHA512

    9738f8202a744f6d7ec3af5d2be42b9f3d0efa1617e3d02417c3a68d8437ad477c59e40677c3ee19bfe258cda4b1ee9638af1f31b28a8800954c947b074e3c0a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ROListView.dll
    Filesize

    212KB

    MD5

    afd2cca9d569691e070ebc9efd0e2495

    SHA1

    e86d4bc885665ac149acc2c4dd8f5fe2b5e2645c

    SHA256

    8271f5207fe344fe24a051796efad9eec85d9873a7e360c6a85206a3f4e3e1e9

    SHA512

    c324f674879da42a66de311b602e9b92f481c863b40f2ee7add2bf78d6dd73c6507eacc94cadc5271880c3d938717a0099709f5bdda75e1fa7ee26569999047a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\RegScan.dll
    Filesize

    469KB

    MD5

    99c96614b68cfe9e4a7857c7fbea44bd

    SHA1

    0c5635f5db15190b0aae1dab471f4c6455d5779b

    SHA256

    3e4f391415804c2bf628e61bea5f4db82aa56652d4c4c36634ccae1ed9623495

    SHA512

    83d98f1146389748f3142e28810cf319d4c8cbaf67a3a57ca633fbd869ce4b926175af3541a00191794852c29b469ec0b4df70db9d8082f79c44b576249221ba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\RegistryCleanerDll.dll
    Filesize

    528KB

    MD5

    ed42a565477ec8a86cb89ef2f758d725

    SHA1

    737d6a64d99859b64e2a3c338f7a750dee9a0558

    SHA256

    cd0739510d104d9c655963612d817ca9901bf16088f1cc5361a2324d800fe0c3

    SHA512

    502c1442c00a220523a6b6aab514501854f6fe3617016dc6a894ec214657c7923c635e31fe33b89ad6dbb20203fa417f6841915ca407fdf6eeff4c08fbee50cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\SystemItemDll.dll
    Filesize

    396KB

    MD5

    5d7d5d96a066f50c1b077ade316a0eae

    SHA1

    fef636900828a2b1887cb3b5a11c6802d4a62b0d

    SHA256

    dba672c5c35835aa12a9146289de086cb928a2c7ea91ff9338a5fd7e02b3f02e

    SHA512

    92a38dabfdbea0329aec0a78cedbd54760e19fb1d8934d530a648bb1c7b6237b501dd35f34beaaaf967df40165bbd2ec18ee735a587dad6878d5d74b34759da2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\WindowsDoctor.exe
    Filesize

    5.7MB

    MD5

    4df91e23f166d05bb2a1cf0733324659

    SHA1

    eccb99b86233876b43724abb787336bde3872186

    SHA256

    b47a23642d4d4f0b485ee1875322f00536f8db587e4f3a2de85242c0af33a746

    SHA512

    b44fe2618ce03df3c4c84054e30cc7de37255bea4d295915faa5419b2b93bde2a67a3f187342f4d7d4ef1fb9d4f8a6ce882b9f8dc1b26db848f64c0b5575e6b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\common.dll
    Filesize

    277KB

    MD5

    b67e3f8474ec139fc500e60536b85ac8

    SHA1

    e7acdbf1796ccee497058e94d301903348f593cc

    SHA256

    97778cd760976dd2d5dc3e518468c7930b9ee142ed019d19822f7ffd6189975e

    SHA512

    765f441936ead9e9981982df027ea05260c62d208e942a5574fa8c196f4c0e31c596c4713811c38469cae7794be1537cce5c48732ced6fbe97c690efdb463bb4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\wmsd.dll
    Filesize

    640KB

    MD5

    175d1c7ad2e5e666f5c008f016675c7b

    SHA1

    19496b86550e2277359b0d18e65d8816ad564a50

    SHA256

    9c3d290d98f1b078b7bbe7aa512d2d589bf19d14c542287a89076b0704fd77f7

    SHA512

    1911126e68b8c75a4a9239d96b2661f8e5be0e3834e0bd5419ea5ce824e14685c781e3c750d79ec1ca23398b99def74a7657289c7822d5e16ba9ef798b814983

    Download Submit

  • memory/900-380-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/900-324-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/900-373-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4116-229-0x00000000012B0000-0x000000000132F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/4116-227-0x0000000001200000-0x00000000012B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/4116-232-0x0000000001330000-0x00000000013BE000-memory.dmp

    Filesize

    568KB

    Download

  • memory/4116-234-0x00000000013C0000-0x00000000013FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4116-327-0x0000000001330000-0x00000000013BE000-memory.dmp

    Filesize

    568KB

    Download

  • memory/4116-328-0x0000000001400000-0x00000000014B6000-memory.dmp

    Filesize

    728KB

    Download

  • memory/4116-326-0x0000000001200000-0x00000000012B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/4116-325-0x0000000000400000-0x0000000000C14000-memory.dmp

    Filesize

    8.1MB

    Download

  • memory/4116-329-0x00000000014C0000-0x000000000159D000-memory.dmp

    Filesize

    884KB

    Download

  • memory/4116-237-0x0000000001400000-0x00000000014B6000-memory.dmp

    Filesize

    728KB

    Download

  • memory/4116-374-0x0000000000400000-0x0000000000C14000-memory.dmp

    Filesize

    8.1MB

    Download

  • memory/4116-239-0x00000000014C0000-0x000000000159D000-memory.dmp

    Filesize

    884KB

    Download