Overview

overview

10

Static

static

3

9b2d426bc5...18.exe

windows7-x64

10

9b2d426bc5...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    25/11/2024, 11:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    9b2d426bc57f9b99a0d4f9af9afd0f8c_JaffaCakes118.exe

  • Size

    304KB

  • MD5

    9b2d426bc57f9b99a0d4f9af9afd0f8c

  • SHA1

    5f9704a27425919e908c18a1e291329bc6c0260d

  • SHA256

    dfd047ceb85a0a2f9fd534c2a92e46c445f13c1ff070c3bac2e7f895c6c2e46e

  • SHA512

    4e34f5e65a9a6a5667e416dae40bc94e8e4d6a0157d50597687999ebeb69f0d6810e8423909d36da3cb08e903275f3569b665553c0ce0b3be1dc8e3029730dd2

  • SSDEEP

    6144:PuVY71GIAKyRWTL6PeULRjRL6ewhNhJDt2DG/LTwbc8:H1wBWTaZRjRuLhJJUGjTad

Score
10/10
neshtadiscoverypersistencespywarestealer

Malware Config

Signatures

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1100
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1152
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1176
          • C:\Users\Admin\AppData\Local\Temp\9b2d426bc57f9b99a0d4f9af9afd0f8c_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\9b2d426bc57f9b99a0d4f9af9afd0f8c_JaffaCakes118.exe"
            2⤵
            • Loads dropped DLL
            • Modifies system executable filetype association
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2420
            • C:\Users\Admin\AppData\Local\Temp\3582-490\9b2d426bc57f9b99a0d4f9af9afd0f8c_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\3582-490\9b2d426bc57f9b99a0d4f9af9afd0f8c_JaffaCakes118.exe"
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:868
              • C:\Users\Admin\AppData\Roaming\Evuxa\suop.exe
                "C:\Users\Admin\AppData\Roaming\Evuxa\suop.exe"
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:3004
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp570d2136.bat"
                4⤵
                • System Location Discovery: System Language Discovery
                PID:2848
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1264
          • C:\Program Files\Windows Mail\WinMail.exe
            "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
            1⤵
            • NTFS ADS
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:1532
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
            1⤵
              PID:2752
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
              1⤵
                PID:2688
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                1⤵
                  PID:2520

                Network

                MITRE ATT&CK Enterprise v15

                Reconnaissance

                Resource Development

                Initial Access

                Execution

                Persistence

                Boot or Logon Autostart Execution

                1
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Event Triggered Execution

                1
                T1546

                Change Default File Association

                1
                T1546.001

                Privilege Escalation

                Boot or Logon Autostart Execution

                1
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Event Triggered Execution

                1
                T1546

                Change Default File Association

                1
                T1546.001

                Defense Evasion

                Modify Registry

                3
                T1112

                Credential Access

                Credentials from Password Stores

                1
                T1555

                Credentials from Web Browsers

                1
                T1555.003

                Unsecured Credentials

                2
                T1552

                Credentials In Files

                1
                T1552.001

                Credentials in Registry

                1
                T1552.002

                Discovery

                Query Registry

                1
                T1012

                System Information Discovery

                1
                T1082

                System Location Discovery

                1
                T1614

                System Language Discovery

                1
                T1614.001

                Lateral Movement

                Collection

                Data from Local System

                2
                T1005

                Command and Control

                Exfiltration

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
                  Filesize

                  859KB

                  MD5

                  754309b7b83050a50768236ee966224f

                  SHA1

                  10ed7efc2e594417ddeb00a42deb8fd9f804ed53

                  SHA256

                  acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

                  SHA512

                  e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log
                  Filesize

                  2.0MB

                  MD5

                  511f33be7390f997b24aac42a71a8a8e

                  SHA1

                  5fac8f755b0fea80e1b41b9284a34621c94672d3

                  SHA256

                  6336e20f8793cbd99181f81d1c70ba9ceefc73a95e2b220c9b62f38ffc303496

                  SHA512

                  77f993ed8a3c603149f73bdc8c196943f6e12c0c8502fdb2f63506b8c8b33dd529ddb2351288828d9929e521b63cde5da0b001f7b386258c432fa387fef345a6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmp570d2136.bat
                  Filesize

                  289B

                  MD5

                  179304b039294b3507a77bb8b4fc6c86

                  SHA1

                  4498ed7455ecf2d89a9ffb486e1a297037007941

                  SHA256

                  411c698552c0b606fe63c0390da27c2c48e2c6282e8dcf589fc7282f13a6f672

                  SHA512

                  bd5d8f405abd8bbd08df7465495687d03e24904fb087c718dfa313b89f9eac97a53ec2eeb003629e8b4e6f89f5efe8d6d3c546e13d9e9aa2708d2b274ba2df97

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Oqmu\ywev.nyt
                  Filesize

                  4KB

                  MD5

                  8a8ec85e5fd5cfecc23645549595aa68

                  SHA1

                  7540354802ac40adc19bb83d7a6a3d1319ba1ece

                  SHA256

                  1958189113263765b0cc4f3abbb799a795a2a6c9444043a2ec99e3059e3b6902

                  SHA512

                  37603fecdad2f64de2e67c24f5ddc958a81da58d53363085bbe57e0c3b66145096b0d419124ff3428371d0c39d33e79d4d54e3b41d08f7ee71c9db938cf8dd1e

                  Download Submit

                • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
                  Filesize

                  252KB

                  MD5

                  9e2b9928c89a9d0da1d3e8f4bd96afa7

                  SHA1

                  ec66cda99f44b62470c6930e5afda061579cde35

                  SHA256

                  8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

                  SHA512

                  2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\3582-490\9b2d426bc57f9b99a0d4f9af9afd0f8c_JaffaCakes118.exe
                  Filesize

                  264KB

                  MD5

                  3dadd43c2e923846c1711033d11c0aaf

                  SHA1

                  c68d8ebaeb481d0bd5f42fec95565c8deb61ccfd

                  SHA256

                  29804382216ebb8a432b69b49ffd174f3ea9fd754f3a6babc2ae48edf47bd20d

                  SHA512

                  3dd200650b056e4f5caac8f9c3889e3e95fb03d181c8c480f451e7b58430f9dcf7c4bddce1a9e31df5684d2ecc827af79e6cb4307dd7ae9ed713307332140265

                  Download Submit

                • \Users\Admin\AppData\Roaming\Evuxa\suop.exe
                  Filesize

                  264KB

                  MD5

                  588097a0f8b7d49f355c09b6f675226d

                  SHA1

                  3a6be6defd400da0315c9ae15d33fdad535c1c77

                  SHA256

                  a82bab67d4139967eadb4926c6c741bf487629b985625d46b9ae921dd7a25f35

                  SHA512

                  ca91cc3e129b348a8ed3e311d32d7d8f5fa8e4218a6de52b8846bb4b8680e14d5a024aa6de2848b573efe7943b80c3a1a529ed29217eba428729510a5a78fe18

                  Download Submit

                • memory/868-18-0x0000000000340000-0x0000000000341000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/868-23-0x0000000000400000-0x0000000000443000-memory.dmp

                  Filesize

                  268KB

                  Download

                • memory/868-20-0x0000000000340000-0x0000000000341000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/868-465-0x0000000000400000-0x0000000000443000-memory.dmp

                  Filesize

                  268KB

                  Download

                • memory/868-780-0x0000000000400000-0x0000000000443000-memory.dmp

                  Filesize

                  268KB

                  Download

                • memory/868-17-0x0000000000400000-0x0000000000443000-memory.dmp

                  Filesize

                  268KB

                  Download

                • memory/868-16-0x0000000000400000-0x0000000000443000-memory.dmp

                  Filesize

                  268KB

                  Download

                • memory/868-15-0x0000000000427000-0x0000000000428000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1100-115-0x0000000000220000-0x0000000000259000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/1100-119-0x0000000000220000-0x0000000000259000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/1100-117-0x0000000000220000-0x0000000000259000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/1100-113-0x0000000000220000-0x0000000000259000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/1100-111-0x0000000000220000-0x0000000000259000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/1152-130-0x00000000021C0000-0x00000000021F9000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/1152-125-0x00000000021C0000-0x00000000021F9000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/1152-127-0x00000000021C0000-0x00000000021F9000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/1152-123-0x00000000021C0000-0x00000000021F9000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/1176-137-0x0000000002480000-0x00000000024B9000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/1176-133-0x0000000002480000-0x00000000024B9000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/1176-139-0x0000000002480000-0x00000000024B9000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/1176-135-0x0000000002480000-0x00000000024B9000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/1264-143-0x0000000001E50000-0x0000000001E89000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/1264-149-0x0000000001E50000-0x0000000001E89000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/1264-145-0x0000000001E50000-0x0000000001E89000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/1264-147-0x0000000001E50000-0x0000000001E89000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/2420-155-0x0000000002500000-0x0000000002539000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/2420-153-0x0000000002500000-0x0000000002539000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/2420-166-0x0000000000240000-0x0000000000241000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2420-164-0x0000000000240000-0x0000000000241000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2420-157-0x0000000002500000-0x0000000002539000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/2420-159-0x0000000002500000-0x0000000002539000-memory.dmp

                  Filesize

                  228KB

                  Download

                • memory/2420-161-0x0000000002500000-0x0000000002539000-memory.dmp

                  Filesize

                  228KB

                  Download