neshta | fa04330d160ca5c7c72acbd25728e57bdfc434ca4e3b543b73542e3ea8ddd604

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a16a1326190655f327850b89d59080d9_JaffaCakes118.exe
Size

324KB
MD5

a16a1326190655f327850b89d59080d9
SHA1

d47bc9d82053e69cd125b6209d206230ed4a4e4c
SHA256

fa04330d160ca5c7c72acbd25728e57bdfc434ca4e3b543b73542e3ea8ddd604
SHA512

77c17a2ccb8507dd12f04c77174437dd83b6de5e5408c9ded2bbdfd1b1317a03c2b8211bceff7e234d9113753b2442c050ed59b924727c293dbfc2e6ecfc543a
SSDEEP

6144:7jktq8QVV/Bi84xKmiuBzSyYPXetqEaq7HgbAqM0ZNvfzDVlGLF:7MsVV/BB4xKmKPuIEakHgbAYNjiL

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 34 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120ff-12.dat	family_neshta
behavioral1/files/0x0007000000017546-30.dat	family_neshta
behavioral1/files/0x005e000000010323-32.dat	family_neshta
behavioral1/files/0x0001000000010314-35.dat	family_neshta
behavioral1/files/0x0001000000010312-34.dat	family_neshta
behavioral1/files/0x0013000000010321-33.dat	family_neshta
behavioral1/memory/1804-39-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000100000000f7d7-42.dat	family_neshta
behavioral1/files/0x000100000000f7e5-46.dat	family_neshta
behavioral1/files/0x0001000000010c12-62.dat	family_neshta
behavioral1/files/0x0001000000010f30-66.dat	family_neshta
behavioral1/files/0x00010000000118e3-71.dat	family_neshta
behavioral1/files/0x0001000000011876-70.dat	family_neshta
behavioral1/files/0x00010000000118ea-73.dat	family_neshta
behavioral1/files/0x00010000000103d4-78.dat	family_neshta
behavioral1/files/0x0003000000012143-85.dat	family_neshta
behavioral1/files/0x000300000001213f-87.dat	family_neshta
behavioral1/files/0x0003000000012144-92.dat	family_neshta
behavioral1/files/0x0001000000010f4d-124.dat	family_neshta
behavioral1/files/0x0001000000010f95-127.dat	family_neshta
behavioral1/files/0x00010000000118f7-128.dat	family_neshta
behavioral1/files/0x0001000000011b1f-140.dat	family_neshta
behavioral1/files/0x0001000000011b5a-145.dat	family_neshta
behavioral1/files/0x0001000000011288-148.dat	family_neshta
behavioral1/files/0x000b000000005986-163.dat	family_neshta
behavioral1/files/0x000d0000000056d4-175.dat	family_neshta
behavioral1/files/0x000400000000571f-174.dat	family_neshta
behavioral1/files/0x000300000000e6f5-173.dat	family_neshta
behavioral1/files/0x0003000000005ab6-172.dat	family_neshta
behavioral1/files/0x00050000000055e4-170.dat	family_neshta
behavioral1/memory/2792-177-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2796-178-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2792-183-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2796-180-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 3 IoCs

pid	Process
2796	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
2792	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
1804	svchost.com

Loads dropped DLL 7 IoCs

pid	Process
2096	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe
2096	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe
2096	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe
2096	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe
2792	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
2796	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
2792	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\Windows\svchost.com	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2792	2096	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2792	2096	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2792	2096	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2792	2096	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2796	2096	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2796	2096	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2796	2096	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2796	2096	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe	31
PID 2792 wrote to memory of 1804	2792	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe	32
PID 2792 wrote to memory of 1804	2792	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe	32
PID 2792 wrote to memory of 1804	2792	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe	32
PID 2792 wrote to memory of 1804	2792	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe	32

C:\Users\Admin\AppData\Local\Temp\a16a1326190655f327850b89d59080d9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a16a1326190655f327850b89d59080d9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
  "C:\Users\Admin\AppData\Local\Temp\Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1804
- C:\Users\Admin\AppData\Local\Temp\Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
  "C:\Users\Admin\AppData\Local\Temp\Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

Filesize
354KB

MD5
c7021f05bd12860e1d3350f0a444f99a

SHA1
747241c3429076691338dceb1672080829b662e7

SHA256
db106d65f64f3cff8d79fba4b7aff6436ed8d4972bae7a7be19d4b6fbc5db92a

SHA512
de937f0c8e8ad97aa3528314f0cc1406808a5b3ef9f0b32cb7554adb1e0a15ca1e6ec7cd40bfeea9772cb87bb9716b4cc8d9cdf94a0dd696dcc3648f5795afa0

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

Filesize
137KB

MD5
e1833678885f02b5e3cf1b3953456557

SHA1
c197e763500002bc76a8d503933f1f6082a8507a

SHA256
bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14

SHA512
fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
157KB

MD5
a24fbb149eddf7a0fe981bd06a4c5051

SHA1
fce5bb381a0c449efad3d01bbd02c78743c45093

SHA256
5d13230eae7cd9b4869145c3280f7208788a8e68c9930a5c9aa3e822684a963d

SHA512
1c73b762c340a8d7ea580985ba034a404c859d814690390a6e0b6786575c219db9ca20880ea20313bb244560e36cf24e4dda90229b3084d770495f4ceedfd5de

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE

Filesize
503KB

MD5
3f67da7e800cd5b4af2283a9d74d2808

SHA1
f9288d052b20a9f4527e5a0f87f4249f5e4440f7

SHA256
31c10320edb2de22f37faee36611558db83b78a9c3c71ea0ed13c8dce25bf711

SHA512
6a40f4629ddae102d8737e921328e95717274cea16eb5f23bff6a6627c6047d7f27e7f6eb5cb52f53152e326e53b6ee44d9a9ee8eca7534a2f62fa457ac3d4e3

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE

Filesize
153KB

MD5
12a5d7cade13ae01baddf73609f8fbe9

SHA1
34e425f4a21db8d7902a78107d29aec1bde41e06

SHA256
94e8ea2ed536484492d746f6f5808192cb81ae3c35f55d60826a2db64a254dd5

SHA512
a240f5c59226749792cfb9fbd76b086d2544a493b834a72c0bfd8b076ed753ec8876ff056fc35f63f5497183d985f8f8c5c7b6abbcad70981f1ec83af1b3bd76

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe

Filesize
579KB

MD5
693ed385cb9c7d902c9aa4271d345d7e

SHA1
36f512f61342924f3e4ea8d92badfc0e21e7ebe8

SHA256
01e693491511a132443e9aae0b3d8522ff258bb1f47d5d5e9dc0407a24e67eaf

SHA512
f31c5b3b02d698fff2b956850cc0d79bbbf2a083bc82fbd406426eac19a598bb5ebae028aecdaddd7010501237f2422fe4e709be91e18368a78995486cfa5cee

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe

Filesize
205KB

MD5
da31170e6de3cf8bd6cf7346d9ef5235

SHA1
e2c9602f5c7778f9614672884638efd5dd2aee92

SHA256
7737ab500cbbd5d507881d481eef9bd91cf6650bf8d2b41b47b1a8c5f2789858

SHA512
2759d938d6ad963e0bf63481a700f7c503d06011a60bcfc1071b511e38afa87d903deb36f9cbfa0b3fd08f1ecb88d2c0bddf0d3b5f2dea2a0cca1a80471669f3

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE

Filesize
226KB

MD5
61c4eb4385ee3530cb2022fe6fc5bc45

SHA1
551c8baeb6dac4470dbaf68091ad9b864c022e90

SHA256
9cdb825851f24e29737dfa6fd3f8dc1a314956b1224c8a438e614ca8229d1dfe

SHA512
a4a4dd302df0696c43765aec07df39d1dae7e4e9db7fc2e1c4df7cdf4ad88f6026d912d3be323d92e286b6e694cba9d81a50e6f52a037e30803c38d009963c9f

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

Filesize
271KB

MD5
eadb2e7c90f5deabad2e2757622ddadd

SHA1
947a77f92ae3fcbdac42229f69ac5c4dcc3cf74e

SHA256
437dbdb218902cbf3bd4f1d5cfad46e2b0435ba7ae7d9de21d14bdd9206acbd2

SHA512
eecf366b56eb4c9d18cabed5ecf70c7541469537a96540fccc8277c44d94294a9195ced436c51faf70f6c2f51e81367a29032282beab55d2c55db030c92dcc43

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE

Filesize
207KB

MD5
3b0e91f9bb6c1f38f7b058c91300e582

SHA1
6e2e650941b1a96bb0bb19ff26a5d304bb09df5f

SHA256
57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d

SHA512
a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

Filesize
479KB

MD5
02d3c32bc62ebf875e3b7afe8c987678

SHA1
78895bc848f20ea7700fc5559d802c430be1b2bc

SHA256
b7374a93e027f2301bc3b8371ebd9fb1b28130ee987bf812bd3bf681f9d321d9

SHA512
643e6dfcd2bf5d907923574c13f7e8b892ffd71115134d2bf2f8e713020c2ac19ca8070440b6956fe90ef5c5c0d042abe07c4cbd61218bfaf3e14d4b5d402d58

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE

Filesize
184KB

MD5
67a6e518de5b8401669ccf03059f1bac

SHA1
98ccf378e8c7e3ada48c4f6ca52b9293e141ce84

SHA256
c554dfea900392e9eb4a0ab658f76a5a1de1e41bdce80382b5943dd78fc9516f

SHA512
4e7b1922328d1e05e7faf456f61375df081faacca415c5242e12f081dee4d7f03835a9776295c77e7788984188f27ff358d72bc9100dbb250975aaaf2e95777c

Download Submit
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE

Filesize
127KB

MD5
154b891ad580307b09612e413a0e65ac

SHA1
fc900c7853261253b6e9f86335ea8d8ad10c1c60

SHA256
8a3598c889dbcb1dca548a6193517ed7becb74c780003203697a2db22222a483

SHA512
39bf032033b445fc5f450abec298ea3f71cadecfeafc624f2eb1f9a1d343a272181a874b46b58bb18168f2f14d498c3b917c3392d4c724fe4e5ae749113c2ad6

Download Submit
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE

Filesize
308KB

MD5
4545e2b5fa4062259d5ddd56ecbbd386

SHA1
c021dc8488a73bd364cb98758559fe7ba1337263

SHA256
318f1f3fbdd1cf17c176cb68b4bc2cf899338186161a16a1adc29426114fb4f8

SHA512
cf07436e0219ca5868e11046f2a497583066a9cf68262e7cca22daad72aded665ac66afea8db76182c172041c45fcef1628ea6852751c4bf97969c9af6cfefa1

Download Submit
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE

Filesize
647KB

MD5
f642d1d17c9c11fd36c861ec464ef3bc

SHA1
2bcfbe7d7af87c420949472f1c854be44df9c7ba

SHA256
ef98853ac7877333baf3f8be301402d5f6b894a7f87af7b01f3fca7ef63f6cc3

SHA512
0a7ce3d2a06f759f0fe5c6f611845d4ad255ad51ff5e99ed3c03449273d8c763c81edeeab3e0f3e150192441263d4c7aad232afcc320a52c17bb0c9f336f1bd4

Download Submit
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE

Filesize
1.9MB

MD5
cdbe34fca2872ab1661c141d28ec1b9b

SHA1
340d5005409f662b2f2347b5940e235c9785748c

SHA256
8c1b01b836e1173ecf5072c886d939957871af7031440697df813fa55fcde096

SHA512
765df7c767109647b2c22dfc9dec2b3fdb0dd77ba2de796a04897cfc68b285e19bddddc3d1324558f6ee6a7dfb6cc43a732efc1e323c11d87021db4330510e78

Download Submit
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE

Filesize
1.5MB

MD5
bfe8267cbc145e3230a3fc9430e3de1e

SHA1
505e1723d02274804942dc322f4d45c99a0d1a1c

SHA256
127e2cf254aa60bcc1e2bfc7f963afa92d57e8ea2a2b3d50f4fb5b4b73d089ba

SHA512
5c1680af090e8667e103700015e50de6174c13427f9fa4865d786170bd45b1c2733342bc8cf1e5b23830beaddcb99a21566b957e5cafe9b95fe36d8c5fb3567e

Download Submit
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
536KB

MD5
ad7d4d593001c1be47bc030b94425db2

SHA1
e7a421916f2def227f7d6a516e94def7660b7d8e

SHA256
d092e1ed460777bc23e3bc8acea9911a53c13e3ff5735ce116ae4e793595f8a7

SHA512
2dbb5686a0d67f22b1ff7e9edc8694c6b6d17c0ca0f26ef7a0698a829bfcd94f5b32ededfdc5c1b53851cb30160e2ce40d11615d8a47f71c8f77e64eb8829b53

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
526KB

MD5
cc5020b193486a88f373bedca78e24c8

SHA1
61744a1675ce10ddd196129b49331d517d7da884

SHA256
e87936bb1f0794b7622f8ce5b88e4b57b2358c4e0d0fd87c5cd9fa03b8429e2a

SHA512
bc2c77a25ad9f25ac19d8216dafc5417513cb57b9984237a5589a0bb684fdac4540695fcfb0df150556823b191014c96b002e4234a779bd064d36166afeb09d2

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
674KB

MD5
97510a7d9bf0811a6ea89fad85a9f3f3

SHA1
2ac0c49b66a92789be65580a38ae9798237711db

SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
715KB

MD5
06366e48936df8d5556435c9820e9990

SHA1
0e3ed1da26a0c96f549720684e87352f1b58ef45

SHA256
cd47cce50016890899413b2c3609b3b49cb1b65a4dfcaa34ece5a16d8e8f6612

SHA512
bea7342a6703771cb9b11cd164e9972eb981c33dcfe3e628b139f9e45cf1e24ded1c55fcdfa0697bf48772a3359a9ddd29e4bb33c796c94727afd1c4d5589ea3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
536KB

MD5
37805b5430914afe29a0f8bff298f9ce

SHA1
40f50a314a46b824b49c71599aa022a6e53734cc

SHA256
9fe21c23e316e7868124b9632b665674d69cb1baf063037e3c1268b1522a1990

SHA512
f9f5bb78f12179a93ec012db09a5101682a89d28e9b6c163946e6d9c3b4a3055ea35ec7aa3e1b02bfc43f19e1dfb35a54c2ecec2eec5c28791109a1b099504ef

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe

Filesize
195KB

MD5
3fe4432f457ba9b0b99d6922de2bdbb9

SHA1
31bef418a04a951412f28a9a46202bcc679085e5

SHA256
1906b7b9f548afea19fc38eee37248be4656dbdd8a5fe37f78d9587cbb61e683

SHA512
f9c50a0361482fb4a3a1fca86ee1b72427dc31cd876849e39b3a76f85785c2eb62a18696c384bd81b57681a012f916a9cacba83f740a78b7221c891bb6f893b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
4b544460aedc2015edc180e231fbf8df

SHA1
cb96fa0978a591597932dae6b25be6479eefb687

SHA256
e1fa8ac5f48afadaeebe8a993c90c9fd9bd4cf0a1a2da7a0b436994bb677c21b

SHA512
90d8d1a108f5a183c2e71f6aa79df7e052a24a9b5ba5a387037a11c6161f686b0f86485c477aafaf9a154a82dccd6fce71078c9d0e4e8b156a00cfd3998ad27a

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
e98eaf745be5c638c0273bdf5535c9de

SHA1
aa09f250899b1b56144d2b8fa92d091ae53b3f96

SHA256
9782abec73716aec140bc8df64d014a93f1ffdb2e88a878ce81ffd6adaadd4f2

SHA512
ba9a0eb140ded6561be35ebc987937e587a9b8ad76793d418cc4e4eaa7112a1619b6c8c3e395c352dd688ce905d5410c736e3b39d052c3d50ef8bdf76acd7f4a

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe

Filesize
235KB

MD5
f88cae88bfeb942f5aee73584bc19fe1

SHA1
afba079c5264c9c04fcb6d94b68c1b6b28b38dd7

SHA256
95dcc64cff82520063679011ad47a05ae8067d096737097165259f5eb59e864d

SHA512
02732114c65713b9678103ff6d8400d6c9f075d799c14520a183098eb5043834390d90e48f19521ff8f7b58be33315d72f1712733c93f23d836caad70e30b00b

Download Submit
memory/1804-39-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2096-2-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2096-22-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2792-177-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2792-183-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-178-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-180-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads