Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-12-2024 22:29

General

  • Target

    cf5a4bee46486ec885a34bcc9ef5092e_JaffaCakes118.exe

  • Size

    282KB

  • MD5

    cf5a4bee46486ec885a34bcc9ef5092e

  • SHA1

    c77dce44f41d6310ecdb41054e7c20b8c0aec4b0

  • SHA256

    5df5cd54d3d5adf1791a570d7c4436f2f4ef98c0dd08f36b2c08088fdda21734

  • SHA512

    7190e34cdbe25e8373bd62d7409ea1a109e7ea71335fb041e8b309a8b50932c0d165a874d26be53e9424e64c673f2e4a9cf05d3400c2d1f7e3f99718a644a1a1

  • SSDEEP

    6144:byH7xOc6H5c6HcT66vlmrX5ZQIRvRLfUePSeqpFyH7xOc6H5c6HcT66vlmrl8uyF:baA5ZvRvRIePSHaQBePSO

Malware Config

Signatures

  • Neshta

    Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

  • Neshta family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf5a4bee46486ec885a34bcc9ef5092e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cf5a4bee46486ec885a34bcc9ef5092e_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\cf5a4bee46486ec885a34bcc9ef5092e_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Users\Admin\AppData\Local\Temp\cf5a4bee46486ec885a34bcc9ef5092e_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\cf5a4bee46486ec885a34bcc9ef5092e_JaffaCakes118.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2068
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:1740

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\cf5a4bee46486ec885a34bcc9ef5092e_JaffaCakes118.exe

    Filesize

    206KB

    MD5

    03f4faf62b95458458bf7f9f99853fbf

    SHA1

    1586238cd2d8cfb8ead9d6009f0164f3dcb43480

    SHA256

    8859a64eec279742403efaa0adfc0580d97b616ad05c9eaa139a78e4824901a8

    SHA512

    d8f179d8b414feb16333642bd5b9b056d0357cf4ee720c8735b0b06fe7e51d8632329b32f777052f70a77735a57631472dc2bb434b67e57c141b989cb69060d4

  • C:\Users\Admin\AppData\Local\Temp\cf5a4bee46486ec885a34bcc9ef5092e_JaffaCakes118.exe

    Filesize

    247KB

    MD5

    9810b10c26fab0862560c713bf9cd760

    SHA1

    7308d32abe1db1bbc5c5fd509f87e7ec9907981a

    SHA256

    3d61ab5be27b57aef627faf3205c39a59dfac49ae31120ddc1c2cdaecc3bd75e

    SHA512

    29d3d629a0758f85eb84422ee901647f21dcdafc3d98b854425f78ce5a3c589a1c271b3bc6f94585c39642b6d453c1a8fc5cc44ef898a4ca75574607e9844b22

  • C:\Windows\svchost.com

    Filesize

    40KB

    MD5

    e670f44a849dbb9aed35fca3199748ac

    SHA1

    15c28fdff201678ade6d03e410671b6a44a95a1e

    SHA256

    fdef4676d98ac1b29431af4f843a9dd5268f4bc539acff19a232cfba409eef19

    SHA512

    d76817fe47ab062dbdcaf34b393ba8c30f351eaafd32497a29fbaf4f2a2cd602417a2bd986f475a3cffdebead2ffa4466ac4ad2de23525d693d73091330500d9

  • C:\Windows\svchost.exe

    Filesize

    35KB

    MD5

    9e3c13b6556d5636b745d3e466d47467

    SHA1

    2ac1c19e268c49bc508f83fe3d20f495deb3e538

    SHA256

    20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

    SHA512

    5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

  • memory/1740-105-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/1740-113-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/1740-116-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/2068-104-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2068-106-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2068-109-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2380-10-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/2884-3-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB