Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-01-2025 08:05

General

  • Target

    JaffaCakes118_63b273a1313b10097263f35529e8cd20.exe

  • Size

    1.3MB

  • MD5

    63b273a1313b10097263f35529e8cd20

  • SHA1

    3c818ee060befe46d05f8f7b52b8db89d9136e0a

  • SHA256

    678674141b451bcdaf2a310c051222da0dc89fc6702d823e1cda52af4ef9cfd7

  • SHA512

    0090335d5d1fff651beed959039a8ca0ea5dcde509522b159561fc23dd65330d1fa63959748981177a7d1088eca4deb8e8cae202c176b59b51c58a1c6480784d

  • SSDEEP

    24576:oi/7tC5GPql69nfWRGKENMuOhJecdubAXc/C0yDkWDzW5/TP8lA9Lp9LF:V/7Y5aUGKSCUcUbAMB69Dq5/nL7LF

Malware Config

Signatures

  • Detect Neshta payload 4 IoCs
  • Neshta

    Neshta is a file infector: it writes its own body into other executables it can find, so every infected program carries and spreads the infection and the original file is damaged. When an infected file runs, the infector code executes first, drops the original program into a temporary directory (the 3582-490 folder under the user's Temp directory in the process tree below) and launches it from there so the host still appears to work normally.

  • Neshta family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, and is sometimes used as a sandboxing environment.

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
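
The two persistence signatures above, "Modifies system executable filetype association" and "Adds Run key to start application", together with the 3582-490 staging directory visible in the process tree, are the indicators worth checking on any host suspected of carrying this infector. The Python below is an added example and is not part of this report or of the sandbox's own signature code. It parses a regedit .reg export offline and flags an exefile open command that deviates from the Windows default `"%1" %*`, Run entries that launch from the user's Temp directory, and dropped-file paths under `\Temp\3582-490\`. The registry export, and the loader.exe and updater.exe paths in it, are constructed sample data rather than values taken from this run; the Temp-path heuristic for Run entries is an assumption of the example, not a finding of the report.

```python
"""Offline triage of a regedit (.reg) export and a dropped-file list for the
indicators listed in the report: hijacked exefile association, Run-key
persistence, and the %TEMP%\\3582-490 staging directory.
Added example; the .reg sample below is constructed, not from the sandbox run."""
import re

# Windows default data for HKEY_CLASSES_ROOT\exefile\shell\open\command.
CLEAN_EXEFILE_COMMAND = '"%1" %*'
# The process tree in the report shows the dropped copy of the host program
# being executed from this directory under the user's Temp folder.
NESHTA_STAGING_RE = re.compile(r"\\Temp\\3582-490\\", re.IGNORECASE)
# Heuristic (assumption, not a report finding): Run entries launching from Temp.
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# A .reg value line: either @=... (default value) or "name"=...
VALUE_LINE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (backslash before a backslash or a quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.
    '@' is the key's default value; non-string data is kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_LINE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_registry_indicators(reg):
    """Return (indicator, location, data) tuples for the two persistence signatures."""
    findings = []
    for key, values in reg.items():
        if key.lower().endswith(r"\exefile\shell\open\command"):
            default = values.get("@", "")
            if default != CLEAN_EXEFILE_COMMAND:
                findings.append(("exefile_association_hijack", key, default))
        if RUN_KEY_RE.search(key):
            for name, data in values.items():
                if TEMP_PATH_RE.search(data):
                    findings.append(("run_key_from_temp", key + "\\" + name, data))
    return findings


def find_dropped_file_indicators(paths):
    """Flag dropped files written to the 3582-490 staging directory."""
    return [("neshta_staging_dir", p, "") for p in paths if NESHTA_STAGING_RE.search(p)]


# Constructed sample export (not from the report); loader.exe and updater.exe
# are placeholder names used only to exercise the checks.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Windows\\loader.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\Admin\\AppData\\Local\\Temp\\updater.exe"
'''

# Dropped-file paths as listed in the report's Downloads section.
REPORT_DROPPED_FILES = [
    r"C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE",
    r"C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_63b273a1313b10097263f35529e8cd20.exe",
    r"C:\Users\Admin\AppData\Local\Temp\utt7CD1.tmp.new",
    r"C:\Users\Admin\AppData\Roaming\uTorrent\settings.dat.old",
]

if __name__ == "__main__":
    hits = find_registry_indicators(parse_reg_export(SAMPLE_REG))
    hits += find_dropped_file_indicators(REPORT_DROPPED_FILES)
    for indicator, location, data in hits:
        print(indicator, location, data)
```

On a live host the same checks can be fed from `reg export HKCR\exefile\shell\open\command out.reg` and `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; the exefile default should read exactly `"%1" %*`, and any extra program in front of it means every .exe launch is being routed through that program.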

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63b273a1313b10097263f35529e8cd20.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63b273a1313b10097263f35529e8cd20.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3276
    • C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_63b273a1313b10097263f35529e8cd20.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_63b273a1313b10097263f35529e8cd20.exe"
      2⤵
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4396
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 3532
        3⤵
        • Program crash
        PID:2116
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2520
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4396 -ip 4396
    1⤵
      PID:1804

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

      Filesize

      86KB

      MD5

      3b73078a714bf61d1c19ebc3afc0e454

      SHA1

      9abeabd74613a2f533e2244c9ee6f967188e4e7e

      SHA256

      ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

      SHA512

      75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

    • C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_63b273a1313b10097263f35529e8cd20.exe

      Filesize

      1.3MB

      MD5

      0d64dffe07413bd446ee18afd410fde4

      SHA1

      7dc045b4f5ab145e20cd78eed06660b728530081

      SHA256

      1358d110f059d8eb133d2574976ed81fe654a24b514bc6f7e42509b560f7a3bc

      SHA512

      8c529df34901b75b5b40759fabd32bd2dede9d27ad9c096006ed611308035956f2096acf7d637c2c6b4216e7709e33d686cc102b9d6c7bc87189ecb858510f35

    • C:\Users\Admin\AppData\Local\Temp\utt7CD1.tmp.new

      Filesize

      2KB

      MD5

      9014fd63b207e03dce7f14dda95ba4e8

      SHA1

      78ea2798354be99f74f8e6d2851af68046231306

      SHA256

      4b7d4e373adac532629e68f66698af7f6d11e8a85eb33696aebdaa42621aba44

      SHA512

      cdbb8d0ff24fd61c4c0d8efa3f6e480b81163709c80d9e949240a4b4550718cc6d24d37505d7c4a96cac3b13209f3f441b5c03fc2665fdc4ab4bfe56f275f595

    • C:\Users\Admin\AppData\Roaming\uTorrent\apps\player.btapp

      Filesize

      243B

      MD5

      50b75bd976152b0f4e0a4a4fdc039194

      SHA1

      415d89c9357da8376c323546c90a36b14b969dce

      SHA256

      18a66d4e3eb851c9a9f2c87ccc3b2c0ea26f887b85398e40e56d3e05fa96e93d

      SHA512

      a26cf1a946efbceff065d685204a4a86101275d7dbe110d97cc34ec3434c0c83029efc59264f539a01bf07ef7e1263ff13fac07d7e8a3f5758ea99c12717458c

    • C:\Users\Admin\AppData\Roaming\uTorrent\apps\plus.btapp

      Filesize

      768B

      MD5

      f9bcb8c14295ef3b2f00d899cd498265

      SHA1

      cac8128c852287d27c517ba1fac61af7d9c97113

      SHA256

      577a752fc88a37f310d0465619e998b21c83dc0e3fee6c1045bfcef719309286

      SHA512

      542245ba7dc96ac59c626b772133354237e6db086c5d6cbe7cf0193eaca0f253f12885e0b7a2a5a5a6f35aafa7c277da331d7b4083e6c703a5d461885a603cc8

    • C:\Users\Admin\AppData\Roaming\uTorrent\apps\welcome-upsell.btapp

      Filesize

      243B

      MD5

      c56b1a1bb7f7f600009d26fb0f9b2b0b

      SHA1

      33a2ca0554e087026caf836dd35d06a72af2f34d

      SHA256

      933fa82b67aee0e742bba0fd18523a4297b749d51abf533a7206ddee79e2a191

      SHA512

      22b50299116e60478b93a4cafdbc6cde0ef1df0191c07d97c8c8863916ebd4a08a5ce160993c4cb20f2e3384b88ad4b03e8d5a11a0dab6953929b0ec6a5580a3

    • C:\Users\Admin\AppData\Roaming\uTorrent\settings.dat.old

      Filesize

      7KB

      MD5

      1d827e90ca467bac1f8d396c9cad4524

      SHA1

      6af5aef9889b0170f426f8e839b070934bbf885c

      SHA256

      2cd1bd42c5228c30b19da2a568b24c09e9a493502ebfe19b5638123664346ac7

      SHA512

      40c085ac29773449047ce94361b7fbc0786816a6e9f9676e1a920f5c61c161fafce9c39fdf6af183cad035dfc50b17e193c835aa3129ba66e769becbb1e28a6d

    • C:\Users\Admin\AppData\Roaming\uTorrent\toolbar.benc.new

      Filesize

      36KB

      MD5

      5ddf9910d6e31eabfd226f707473b1db

      SHA1

      1e554e6ef9798a2730c32f43a66496151de06f88

      SHA256

      0e1406ecbba795f90c8dd80a3e24350a01c8934309b560c13414404b9a8551d7

      SHA512

      7a7d2ec4103c6c8788ea931ef32729f3507f455637e1e3bd86bacddc822de5dda93f130632da5d25a02d9032a1b40f9ef000092f618d4397b18d19a2f2601c10

    • memory/3276-129-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/3276-132-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/3276-126-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/4396-130-0x0000000000400000-0x000000000075B000-memory.dmp

      Filesize

      3.4MB

    • memory/4396-133-0x0000000000400000-0x000000000075B000-memory.dmp

      Filesize

      3.4MB

    • memory/4396-128-0x0000000000400000-0x000000000075B000-memory.dmp

      Filesize

      3.4MB

    • memory/4396-145-0x0000000000400000-0x000000000075B000-memory.dmp

      Filesize

      3.4MB

    • memory/4396-127-0x0000000000400000-0x000000000075B000-memory.dmp

      Filesize

      3.4MB

    • memory/4396-12-0x0000000000400000-0x000000000075B000-memory.dmp

      Filesize

      3.4MB

    • memory/4396-196-0x0000000000400000-0x000000000075B000-memory.dmp

      Filesize

      3.4MB