neshta | 5d5bb2ad4bbb98e74dc68cb02e46d82c0a44996434fdad66b0cfcf500bed786f

Analysis

max time kernel
93s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
Size

740KB
MD5

7af578439c23caca854aa5a5519c1a30
SHA1

d3af78f2885ecc390cc74fd4e63b8abae9644772
SHA256

5d5bb2ad4bbb98e74dc68cb02e46d82c0a44996434fdad66b0cfcf500bed786f
SHA512

8d97215f7bd107bdba9d1444048573a96855b479a9b2b05cd776c463b593aa722e2c90d94c889b0cf34fbabc04b1475e42bd6fdb4c0073cd23ec0bc5a71ef145
SSDEEP

12288:qUc6SBLLTSEgBAnhc1kG1PaGLX/0lIxDa+Y2:b2BLHSn6q1vPaGLX/QIxDaU

Score

10^/10

neshta ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Detect Neshta payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0006000000020253-33.dat	family_neshta
behavioral2/memory/5032-114-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5032-115-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5032-117-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe

Executes dropped EXE 3 IoCs

pid	Process
3420	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
2912	JaffaCakes118_7af578439c23caca854aa5a5519c1a30Srv.exe
1244	DesktopLayer.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023ca1-4.dat	upx
behavioral2/memory/3420-12-0x0000000000400000-0x000000000050E000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-15.dat	upx
behavioral2/memory/2912-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/2912-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1244-27-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1244-26-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/3420-29-0x0000000000400000-0x000000000050E000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30Srv.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\DESKTO~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30Srv.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4712	3420	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7af578439c23caca854aa5a5519c1a30Srv.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2710140813"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2704828380"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31153871"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31153871"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31153871"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442777324"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CCD6034A-CAC2-11EF-91C3-468C69F2ED48} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2704828380"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1244	DesktopLayer.exe
1244	DesktopLayer.exe
1244	DesktopLayer.exe
1244	DesktopLayer.exe
1244	DesktopLayer.exe
1244	DesktopLayer.exe
1244	DesktopLayer.exe
1244	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4860	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4860	iexplore.exe
4860	iexplore.exe
772	IEXPLORE.EXE
772	IEXPLORE.EXE
772	IEXPLORE.EXE
772	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 3420	5032	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe	83
PID 5032 wrote to memory of 3420	5032	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe	83
PID 5032 wrote to memory of 3420	5032	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe	83
PID 3420 wrote to memory of 2912	3420	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe	84
PID 3420 wrote to memory of 2912	3420	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe	84
PID 3420 wrote to memory of 2912	3420	JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe	84
PID 2912 wrote to memory of 1244	2912	JaffaCakes118_7af578439c23caca854aa5a5519c1a30Srv.exe	86
PID 2912 wrote to memory of 1244	2912	JaffaCakes118_7af578439c23caca854aa5a5519c1a30Srv.exe	86
PID 2912 wrote to memory of 1244	2912	JaffaCakes118_7af578439c23caca854aa5a5519c1a30Srv.exe	86
PID 1244 wrote to memory of 4860	1244	DesktopLayer.exe	87
PID 1244 wrote to memory of 4860	1244	DesktopLayer.exe	87
PID 4860 wrote to memory of 772	4860	iexplore.exe	90
PID 4860 wrote to memory of 772	4860	iexplore.exe	90
PID 4860 wrote to memory of 772	4860	iexplore.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_7af578439c23caca854aa5a5519c1a30Srv.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_7af578439c23caca854aa5a5519c1a30Srv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1244
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4860
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4860 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 548
    3⤵
    - Program crash
    PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3420 -ip 3420
1⤵
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
a242c16707ddb2e8d8cdc25c90105a56

SHA1
9b89a87ca70fd62da5d616640802babc7edf8f6e

SHA256
cc4f0c341edb160871fc365d7d6c69d4ad8aba356a3ed1c4b7edbe938a318d73

SHA512
40664796a563b766485552f7f4c5084c185ada5bc25556d155041443ad6257a396692fcb667d0ab69e3f666aa2940d7f28e39eaded9762240a24ed40d7ec0291

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
234d12ee732f9bf6c0d6efa56039569e

SHA1
db04b6d7ed62bbd2e3f6e2455a032a01f1f945e0

SHA256
eab48d13cc986c34f627967190e5cb43be7e23b8d709747aae6363a9374fe51e

SHA512
8b160c8712f5801b8a35d92209a8ff3dabb853089855d284fe3123274d9a4bc54f727b0b6223629719fb4e4950039b6fb6c482ec1e801e7fc3751bee9adbbfeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_7af578439c23caca854aa5a5519c1a30.exe

Filesize
699KB

MD5
4c586576edfde173d60c344d8ea45642

SHA1
86fd9c94839ccb7ae2b9192635cc9851b3c9ec84

SHA256
f3cabf8053c0d51be2309b06164c37cf4e6eb70f19f82b05e41514deff1b5e7e

SHA512
6281e009239fe7a321b9eb17975b885c158761dbcbeeee5065c55592dbd1c3d27a001d262e62bcfcb312f27d4dbff39b2287b7268b96fc09dcbe1b41ab11c84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_7af578439c23caca854aa5a5519c1a30Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1244-25-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1244-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1244-26-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2912-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2912-18-0x0000000000440000-0x000000000044F000-memory.dmp

Filesize
60KB

Download
memory/2912-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3420-29-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3420-12-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/5032-114-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5032-115-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5032-117-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download