neshta | 6405396548d318a96b7d7fd79bc285e57e9fc0ebdf55fec9d9997f2b56631889

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
Size

296KB
MD5

7b6c5729027a5bc368fa07a6867d54be
SHA1

1d4aac5bb183e1c130236db9939d1b842d7de839
SHA256

6405396548d318a96b7d7fd79bc285e57e9fc0ebdf55fec9d9997f2b56631889
SHA512

056527dd7f3d76b27c557594792ee948c2865a43c40de328872290e44146e37cc960966defbce11c033713bf2be01f7bf7b020f5d4a1be0cbb6f19057885bfe8
SSDEEP

1536:JxqjQ+P04wsmJCU4w7T5WomTyjte5YhpsP4NlJBkU4FFhJInB7Nt19em2:sr85CtwhjwyReXPkk5IBRt92

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 6 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-13.dat	family_neshta
behavioral1/memory/2236-474-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2236-529-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2236-530-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2236-531-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2236-533-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 1 IoCs

pid	Process
1740	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe

Loads dropped DLL 3 IoCs

pid	Process
2236	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
2236	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
2236	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80e6475de05edb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000010de124b9823ff5c786cfe61f5e75ae3b001ad33e87a0ca91029a891f15fe27a000000000e800000000200002000000091b9a7ae105d7d926108a26a8bf89f534f447f72d0c05d5ef06a2f55b19535b420000000245e7f0421ec12ecb0923746dda81c4afbbc83b067c69dc8697ad3dd448a945640000000d2affec678a61c84c37f6293017bb47ac738a286cefaed23cb17c036315e137051831a2020413540a0f361c154fc7387252c5abe8ae6f99a770780bb48428f15	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442181402"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{87832DB1-CAD3-11EF-AA78-72B5DC1A84E6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000005981056192a1756663632d6e35ea0b1865f3730c58a89fd0b025f80679153536000000000e8000000002000020000000972a74e657eb4439a446d283365ff3a21d942acc5814e40a14718adfdcfdd1e8900000007f307e4d72642336a9f53d4d8c41f1f4d4309bd65277dd825e8cab651b7449a2d2f04ade2f20dfffd8e391030eabca95e5782cc3d800423ced756663d6bd1df9621b6de5233adecd5e80cb470ff741b40578f225add50de0cb4a9cbfe231e155b2219a0b42fecdfc4c2720ba01a62d04fd110fd0fdeb9f87a5f79f7bd5421a1f74819bd325e4b8ea4c3c011d9d61b51940000000fc2d55115dce2356037bb33b57c114aa3e705e30a288702036d6b0914c05f99480422029be235ece24d8056d64e42d1b865be7bb1391ba1591d093e8e555bce2	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1740	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
276	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
276	iexplore.exe
276	iexplore.exe
2872	IEXPLORE.EXE
2872	IEXPLORE.EXE
2872	IEXPLORE.EXE
2872	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1740	2236	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe	29
PID 2236 wrote to memory of 1740	2236	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe	29
PID 2236 wrote to memory of 1740	2236	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe	29
PID 2236 wrote to memory of 1740	2236	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe	29
PID 1740 wrote to memory of 276	1740	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe	30
PID 1740 wrote to memory of 276	1740	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe	30
PID 1740 wrote to memory of 276	1740	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe	30
PID 1740 wrote to memory of 276	1740	JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe	30
PID 276 wrote to memory of 2872	276	iexplore.exe	31
PID 276 wrote to memory of 2872	276	iexplore.exe	31
PID 276 wrote to memory of 2872	276	iexplore.exe	31
PID 276 wrote to memory of 2872	276	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.iniuria.us/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:276
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:276 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
10df5af7f8ae514801a446a1405f09d4

SHA1
6a9d877edcda5223917ebba9016aab1ed82d4614

SHA256
e14f20ba4e2ed401791d036aad0629caa54e4bc7cff5824e7691045edca53a3a

SHA512
835d8c07812d9deec3df079230040a0cbffb99599a7e24e6f6dc0dbde2676179388ff73ab85e6e40f37c060ad6e4901d08da3323297c681f6fbd39b1a062cdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e475a0105f3fe27b185f8ae29fa91ce1

SHA1
2feebfd454350063a26be2fe43ad55091b083b42

SHA256
e7b437771054ff8e8422a6c9f636450f4dfc1d0b1e42829116ae7b2a05619c7c

SHA512
bcd64638feb9c95ccae80deb701b746f8a0211ecca7f9e39b42f74f36b9a668d3ef11625a21ed7e2d8a9c6a8a99db2e8c52623bb561a10055c7b50c601969e4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5cba90732ed7aa5ef7a78b64c3f93efd

SHA1
30a8615f856634d01e1d85a1bb3d743a1d27a5e5

SHA256
a61887bbf778f573abc6a5c76890d3e86e06878afa5f4c36025fc310ce95ed2f

SHA512
f102feafc063595aaee8a479c3ec0221fac12ed1f83cb5cfc7e92f7d18f2001d27ed62bd2e552397a0d348bb09b179555898ba6af442a40e629bd80fbc00415f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3093affdcb4525172ec05985f072f34

SHA1
7a974a539b4f3eee5b1527adfe7171323157025d

SHA256
c0ab98045c60c06f3eac4be64990b395a906a6a0ac58e53089f646f8b1164cfe

SHA512
0b86840d36b0a514b89c70902b9de63f4ed06bd7d70490dd91f18becbb935233df17fbf6d982ae3cd311497a7417609f1c363ef453187dd55fc8fcee31a77068

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e1053aa18626b91613f81dc11d25ea4

SHA1
f8f79fa858d0864f2a8cdf5bcc84af912e15e50a

SHA256
286765ae045688b28ac7d297959483a7a8ec1ae3c9617a15b2284178bba221a5

SHA512
b5a5694010770ae3a22d7f8ce3cf5a3df2abc50574d1129792243e9b4871ee391873e1fb198a5afefc892b18e7157731145d6b275d0519a88915e5a92f3ae43c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1753e9af934d817d3abb86a207dab64

SHA1
91f4479c93a84cf37e7fc61110d8d340e444d4b5

SHA256
94548e9695d5715a2bbca321547b23b4bd693303c509dffaddb0d84b8da2232d

SHA512
bab6b908763878218593b2f463c9389ecadf30a2aadcdbbe551deeac069f498987c97a41f4765a3c6888c4710e929af6490831163515535fde0490108024a7a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d5b4447cb3bc53d35b30e331c66c50c

SHA1
6db673f632a2b96a8c3eccde5db626acf5f7f82d

SHA256
2f35c574c1372bb9e2cc94f6ded28d0f7e29c6cf501fe3ffeb6a120527835827

SHA512
fac84d43722de0eac0efe06e4ea5db9461f82842cea322088e77129615713ebcc59c5ebb9683cc8f74a9f06e8987d4559b377553b23e302a640a790d9aa5afd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebf36f18cb01daae28d05c1f1fe222db

SHA1
1cd1a38d35102541a6081ef09e3e0d4b87c2777e

SHA256
eb54996500921843f1b8bf3eb597bb7e47b30906801019b2d9c8362d676e5867

SHA512
7cd79ea774febef8aae0272a31813cfdb11b0735ddcca2d5f2af84c7475a8370ce042a2fc21d75ff8e4713e6616a25d721f0ad5d4ac8af69c67f35fde26f17e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f979f7436d974f1d570cdf402fa9ee4

SHA1
0544593f864dce39a09ec17140b70192ea146191

SHA256
6ebe3afc7bea78e1213ae38d0562c495467c7f28e533f3e032488c8085a38a37

SHA512
72ce1dbfa884a43821bdd0a34104bd472276730ca31ca9fc82d41cd7cc6be03e778ee68a2520043fca2dee4e3c17b4b82a618460888df8a1852a84d22ec000e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78370c32966492e848451840d09bd6ea

SHA1
e535253c4b4ee8de9f2c8599ce3adfcb15952c36

SHA256
37a05fafc6ddc21e45a04114150984b96f676c4ee6b4a3a1d011933ca0fdbf3a

SHA512
d6eda258306edbeb0abcdfb3254432be4a9dd36ce844ffaba2981577ce4190e96c44c98312a8eb614b32ac4f84495db27e6f65ab35709731ed83a808be8ea72c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e2dde1489d8f0e5c5f81d7bd0e21301

SHA1
6286ecdf6b15d0a61e5a6ceff25db13f140a7af3

SHA256
ffa1fdd7cb09dccf1b53e09d8ef6ae9049fa0f33d20141b720c4c50a2efedc0a

SHA512
7d8dea763cd813d80dedac639259a1ca0715a8736170ca33aedc65872f3431500b87f4ece896eb5adbb8c5007f9ba4b8392c147f4e611424fc6a99c24e8487aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89c16289f547546545cb706a4ac5bd8d

SHA1
71a4f6c0867c3a863a51ccd428e93e6350f45398

SHA256
e7019213991c88747d7ed011a949fe5b8813e952b30ae4eebe7ce3387ee214f6

SHA512
7783f07918e180bb55249d2ef1991ec1bb662910d269707334709279bacc5c288f2f050762cdc158cc06b95d9c160d1fcdb5cf083f19cc55297f902decc0d44b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e754b8ca8d3178e50a65cc74cb5f54a

SHA1
40b6ae4065e1066b8de94345e66e76c853cf8f2b

SHA256
d945f5f0d77989cefdabf4166dfb054312153da2a10df81701a29b4776295baf

SHA512
4534e647c10342b861f867bedae944d1d11ff25658c519a790628e96d36ad4d09b2d2506d01334ae10122bc2b0af0c921235ed62927c26ca995d585948aca281

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abd882aeb0d8a99570bbd8a10e65c659

SHA1
8cc0f7a0e9e361910d51e20357cd9a0dba768697

SHA256
23240f8be5ec282191d67849fa3fe6cc45fe7eb1ab2e7f5c0bfd4d8e0a5b6c15

SHA512
35346d823339e5b8aad4b55fc27e7282938affcd896f738a363fac8b6ee7c3bcbe0cdefeac9bf7ade93d1fc4a366f51b411f22dc0b75c0c9e9cf01ee363609d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
539e252108a2d79a78c785f4e25fd03c

SHA1
9ca707b5abbf506aa9fdb14fcc415165ee818be1

SHA256
f04fe95e4d6afb5b2bda1e2dcf04dcd61d4765a3379bc2fafc2f7cb5cc38326d

SHA512
a011eddb4060ecfe6b933ae03e75ba997cd0f7c1660d850eb1b8c8fb8866f91667203f776ed9c674b1985849956b09167d622ba7ef8a8680280d1c07fd303ea6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d1e93042017c91677927dcd15aad2a0

SHA1
0cbfd9b3c3d5e2c762c856062d0cd780a7b5f4a4

SHA256
8b6866a7ed0a1b33e618e1543f9d923c8a863938e97a6a036fda9b273cf06303

SHA512
cc947629045a89a2e45568c413ce7c8b1ad1cf2dd8bbafd727bfee8189006aac46ad8b00c6f5f7249f13e6166273981b1bb775aa29ad4f04fa57a40e5b688bf4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4be79dfb9156dc2be6e727986ec15ece

SHA1
cee8875778031c717c8238b6782c833f49312eac

SHA256
4d2d1730f0b2927e81c2438f4fa40eaff500f0b0b3cf6bc7996bf1696971ce10

SHA512
864139289cf3548530968464bffc089673d7b5e7282bd6749b6ff622258a983a5a5a88919fd34603ef1ce5bf309a033d83ad5b74c48ffffb822db15a4148261a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
118d8e688d38acfc8c0fabde6329985b

SHA1
91a3f923a6fe87726f7b9069a22024917708f3a4

SHA256
11d6719ab8023d41c5ca41b1a5fe1f14d414b5ac0aba8b098344fc95ff465b97

SHA512
9b2ceff4594054daf18b3f1348d7869171556aa8e76851b2883d31bc2fc52757c6a97455cc0a71b83ff1e0f91e3ac8aeef6c2b779c84e6986aabbbf53d8ca511

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47dbcca8b5b9c507835fbea7aef136a2

SHA1
65ddfbb31b6dc62a80613e8cc919d0c3f33bac82

SHA256
f86cb26b6bdc8195b0d376854a65775ee6a78be8b91ae497dcaf23a86ebaa477

SHA512
d42dafd678a1fc3253759c10ae745ad9fce77f822c2edb4bead67f37a0e02e980f473907b80eccc7dbe8d5f17bb6b325a0821093b5aef71776d10593e91aab84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01f4da4fc60684d2721ae0a7c6c0106f

SHA1
6c87d56c2b60a5b764aa972be580d3821e4bb64a

SHA256
b5974b12304351292b072386f2e64ea05ba37f3922745f1f09257995acff57d3

SHA512
d2f7b9674fbe00e55130a3f31f223dbce15ea9300c7bdc530d2fe6f1d2fef32a37f0e96114e71ea3903a3e2ec1262179a63292239fcb50c49e70c3952bc77db1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95fb258e5c79d71b54f62d7815f02a32

SHA1
9b8bbddcc7cfbd3077c50ecaf6494ccdaad37871

SHA256
cec00c1e667d2d119cfe113902f6a267fac1020cbcc1e9fcc224189c7d2f6d4d

SHA512
f4dbfe192a2fd4128665ba84a0919da9eaf14d9a29fa9f26d488c97575005b7bd89e6834272b258760857e86ed5763481ca0dc1aee42585010a5f53e76b57fb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5360593039cd114eb6141674b3673cc4

SHA1
a8fec3d75642b9b159e19d80918bdbed1b82985a

SHA256
1ab6f912f1e6377af518323b9f6ea955163e2b982828645d06dcbaf7b3a79a51

SHA512
dbd6b2fcfbe07d414d7c3c3f58577de6bc0d389634177d78c789c99ec2c50f9ada265553815c22ce6e8735598ee88a61b0d83a031ad49b6db4c451aaca45f4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_7b6c5729027a5bc368fa07a6867d54be.exe

Filesize
256KB

MD5
1364bd81198addaa901f1a246ed2eec8

SHA1
6153cb807ca147f7d9d1b55dccb7592773d7a1a7

SHA256
291c5cca8abe1ee2f046128e1758877d18facc424a6ec39ca1e732f1f455825c

SHA512
001d74798b224ca7ec7836cbb2be2d6047bf5ae4fbe224f5679de2f4451f01015a5f810d965ca91cf26a3538039641a47a26d8166e94e00d89b32aacf691ef66

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE0AF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE0B2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
memory/2236-529-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2236-474-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2236-533-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2236-531-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2236-530-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads