Analysis

  • max time kernel
    141s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-01-2025 02:44

General

  • Target

    JaffaCakes118_09a27ae3ed117533c7a3aed3f7db8d92.exe

  • Size

    3.6MB

  • MD5

    09a27ae3ed117533c7a3aed3f7db8d92

  • SHA1

    c79972a55b2d90198c6354b07a5172a6b10600b4

  • SHA256

    5c5b557730f0e2a27f0c452216ace6a580024d392b8cd6c4a3f4dce981ba439b

  • SHA512

    db23e7ce62c19d291d03ac56882aa99b5cd5824eb436fbc60f58d6a5d6cd9ec75ecfb289186c88941b7e18611a1d1675a37193e128e80fe25e2de15fa241df91

  • SSDEEP

    98304:HyW1Hg4eSQhBVh9H3rEh/fQpKn1Y8zQVmLsFisZPJMpO:dd+SqBPxrE1QpK1JQVrFis4pO

Malware Config

Signatures

  • Detect Neshta payload 5 IoCs
  • Neshta

    Neshta is a file-infecting virus: it writes its own code into other executables so that launching an infected program spreads the infection further, and the host programs it modifies can be left damaged.

  • Neshta family
  • Checks computer location settings 2 TTPs 1 IoCs

    Reads the country code configured in the registry, most likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX or with a modified build of the open-source UPX packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_09a27ae3ed117533c7a3aed3f7db8d92.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_09a27ae3ed117533c7a3aed3f7db8d92.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5020
    • C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_09a27ae3ed117533c7a3aed3f7db8d92.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_09a27ae3ed117533c7a3aed3f7db8d92.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4028

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

    Filesize

    86KB

    MD5

    3b73078a714bf61d1c19ebc3afc0e454

    SHA1

    9abeabd74613a2f533e2244c9ee6f967188e4e7e

    SHA256

    ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

    SHA512

    75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

  • C:\Temp\1PO0U4KP\JaffaCakes118_09a27ae3ed117533c7a3aed3f7db8d92\plugins\0\CustomUI.dll

    Filesize

    345KB

    MD5

    0fe39de528a1afa32ed1f5f10a02aa4e

    SHA1

    8651305d45126ad268b498eecab7db5cae570b7c

    SHA256

    2ad7b88bea948708cef7dd539567686b0662692802edf0bb544594306cef7c73

    SHA512

    74a2f59e7d2a788dda76c2566d7c827ecde4f3b5e16191586fbcab69b04f1436e0963b8dff97fbbe383e9c580c9fffe5a9a5fe11da8ede6b8d06dcb040c09e27

  • C:\Temp\1PO0U4KP\JaffaCakes118_09a27ae3ed117533c7a3aed3f7db8d92\splash.bmp

    Filesize

    178KB

    MD5

    1cf986e7ce64f5b02863d8dadf416adc

    SHA1

    f95216199aab5f11aa8e076fc65cac6f09f9c371

    SHA256

    16262ca591bb170310b3e51bcdb5188e2bbb89c01b09bb9d932776c6ad822d6a

    SHA512

    4222e6afb4185be2a0ca667bbeaf895684071a8c4d59a49fba1b69feba92c0099188d1fba0731ca15e8f04326b9cc46410ddc828c45280a9b556809c1d87c3af

  • C:\Temp\1PO0U4KP\unpack.dll

    Filesize

    34KB

    MD5

    e619dbc708231336467add6b6f6ff99c

    SHA1

    cd9b0168d3d8259709098edea0d83834d580fbfb

    SHA256

    c66742cee46087844c244af84c91a464eeab5ac0fe57be6d9c7aef6daea54793

    SHA512

    5e5fb37db93eb11f7e0e7f5249e5733e6ecda3395ad51323d22bb1fbbf3e3b137c4554600faee5e53368426a0827add13862c3b400a7f54acbbbb2d9becfaf1e

  • C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_09a27ae3ed117533c7a3aed3f7db8d92.exe

    Filesize

    3.6MB

    MD5

    01827b5e00e2742b0070cf27219c241c

    SHA1

    c929d2355cf4d39c4ed8c27c4a168972f45f91b6

    SHA256

    dc9d135dd6b3a654882c838d202ade1e2ebf2998649aa5c08c747bc837c23efa

    SHA512

    1138381dd16ad421f36fdb6c9b3b666212bba89118d2c7975d4c826d53a0910b158aff4c6fc936056e6da3fa4176433d34e89a603b18b9a027594d9b8dfabe93

  • memory/4028-194-0x0000000003520000-0x000000000357D000-memory.dmp

    Filesize

    372KB

  • memory/4028-12-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/4028-18-0x0000000000750000-0x0000000000777000-memory.dmp

    Filesize

    156KB

  • memory/4028-167-0x0000000003520000-0x000000000357D000-memory.dmp

    Filesize

    372KB

  • memory/4028-187-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/4028-188-0x0000000003520000-0x000000000357D000-memory.dmp

    Filesize

    372KB

  • memory/4028-218-0x0000000003520000-0x000000000357D000-memory.dmp

    Filesize

    372KB

  • memory/5020-186-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/5020-192-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/5020-196-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/5020-189-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB
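The following Python helpers are an added triage example written for this page; they are not part of the sandbox report, and they are not code from the sample or the Neshta family. They turn the report's own findings into host checks: the "Modifies system executable filetype association" signature is tested by comparing the live `exefile` handler against Windows' documented default of `"%1" %*`; the process tree above (PID 5020 launching a same-named copy from `%TEMP%\3582-490\`) is encoded as a parent/child path pattern; and the SHA-256 values listed under Downloads, plus the submitted sample's own SHA-256, are used as an IoC set for a file-system sweep. The registry read only runs on Windows; the decision logic is pure so it can be exercised anywhere. The hijacked handler value `C:\Windows\loader.exe "%1" %*` used in the usage comment is a hypothetical illustration, not something the report observed.

```python
"""Host triage helpers derived from the sandbox report above.
Added example; not the report's, the sample's, or Neshta's own code."""
import hashlib
import os
import sys

# Windows' built-in launch command for executables, stored as the default
# value of HKLM\SOFTWARE\Classes\exefile\shell\open\command.
EXEFILE_DEFAULT_COMMAND = '"%1" %*'

# Directory name under %TEMP% from which the report shows the sample
# re-executing a same-named copy of itself (PID 5020 -> PID 4028).
REEXEC_DIR_NAME = "3582-490"

# SHA-256 of the submitted sample and of the files listed under Downloads,
# copied from the report, mapped to the path the report gives for each.
IOC_SHA256 = {
    "5c5b557730f0e2a27f0c452216ace6a580024d392b8cd6c4a3f4dce981ba439b":
        "submitted sample (JaffaCakes118_09a27ae3ed117533c7a3aed3f7db8d92.exe)",
    "ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29":
        r"C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE",
    "2ad7b88bea948708cef7dd539567686b0662692802edf0bb544594306cef7c73":
        r"C:\Temp\1PO0U4KP\JaffaCakes118_09a27ae3ed117533c7a3aed3f7db8d92\plugins\0\CustomUI.dll",
    "16262ca591bb170310b3e51bcdb5188e2bbb89c01b09bb9d932776c6ad822d6a":
        r"C:\Temp\1PO0U4KP\JaffaCakes118_09a27ae3ed117533c7a3aed3f7db8d92\splash.bmp",
    "c66742cee46087844c244af84c91a464eeab5ac0fe57be6d9c7aef6daea54793":
        r"C:\Temp\1PO0U4KP\unpack.dll",
    "dc9d135dd6b3a654882c838d202ade1e2ebf2998649aa5c08c747bc837c23efa":
        r"C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_09a27ae3ed117533c7a3aed3f7db8d92.exe",
}


def exefile_command_is_tampered(command):
    """True unless the handler is exactly Windows' default (whitespace and
    case normalised). A missing value is reported as tampered because the
    association cannot be confirmed clean."""
    if command is None:
        return True
    return " ".join(command.split()).lower() != EXEFILE_DEFAULT_COMMAND.lower()


def read_exefile_command():
    """Read the live exefile handler from HKLM. Windows only; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, available on Windows only
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Classes\exefile\shell\open\command")
    try:
        value, _ = winreg.QueryValueEx(key, "")  # "" selects the default value
        return value
    finally:
        winreg.CloseKey(key)


def is_reexec_from_drop_dir(parent_path, child_path):
    """Match the report's process tree: the child has the same file name as
    the parent but runs from a different directory named 3582-490."""
    parent_dir, parent_name = os.path.split(parent_path.replace("\\", "/"))
    child_dir, child_name = os.path.split(child_path.replace("\\", "/"))
    return (parent_name.lower() == child_name.lower()
            and os.path.basename(child_dir) == REEXEC_DIR_NAME
            and parent_dir.lower() != child_dir.lower())


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file so large binaries (the sample is 3.6MB) are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_hashes(path_to_sha256, iocs=IOC_SHA256):
    """Pure matcher: (local path, sha256, reported origin) for every IoC hit."""
    return [(p, h, iocs[h.lower()]) for p, h in path_to_sha256.items()
            if h.lower() in iocs]


def sweep_for_dropped_files(root, iocs=IOC_SHA256):
    """Hash every readable file under root and report matches against the IoC set."""
    hashes = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                hashes[p] = sha256_of_file(p)
            except OSError:
                continue  # unreadable or transient file; skip rather than abort
    return match_hashes(hashes, iocs)


if __name__ == "__main__":
    # Example of a tampered value (hypothetical): C:\Windows\loader.exe "%1" %*
    cmd = read_exefile_command()
    print("exefile handler:", cmd,
          "TAMPERED" if exefile_command_is_tampered(cmd) else "ok")
    for hit in sweep_for_dropped_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("IoC hit:", hit)
```

Run it on a suspect host as `python triage.py C:\` (or any narrower root) with administrative rights so Program Files and the Windows directory are readable; a tampered `exefile` handler is the finding that matters most, since with it every program the user launches passes through the inserted loader first. Hash matching catches the specific dropped files from this run only; since a file infector changes each host binary it touches, absence of a hash hit does not clear a machine.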