Overview

overview

10

Static

static

3

JaffaCakes...8d.exe

windows7-x64

10

JaffaCakes...8d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-01-2025 14:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe

  • Size

    368KB

  • MD5

    182a26233416f1cd3249e487bec9d58d

  • SHA1

    bddb9925cc64ef4955d3af8cb97952a51689e596

  • SHA256

    1e8ef0b7823dcf23a99cfc4d40c34786cbd1032581d906c5adea3bba3ade0449

  • SHA512

    996f6dacd765d6ae25a40c2ea4ca1e37bab8e12f817cded4075c7d200c35e623b04098da7564ca6b18ac0456cea9cf26a83177e46462bfda01a83889af2a001a

  • SSDEEP

    6144:jyH7xOc6H5c6HcT66vlmrJp13452WhN+nPQ4mevjx1GVUHnthaTBaE9A1XtR4UeJ:jakp13mvNSPmUHGVmaTAEwd9eJ

Score
10/10
neshtadiscoverypersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 4 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2492
        • C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
          "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe"
          4⤵
          • Executes dropped EXE
          PID:2700
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:1796

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
    Filesize

    854KB

    MD5

    9bf7da1d524b0dc6e8007ca407f489c1

    SHA1

    419c4d1423133a2b77290c3219317c3ef76abaf2

    SHA256

    fe3c217e6d538c00b351e433a08cb5741cde072f2db75cb0ba5334fdb6246da2

    SHA512

    8694f630010dd63278f5557eec3ae65cefcbbffe3b10eb61928a18db5c4622dd828d2e2020c670999eeb59759800a6e1172efb98e5dabb9cb4cd7a12e157a083

    Download Submit

  • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
    Filesize

    583KB

    MD5

    c5c7c9ab4205dbd206d0e41a35251646

    SHA1

    451304ee05223f4e113042da7550279136f6497f

    SHA256

    a4e6b639611fb2404d5157f35c5016f531aa309eee1c7ebb14e6853315ed00f9

    SHA512

    cefcba1107a1e3a72a0f23af2842e341abfb77f6ac06553f18aeeb1e80f8a79f88d45f61bc087bd38d869147bc6fe8bca40c8874389246d6fd8b6f56e7c21eac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
    Filesize

    332KB

    MD5

    21457be2cadea289f89ef25a581bbf40

    SHA1

    2a7a7b0e439cc0c997be8cc76b3fd2e7b2e0620a

    SHA256

    fcac4ab1c72efb51e5118f303422a8c9e2f35afdcfe1a6e57c6594019a21ad43

    SHA512

    c600e4ec34aede98636f7a748c26ddb004b8e1c5a732ea4655e0762b6d89d1b3a9d295a2381371a02c4cf4f8cd9693adcd1f2870de890c05d2699572a82e0a20

    Download Submit

  • C:\Windows\svchost.exe
    Filesize

    35KB

    MD5

    9e3c13b6556d5636b745d3e466d47467

    SHA1

    2ac1c19e268c49bc508f83fe3d20f495deb3e538

    SHA256

    20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

    SHA512

    5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

    Download Submit

  • \MSOCache\ALLUSE~1\{9A861~1\ose.exe
    Filesize

    145KB

    MD5

    9d10f99a6712e28f8acd5641e3a7ea6b

    SHA1

    835e982347db919a681ba12f3891f62152e50f0d

    SHA256

    70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

    SHA512

    2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

    Download Submit

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit

  • \Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
    Filesize

    292KB

    MD5

    1a7507b7410c9b7985ee1df26fdb50ca

    SHA1

    9b0b289fe9a95fdbd037cc89e9c60e116c968b3e

    SHA256

    d9cb9083f54312203a0dad3349a04eafc0211be6934b30e37f856b72b15f956a

    SHA512

    c5ebb43f5f0f46eca87e1ae052b0dd972ab5200fa5bae736af60589f415ce307fa07e4e19cee9c8f2d95d538561a1182f535d16eef1b7eb05b82d0b3d64d2238

    Download Submit

  • memory/764-5-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1796-123-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1796-121-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1796-111-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2336-21-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2492-110-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2492-108-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2700-35-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download