Overview

overview

10

Static

static

3

JaffaCakes...74.exe

windows7-x64

10

JaffaCakes...74.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    29-01-2025 08:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_54afd320682184557f14928b4c12da74.exe

  • Size

    757KB

  • MD5

    54afd320682184557f14928b4c12da74

  • SHA1

    db9379734ee85174171125b852516a1e90f766d6

  • SHA256

    9fe70174fd5cfc1d61d3b00fcac1e2822371328000943f23bc14eefee7553b24

  • SHA512

    2bc09c383b9bb04f37b1a6899bb0e705ca2135f6754fe378fd6b43c4473819f329931cee09d7c21c01605d12e1b136c597a7e86c64ad318c66a9692b5e6cc915

  • SSDEEP

    6144:jyH7qOc6H5c6HcT66vlmrfkZtWYo0jyjeLxB0laEDJ+XTWx6IIqwUM3Sf4HQhW3b:jaan91ifD4iI/biNx2U45ePSlVj

Score
10/10
neshtadiscoverypersistencespywarestealer

Malware Config

Signatures

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54afd320682184557f14928b4c12da74.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54afd320682184557f14928b4c12da74.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54afd320682184557f14928b4c12da74.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54afd320682184557f14928b4c12da74.exe
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54afd320682184557f14928b4c12da74.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2824
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2144

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
    Filesize

    1.1MB

    MD5

    dc8b816c61fca8b79e9888b5a6fac22f

    SHA1

    30744694fc9d00952ed3226037bcd555bcefee70

    SHA256

    3879947a17edf095e465c2c5ffb7efc24d26706cc179f8eea9f4f35ee5f2eeeb

    SHA512

    3acd02e87d6e2a1f1ceeb03b5b56bcb7f5cf8ba2612534032b2b53e6e1f678c5fa8d41cc061f46c1239a0446135801f1a066a5842a9fb96112c471e3a70f95a4

    Download Submit

  • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
    Filesize

    894KB

    MD5

    77e7aa4aa2503079afba916c22c5b344

    SHA1

    56cb42669fe73dea4fad9b630129d5dfdeb12d2d

    SHA256

    32f2f774e3b61ab84ec1859620ddc2410977ee9d9ca4530d8b72e10b1cdabbb9

    SHA512

    5072045f70f7bfaad895f5b406da795a0b4899b74a4c82e62b6e3858bce1fede3843aa6a164680e383c194fdb3d24a315a89ec5a86e35068f88313a063561b9a

    Download Submit

  • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
    Filesize

    583KB

    MD5

    314676f7f153873d5f3cea522ac38148

    SHA1

    0bcbaba187ae4d0785b6358b7dbfad59c608fe70

    SHA256

    50535ed9054c8b5d21097459824fa831fa406a14d9bcd43e409cea7d46b6db08

    SHA512

    ab232a6fea238133e1f3f0c74c0ac8be9b0137c525b32036b65be0c0dd72eded641475fae36d78989636244e47a16efb61d572e16f80149a7aeef418b62774e3

    Download Submit

  • C:\Windows\svchost.exe
    Filesize

    35KB

    MD5

    20b7df0b9a4dd4bff212b0a3445c7d31

    SHA1

    c75e9fc0797fca3224bdeabd12df9d19b4d4468f

    SHA256

    bd07ee71f57cffde0b17f3f0ea4531b2bcc00258bbab7f3172e2abe99cc97e19

    SHA512

    ce597a722757e6dfc429131549c6d96d89f25ab28013a8d24aa58853c18c1ff047fb2f9cf865c8ad7e448af5b8c9d08208deb948992d0a7264db528e3217fb32

    Download Submit

  • \MSOCache\ALLUSE~1\{9A861~1\ose.exe
    Filesize

    145KB

    MD5

    9d10f99a6712e28f8acd5641e3a7ea6b

    SHA1

    835e982347db919a681ba12f3891f62152e50f0d

    SHA256

    70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

    SHA512

    2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

    Download Submit

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit

  • \Users\Admin\AppData\Local\Temp\JaffaCakes118_54afd320682184557f14928b4c12da74.exe
    Filesize

    722KB

    MD5

    3d710b1ee63919885875f5ba10e867ed

    SHA1

    48a6b8e8e153b2920dcd3784b4453073e09b3829

    SHA256

    380c48e745f19eea1e551f23154a87895e75b6aaf6c3dbde9df26e941d433d19

    SHA512

    9479bbd99036e2d0b64c13929e63c1e57a71eaa8a13165a30e92b157b4d1bee410b07b7ef29fe94f9630826917c9d04c1f55d1754489d27c33846d4a10f3621c

    Download Submit

  • memory/2144-104-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2816-20-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2824-105-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2824-107-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2824-109-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2824-112-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2824-103-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3064-5-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download