neshta | 9fe70174fd5cfc1d61d3b00fcac1e2822371328000943f23bc14eefee7553b24

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2025 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_54afd320682184557f14928b4c12da74.exe
Size

757KB
MD5

54afd320682184557f14928b4c12da74
SHA1

db9379734ee85174171125b852516a1e90f766d6
SHA256

9fe70174fd5cfc1d61d3b00fcac1e2822371328000943f23bc14eefee7553b24
SHA512

2bc09c383b9bb04f37b1a6899bb0e705ca2135f6754fe378fd6b43c4473819f329931cee09d7c21c01605d12e1b136c597a7e86c64ad318c66a9692b5e6cc915
SSDEEP

6144:jyH7qOc6H5c6HcT66vlmrfkZtWYo0jyjeLxB0laEDJ+XTWx6IIqwUM3Sf4HQhW3b:jaan91ifD4iI/biNx2U45ePSlVj

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	JaffaCakes118_54afd320682184557f14928b4c12da74.exe

Executes dropped EXE 3 IoCs

pid	Process
116	svchost.exe
1748	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
3668	svchost.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_54afd320682184557f14928b4c12da74.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	svchost.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	JaffaCakes118_54afd320682184557f14928b4c12da74.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
File opened for modification	C:\Windows\svchost.com	JaffaCakes118_54afd320682184557f14928b4c12da74.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_54afd320682184557f14928b4c12da74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_54afd320682184557f14928b4c12da74.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_54afd320682184557f14928b4c12da74.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 116	808	JaffaCakes118_54afd320682184557f14928b4c12da74.exe	83
PID 808 wrote to memory of 116	808	JaffaCakes118_54afd320682184557f14928b4c12da74.exe	83
PID 808 wrote to memory of 116	808	JaffaCakes118_54afd320682184557f14928b4c12da74.exe	83
PID 116 wrote to memory of 1748	116	svchost.exe	86
PID 116 wrote to memory of 1748	116	svchost.exe	86
PID 116 wrote to memory of 1748	116	svchost.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54afd320682184557f14928b4c12da74.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54afd320682184557f14928b4c12da74.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54afd320682184557f14928b4c12da74.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54afd320682184557f14928b4c12da74.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54afd320682184557f14928b4c12da74.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1748

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_54afd320682184557f14928b4c12da74.exe

Filesize
681KB

MD5
fc04ed6702749bcfd8fa2db77f2d4308

SHA1
f719ea89eb65e406e575da67c4387a652da8ef51

SHA256
92235cbb506d1af123956ed5590925038fc2675b0a2bfa3d8a36d68624f79ee9

SHA512
ff030fbdc451bbcd8f344aa2b6ef246f429d83d8e29c1b64a9616cecf462d0fa2f573a8c49f1a6fa04120a223eaf1361c345fc34bf964395e771c9532a1f270e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54afd320682184557f14928b4c12da74.exe

Filesize
722KB

MD5
3d710b1ee63919885875f5ba10e867ed

SHA1
48a6b8e8e153b2920dcd3784b4453073e09b3829

SHA256
380c48e745f19eea1e551f23154a87895e75b6aaf6c3dbde9df26e941d433d19

SHA512
9479bbd99036e2d0b64c13929e63c1e57a71eaa8a13165a30e92b157b4d1bee410b07b7ef29fe94f9630826917c9d04c1f55d1754489d27c33846d4a10f3621c

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
a1959b3a3dd9727f6169ef56fed61bc6

SHA1
afbff5187752ad183852cc783c28fcc1cb0c21c5

SHA256
bcc9b5cce30058a71e376d8515065c20ce035c6998d338017ab9d89b1b6b5ecc

SHA512
e9b77ca6d27851861fdb0618a181877a06ac83389696f2a90ff4fafd9d4a1c61a14924963cfb3b5a15b7c0a9875b265a1787665a8aa0e5c6c405035069179355

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
20b7df0b9a4dd4bff212b0a3445c7d31

SHA1
c75e9fc0797fca3224bdeabd12df9d19b4d4468f

SHA256
bd07ee71f57cffde0b17f3f0ea4531b2bcc00258bbab7f3172e2abe99cc97e19

SHA512
ce597a722757e6dfc429131549c6d96d89f25ab28013a8d24aa58853c18c1ff047fb2f9cf865c8ad7e448af5b8c9d08208deb948992d0a7264db528e3217fb32

Download Submit
memory/116-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/808-4-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1748-104-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1748-106-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1748-108-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1748-111-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3668-105-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3668-109-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3668-116-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3668-119-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads