Overview

overview

10

Static

static

10

JaffaCakes...e0.exe

windows7-x64

10

JaffaCakes...e0.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0

  • Size

    616KB

  • Sample

    250208-j15zbatqbw

  • MD5

    c0e42cf18b138205a171768f3dddf0e0

  • SHA1

    867ebc0dae6437916f8882192652b58986d75d3c

  • SHA256

    3ff5b8d4a80c9f631c2220c3f7ff9f1839bbd04d6eda9e57add7360a71774d1d

  • SHA512

    887bdf246e507dbfd428916489016a6a470c668be44bc981469a89dee038179a9da67601b5dc9a1e96f8d57702abc5daa43c0f66e6f05573a3f17e49aadbc8ae

  • SSDEEP

    12288:s7uII7WPIHFZQWoW1lADk6rOkEx5o7pKyskZWNCGNF+0W5iiUF:su78mZncDkYC5up6kENFfE5iiw

Score
10/10
neshtadefense_evasiondiscoverypersistenceprivilege_escalationspywarestealertrojan

Malware Config

Targets

    • Target

      JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0

    • Size

      616KB

    • MD5

      c0e42cf18b138205a171768f3dddf0e0

    • SHA1

      867ebc0dae6437916f8882192652b58986d75d3c

    • SHA256

      3ff5b8d4a80c9f631c2220c3f7ff9f1839bbd04d6eda9e57add7360a71774d1d

    • SHA512

      887bdf246e507dbfd428916489016a6a470c668be44bc981469a89dee038179a9da67601b5dc9a1e96f8d57702abc5daa43c0f66e6f05573a3f17e49aadbc8ae

    • SSDEEP

      12288:s7uII7WPIHFZQWoW1lADk6rOkEx5o7pKyskZWNCGNF+0W5iiUF:su78mZncDkYC5up6kENFfE5iiw

    Score
    10/10
    neshtadefense_evasiondiscoverypersistenceprivilege_escalationspywarestealertrojan

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Neshta family

      neshta

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      defense_evasiontrojan
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks