Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-06-2024 11:03

General

  • Target

    01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe

  • Size

    100KB

  • MD5

    01d06f85fce63444c3563fe3bd20c004

  • SHA1

    c4192f0994d5b9a5efd18e9a697dcf78cc092c0d

  • SHA256

    bd11592557d2dba4e2cc5cdfdbc61cba64735ae01050db58557e2281389512a0

  • SHA512

    0846b6e70c32fa21bae9f8eb05cd4d1dadb8f806baafeb27a19ea2ce44ec2d3cc3184925628ca4132a2e83e6c5f914db72c84cf71fbf448997d84bc69a553e1a

  • SSDEEP

    1536:ugResSzjBEY7AmycmyTOOiq7NPsS5A9M3jj+kEPDKgf:t3S/CY7GQT9iqx0XYg7/

Score
7/10

Malware Config

Signatures

  • Drops startup file 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe
      "C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        -nohome
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2960
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2800
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2684
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275464 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:468
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275471 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2340
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:734222 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1684
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        -nohome12.ini
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:620
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          4⤵
          PID:1616
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        -nohome12.ini
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2224
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          4⤵
          PID:1628
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        -nohome12.ini
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          4⤵
          PID:852

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Defense Evasion
    Modify Registry: 1 (T1112)
  • Discovery
    System Information Discovery: 1 (T1082)

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\netmgr.dll
    Filesize
    51KB
    MD5
    ffd43ae9ebb59c9fd3b5a2b52addaed7
    SHA1
    b274ba1e9e386ecd129bc4957f1bc5d73056e0a2
    SHA256
    c2c601b8a7d8511853a9e5a09bf78af1ea2fe481529e216ca9c42bc2ecbbe3a9
    SHA512
    2f87022ee56ba03e06e271aacde55933e9f4cc83b314c5817a8391a5b15b23230d5baf674eeac792933f9bd5c2d6ea495a74edc581df76d3e7a9b0d506636271

  • C:\Users\Admin\AppData\Roaming\Adobe\perf2012.ini
    Filesize
    150B
    MD5
    a6a97e5d6dc6a5306e269c267f68edce
    SHA1
    7217d9a9386fad675bf7d966e0b37c535f86488a
    SHA256
    550d806901c92b91ea78cee49ee11f21a51c6065019ed2095c673ab6bce78cbd
    SHA512
    2210fd122f8bab59c5ea6aa8ac22874d758f5c5a40ae4a8d374a5da6b20d56f9e035e83ad9c0859b5051eaf73baa43f581141b41b1ca57ae47ffe69b71eccda1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk
    MD5
    d41d8cd98f00b204e9800998ecf8427e
    SHA1
    da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512
    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Users\Admin\AppData\Roaming\Adobe\netmgr.exe
    Filesize
    20KB
    MD5
    2dc139d82a2a5bf027bcb6a40f75b3f4
    SHA1
    53549df8a3a3115e316c5c34a79ceb8ca1b61b5b
    SHA256
    eff3444317ceca3b4642ee4ad3ed947f7bb17e35976465fad686ddd52cfe8cc5
    SHA512
    780d8c107ec2eca2f08759c01b2dc2308f92c3d466eac46132dc8e279b0e770b4fdfd7f6dc672c2512bff9d334e3357176e82b5aadf5f16e84b724c19876a7da