Analysis
- max time kernel: 148s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 22-06-2024 11:03
Behavioral task behavioral1
- Sample: 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task behavioral2
- Sample: 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe
- Size: 100KB
- MD5: 01d06f85fce63444c3563fe3bd20c004
- SHA1: c4192f0994d5b9a5efd18e9a697dcf78cc092c0d
- SHA256: bd11592557d2dba4e2cc5cdfdbc61cba64735ae01050db58557e2281389512a0
- SHA512: 0846b6e70c32fa21bae9f8eb05cd4d1dadb8f806baafeb27a19ea2ce44ec2d3cc3184925628ca4132a2e83e6c5f914db72c84cf71fbf448997d84bc69a553e1a
- SSDEEP: 1536:ugResSzjBEY7AmycmyTOOiq7NPsS5A9M3jj+kEPDKgf:t3S/CY7GQT9iqx0XYg7/
Malware Config
Signatures
- Drops startup file (4 IoCs)
  Processes: 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe, netmgr.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk | netmgr.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | netmgr.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk | 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe
- Executes dropped EXE (1 IoCs)
  Processes: netmgr.exe
  pid | process
  1576 | netmgr.exe
- Loads dropped DLL (7 IoCs)
  Processes: 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe, netmgr.exe
  pid | process
  1636 | 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe
  1636 | 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe
  1636 | 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe
  1576 | netmgr.exe
  1576 | netmgr.exe
  1576 | netmgr.exe
  1576 | netmgr.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings (34 IoCs)
  Processes: IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE
  description | ioc | process
  Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425216108" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1400CE11-3087-11EF-8C89-6200E4292AD7} = "0" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: netmgr.exe
  pid | process
  1576 | netmgr.exe
  1576 | netmgr.exe
  1576 | netmgr.exe
- Suspicious use of FindShellTrayWindow (8 IoCs)
  Processes: 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe, IEXPLORE.EXE, netmgr.exe
  pid | process
  1636 | 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe
  2800 | IEXPLORE.EXE
  2800 | IEXPLORE.EXE
  1576 | netmgr.exe
  2800 | IEXPLORE.EXE
  1576 | netmgr.exe
  2800 | IEXPLORE.EXE
  1576 | netmgr.exe
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes: 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe, netmgr.exe
  pid | process
  1636 | 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe
  1576 | netmgr.exe
  1576 | netmgr.exe
  1576 | netmgr.exe
- Suspicious use of SetWindowsHookEx (22 IoCs)
  Processes: IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE
  pid | process
  2800 | IEXPLORE.EXE
  2800 | IEXPLORE.EXE
  2684 | IEXPLORE.EXE
  2684 | IEXPLORE.EXE
  2800 | IEXPLORE.EXE
  2800 | IEXPLORE.EXE
  468 | IEXPLORE.EXE
  468 | IEXPLORE.EXE
  468 | IEXPLORE.EXE
  468 | IEXPLORE.EXE
  2800 | IEXPLORE.EXE
  2800 | IEXPLORE.EXE
  2340 | IEXPLORE.EXE
  2340 | IEXPLORE.EXE
  2340 | IEXPLORE.EXE
  2340 | IEXPLORE.EXE
  2800 | IEXPLORE.EXE
  2800 | IEXPLORE.EXE
  1684 | IEXPLORE.EXE
  1684 | IEXPLORE.EXE
  1684 | IEXPLORE.EXE
  1684 | IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (52 IoCs)
  Processes: 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe, netmgr.exe, iexplore.exe, IEXPLORE.EXE, iexplore.exe, iexplore.exe, iexplore.exe
  description | pid | process | target process
  PID 1636 wrote to memory of 1576 | 1636 | 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe | netmgr.exe
  PID 1636 wrote to memory of 1576 | 1636 | 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe | netmgr.exe
  PID 1636 wrote to memory of 1576 | 1636 | 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe | netmgr.exe
  PID 1636 wrote to memory of 1576 | 1636 | 01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe | netmgr.exe
  PID 1576 wrote to memory of 2960 | 1576 | netmgr.exe | iexplore.exe
  PID 1576 wrote to memory of 2960 | 1576 | netmgr.exe | iexplore.exe
  PID 1576 wrote to memory of 2960 | 1576 | netmgr.exe | iexplore.exe
  PID 1576 wrote to memory of 2960 | 1576 | netmgr.exe | iexplore.exe
  PID 2960 wrote to memory of 2800 | 2960 | iexplore.exe | IEXPLORE.EXE
  PID 2960 wrote to memory of 2800 | 2960 | iexplore.exe | IEXPLORE.EXE
  PID 2960 wrote to memory of 2800 | 2960 | iexplore.exe | IEXPLORE.EXE
  PID 2960 wrote to memory of 2800 | 2960 | iexplore.exe | IEXPLORE.EXE
  PID 2800 wrote to memory of 2684 | 2800 | IEXPLORE.EXE | IEXPLORE.EXE
  PID 2800 wrote to memory of 2684 | 2800 | IEXPLORE.EXE | IEXPLORE.EXE
  PID 2800 wrote to memory of 2684 | 2800 | IEXPLORE.EXE | IEXPLORE.EXE
  PID 2800 wrote to memory of 2684 | 2800 | IEXPLORE.EXE | IEXPLORE.EXE
  PID 1576 wrote to memory of 620 | 1576 | netmgr.exe | iexplore.exe
  PID 1576 wrote to memory of 620 | 1576 | netmgr.exe | iexplore.exe
  PID 1576 wrote to memory of 620 | 1576 | netmgr.exe | iexplore.exe
  PID 1576 wrote to memory of 620 | 1576 | netmgr.exe | iexplore.exe
  PID 620 wrote to memory of 1616 | 620 | iexplore.exe | IEXPLORE.EXE
  PID 620 wrote to memory of 1616 | 620 | iexplore.exe | IEXPLORE.EXE
  PID 620 wrote to memory of 1616 | 620 | iexplore.exe | IEXPLORE.EXE
  PID 620 wrote to memory of 1616 | 620 | iexplore.exe | IEXPLORE.EXE
  PID 2800 wrote to memory of 468 | 2800 | IEXPLORE.EXE | IEXPLORE.EXE
  PID 2800 wrote to memory of 468 | 2800 | IEXPLORE.EXE | IEXPLORE.EXE
  PID 2800 wrote to memory of 468 | 2800 | IEXPLORE.EXE | IEXPLORE.EXE
  PID 2800 wrote to memory of 468 | 2800 | IEXPLORE.EXE | IEXPLORE.EXE
  PID 1576 wrote to memory of 2224 | 1576 | netmgr.exe | iexplore.exe
  PID 1576 wrote to memory of 2224 | 1576 | netmgr.exe | iexplore.exe
  PID 1576 wrote to memory of 2224 | 1576 | netmgr.exe | iexplore.exe
  PID 1576 wrote to memory of 2224 | 1576 | netmgr.exe | iexplore.exe
  PID 2224 wrote to memory of 1628 | 2224 | iexplore.exe | IEXPLORE.EXE
  PID 2224 wrote to memory of 1628 | 2224 | iexplore.exe | IEXPLORE.EXE
  PID 2224 wrote to memory of 1628 | 2224 | iexplore.exe | IEXPLORE.EXE
  PID 2224 wrote to memory of 1628 | 2224 | iexplore.exe | IEXPLORE.EXE
  PID 2800 wrote to memory of 2340 | 2800 | IEXPLORE.EXE | IEXPLORE.EXE
  PID 2800 wrote to memory of 2340 | 2800 | IEXPLORE.EXE | IEXPLORE.EXE
  PID 2800 wrote to memory of 2340 | 2800 | IEXPLORE.EXE | IEXPLORE.EXE
  PID 2800 wrote to memory of 2340 | 2800 | IEXPLORE.EXE | IEXPLORE.EXE
  PID 1576 wrote to memory of 2964 | 1576 | netmgr.exe | iexplore.exe
  PID 1576 wrote to memory of 2964 | 1576 | netmgr.exe | iexplore.exe
  PID 1576 wrote to memory of 2964 | 1576 | netmgr.exe | iexplore.exe
  PID 1576 wrote to memory of 2964 | 1576 | netmgr.exe | iexplore.exe
  PID 2964 wrote to memory of 852 | 2964 | iexplore.exe | IEXPLORE.EXE
  PID 2964 wrote to memory of 852 | 2964 | iexplore.exe | IEXPLORE.EXE
  PID 2964 wrote to memory of 852 | 2964 | iexplore.exe | IEXPLORE.EXE
  PID 2964 wrote to memory of 852 | 2964 | iexplore.exe | IEXPLORE.EXE
  PID 2800 wrote to memory of 1684 | 2800 | IEXPLORE.EXE | IEXPLORE.EXE
  PID 2800 wrote to memory of 1684 | 2800 | IEXPLORE.EXE | IEXPLORE.EXE
  PID 2800 wrote to memory of 1684 | 2800 | IEXPLORE.EXE | IEXPLORE.EXE
  PID 2800 wrote to memory of 1684 | 2800 | IEXPLORE.EXE | IEXPLORE.EXE
Processes (tree; each child process is nested under its parent)
- C:\Users\Admin\AppData\Local\Temp\01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01d06f85fce63444c3563fe3bd20c004_JaffaCakes118.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe"
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: -nohome
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275457 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275464 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275471 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:734222 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: -nohome12.ini
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: -nohome12.ini
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: -nohome12.ini
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\netmgr.dll
  Filesize: 51KB
  MD5: ffd43ae9ebb59c9fd3b5a2b52addaed7
  SHA1: b274ba1e9e386ecd129bc4957f1bc5d73056e0a2
  SHA256: c2c601b8a7d8511853a9e5a09bf78af1ea2fe481529e216ca9c42bc2ecbbe3a9
  SHA512: 2f87022ee56ba03e06e271aacde55933e9f4cc83b314c5817a8391a5b15b23230d5baf674eeac792933f9bd5c2d6ea495a74edc581df76d3e7a9b0d506636271
- C:\Users\Admin\AppData\Roaming\Adobe\perf2012.ini
  Filesize: 150B
  MD5: a6a97e5d6dc6a5306e269c267f68edce
  SHA1: 7217d9a9386fad675bf7d966e0b37c535f86488a
  SHA256: 550d806901c92b91ea78cee49ee11f21a51c6065019ed2095c673ab6bce78cbd
  SHA512: 2210fd122f8bab59c5ea6aa8ac22874d758f5c5a40ae4a8d374a5da6b20d56f9e035e83ad9c0859b5051eaf73baa43f581141b41b1ca57ae47ffe69b71eccda1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (these four digests are those of a zero-byte file; the .lnk was captured with no content)
- \Users\Admin\AppData\Roaming\Adobe\netmgr.exe
  Filesize: 20KB
  MD5: 2dc139d82a2a5bf027bcb6a40f75b3f4
  SHA1: 53549df8a3a3115e316c5c34a79ceb8ca1b61b5b
  SHA256: eff3444317ceca3b4642ee4ad3ed947f7bb17e35976465fad686ddd52cfe8cc5
  SHA512: 780d8c107ec2eca2f08759c01b2dc2308f92c3d466eac46132dc8e279b0e770b4fdfd7f6dc672c2512bff9d334e3357176e82b5aadf5f16e84b724c19876a7da