618a75808b11fba4d1501587f2df23c6bf4094a474497a1f15fb85bbdc6cd593

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
26-06-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
Size

224KB
MD5

13b3cb819b460591c27e133e93fb8661
SHA1

33157a630a00078ac106f05ebd90feb1e61fb46d
SHA256

618a75808b11fba4d1501587f2df23c6bf4094a474497a1f15fb85bbdc6cd593
SHA512

d0853c6f3734ccbce7092c233c5ae582aba7ece330459b2a280199e19b7ae10fcd844307a2bb85f81b2b0d46235ca3241286740027cee157deba46b621ac43b4
SSDEEP

3072:j78yHpYetDrHNsbqrf29rGHWwsMr7w2nu+PpAgxs9D/sv9Z:j78yHp9rQ85RZr0ku+cD/cZ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2832 cmd.exe

pid	process
2832	cmd.exe

Drops startup file 4 IoCs

Processes:

13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exenetmgr.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk	netmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	netmgr.exe

Executes dropped EXE 1 IoCs

Processes:

netmgr.exe

pid process

2308 netmgr.exe

pid	process
2308	netmgr.exe

Loads dropped DLL 7 IoCs

Processes:

13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exenetmgr.exe

pid	process
2480	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
2480	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
2480	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
2308	netmgr.exe
2308	netmgr.exe
2308	netmgr.exe
2308	netmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5CB1E631-340B-11EF-A05A-CE80800B5EC6} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{87244B11-340B-11EF-A05A-CE80800B5EC6} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425602761"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AE558EB1-340B-11EF-A05A-CE80800B5EC6} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

netmgr.exe

pid process

2308 netmgr.exe
2308 netmgr.exe
2308 netmgr.exe
Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exeIEXPLORE.EXEIEXPLORE.EXEnetmgr.exeIEXPLORE.EXEIEXPLORE.EXE

pid process

2480 13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
2680 IEXPLORE.EXE
2128 IEXPLORE.EXE
2308 netmgr.exe
1808 IEXPLORE.EXE
2308 netmgr.exe
1580 IEXPLORE.EXE
2308 netmgr.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exenetmgr.exe

pid process

2480 13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
2308 netmgr.exe
2308 netmgr.exe
2308 netmgr.exe

pid	process
2308	netmgr.exe
2308	netmgr.exe
2308	netmgr.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE
264	IEXPLORE.EXE
264	IEXPLORE.EXE
264	IEXPLORE.EXE
264	IEXPLORE.EXE
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exenetmgr.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2480 wrote to memory of 2308	2480	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe	netmgr.exe
PID 2480 wrote to memory of 2308	2480	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe	netmgr.exe
PID 2480 wrote to memory of 2308	2480	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe	netmgr.exe
PID 2480 wrote to memory of 2308	2480	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe	netmgr.exe
PID 2480 wrote to memory of 2832	2480	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe	cmd.exe
PID 2480 wrote to memory of 2832	2480	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe	cmd.exe
PID 2480 wrote to memory of 2832	2480	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe	cmd.exe
PID 2480 wrote to memory of 2832	2480	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe	cmd.exe
PID 2308 wrote to memory of 2692	2308	netmgr.exe	iexplore.exe
PID 2308 wrote to memory of 2692	2308	netmgr.exe	iexplore.exe
PID 2308 wrote to memory of 2692	2308	netmgr.exe	iexplore.exe
PID 2308 wrote to memory of 2692	2308	netmgr.exe	iexplore.exe
PID 2692 wrote to memory of 2680	2692	iexplore.exe	IEXPLORE.EXE
PID 2692 wrote to memory of 2680	2692	iexplore.exe	IEXPLORE.EXE
PID 2692 wrote to memory of 2680	2692	iexplore.exe	IEXPLORE.EXE
PID 2692 wrote to memory of 2680	2692	iexplore.exe	IEXPLORE.EXE
PID 2680 wrote to memory of 2800	2680	IEXPLORE.EXE	IEXPLORE.EXE
PID 2680 wrote to memory of 2800	2680	IEXPLORE.EXE	IEXPLORE.EXE
PID 2680 wrote to memory of 2800	2680	IEXPLORE.EXE	IEXPLORE.EXE
PID 2680 wrote to memory of 2800	2680	IEXPLORE.EXE	IEXPLORE.EXE
PID 2308 wrote to memory of 3040	2308	netmgr.exe	iexplore.exe
PID 2308 wrote to memory of 3040	2308	netmgr.exe	iexplore.exe
PID 2308 wrote to memory of 3040	2308	netmgr.exe	iexplore.exe
PID 2308 wrote to memory of 3040	2308	netmgr.exe	iexplore.exe
PID 3040 wrote to memory of 2128	3040	iexplore.exe	IEXPLORE.EXE
PID 3040 wrote to memory of 2128	3040	iexplore.exe	IEXPLORE.EXE
PID 3040 wrote to memory of 2128	3040	iexplore.exe	IEXPLORE.EXE
PID 3040 wrote to memory of 2128	3040	iexplore.exe	IEXPLORE.EXE
PID 2128 wrote to memory of 2396	2128	IEXPLORE.EXE	IEXPLORE.EXE
PID 2128 wrote to memory of 2396	2128	IEXPLORE.EXE	IEXPLORE.EXE
PID 2128 wrote to memory of 2396	2128	IEXPLORE.EXE	IEXPLORE.EXE
PID 2128 wrote to memory of 2396	2128	IEXPLORE.EXE	IEXPLORE.EXE
PID 2308 wrote to memory of 2900	2308	netmgr.exe	iexplore.exe
PID 2308 wrote to memory of 2900	2308	netmgr.exe	iexplore.exe
PID 2308 wrote to memory of 2900	2308	netmgr.exe	iexplore.exe
PID 2308 wrote to memory of 2900	2308	netmgr.exe	iexplore.exe
PID 2900 wrote to memory of 1808	2900	iexplore.exe	IEXPLORE.EXE
PID 2900 wrote to memory of 1808	2900	iexplore.exe	IEXPLORE.EXE
PID 2900 wrote to memory of 1808	2900	iexplore.exe	IEXPLORE.EXE
PID 2900 wrote to memory of 1808	2900	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 264	1808	IEXPLORE.EXE	IEXPLORE.EXE
PID 1808 wrote to memory of 264	1808	IEXPLORE.EXE	IEXPLORE.EXE
PID 1808 wrote to memory of 264	1808	IEXPLORE.EXE	IEXPLORE.EXE
PID 1808 wrote to memory of 264	1808	IEXPLORE.EXE	IEXPLORE.EXE
PID 2308 wrote to memory of 1552	2308	netmgr.exe	iexplore.exe
PID 2308 wrote to memory of 1552	2308	netmgr.exe	iexplore.exe
PID 2308 wrote to memory of 1552	2308	netmgr.exe	iexplore.exe
PID 2308 wrote to memory of 1552	2308	netmgr.exe	iexplore.exe
PID 1552 wrote to memory of 1580	1552	iexplore.exe	IEXPLORE.EXE
PID 1552 wrote to memory of 1580	1552	iexplore.exe	IEXPLORE.EXE
PID 1552 wrote to memory of 1580	1552	iexplore.exe	IEXPLORE.EXE
PID 1552 wrote to memory of 1580	1552	iexplore.exe	IEXPLORE.EXE
PID 1580 wrote to memory of 3052	1580	IEXPLORE.EXE	IEXPLORE.EXE
PID 1580 wrote to memory of 3052	1580	IEXPLORE.EXE	IEXPLORE.EXE
PID 1580 wrote to memory of 3052	1580	IEXPLORE.EXE	IEXPLORE.EXE
PID 1580 wrote to memory of 3052	1580	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Local\Temp\netmgr.exe
"C:\Users\Admin\AppData\Local\Temp\netmgr.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2308

C:\Program Files (x86)\Internet Explorer\iexplore.exe
-nohome
3⤵
- Suspicious use of WriteProcessMemory
PID:2692

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Program Files (x86)\Internet Explorer\iexplore.exe
-nohome
3⤵
- Suspicious use of WriteProcessMemory
PID:3040

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2128 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2396

C:\Program Files (x86)\Internet Explorer\iexplore.exe
-nohome
3⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1808 CREDAT:275457 /prefetch:2
5⤵
- Suspicious use of SetWindowsHookEx
PID:264

C:\Program Files (x86)\Internet Explorer\iexplore.exe
-nohome
3⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1580 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
2⤵
- Deletes itself
PID:2832

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8d7460695a25fa5a5c67d6e4455a6287

SHA1
4c6a851cc573e3f2120f2ba3805d2f85e50c5193

SHA256
5d0401c8bc46a0c821c9027c8b33d888aa14cb1c39b06031100b83af36606796

SHA512
782c36bf78f4f250c26362c9676700659a2a17000086a508c96981ea2693b73e7b3894423b5bf2ed42e2de884ef0e7ca8f43b0bc459ce645009e35c2da666352

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4683b7bbd250af1b957b87b27c10aec7

SHA1
047581ab0176f4dcdfff0de8d02e0303acbfcd4d

SHA256
6b5b8df23476ee43bfea673e0b336c3bc5a7f7cad08a39989b84f3006b1a6ac0

SHA512
e869084c3ce843be300826228d20645e747d138460f9a1ba85db47a47b40a3e061dacca7ebaa112182423d258d40436fa1edb9fcff63f4a0383e1695239f8d4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a689588fb772c4571b2ce9ccfc39cc2a

SHA1
332cc54405a0c053134b4b8aa60449fa38c2c775

SHA256
f5d3d707aff8339c9bec1afce684acbab279d4bd95450809cc2ac06e5d01dc1c

SHA512
3c9ac03a994d0e701a64ef060123a0be92f6cff513d75dcb31351057f58d5f2b1085d2cafda6a3acf7be1ac7e819c88eb8219d0a1fefadfa05a9b3b94222782d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
aa548c3ff2c5aa5233b704a5c5c5e758

SHA1
8d39d582bfabe04378c7d6d998967639beeee46e

SHA256
74981993afc543b9af5c06e18e3ce993304c6354300617f8596b590a6adbd267

SHA512
43e7550fd253a20807f4e338fedb65273ea11efc85ad43341825c3a896fb2c92b6db553c8a027d3b834b1534fac39e2e7a35469d8a1a79ed7af673f4a29492e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
11f90b12f1e699d08783250a92e26dfd

SHA1
9db0be873095cb7121901c4bb83df825b4f0fe7d

SHA256
af8e7c0f3dc8179d1a75f8a66e0440ac76ca6735d1e12af2d62df0870feae9a9

SHA512
c2fb41c13c0fb0785c9dc2a0ad8ffec093ac2c7353d24c0858f48fe054633c490bb96fe69dbf55456b3c397b24cadc6aeaa6e3f3fad63ed973959e4513238c76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a862529d872a3a6d213f90ef963ba1ab

SHA1
c7560b2413f51316fe4428e22e5ec1ffbe2583eb

SHA256
e404adc4b482b1222d46ff17f37ac5a3eea868162aaeba6884b9c12362a6ac08

SHA512
105281040deb5b6fc1b0cca2f7465a3486cde0f3a10a72ae368f3d744005e593c9e6f829e25bde26e377c7ad0734fcec4cb0731aa8482048a5c8b54ecb9bb293

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d0e3c7ccef08a5f74d4557dc3d92a845

SHA1
a4d6e46de41cc28c2cba76a058d9f8fd0c727805

SHA256
d23fbcbbea9185fe9e0f5b7d1ed00808ebff9325abc80573703c1977b218c891

SHA512
902098231d60d7560b9291342156cc30abdb9e962f8b19640e059c8b12be3e5f7f0d153cb47da0444fc772785cb7ed76eee0029657d8b142b327751f12c744a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c3d0262b14d69b3b04dc1d4d5d18d830

SHA1
410c5fd9ed07933a450a9bc7b528bab59fde75f7

SHA256
310640163b1f51318b17c2cbb9064e16b63a255aa0b1d0762ab8e04fb9f208bb

SHA512
68ba737de91da817308486e3ded23844a64d5028ceaaf2721da302d021f5ef45e7f327ecf856a6cc0e802e9dd1943c1bf9973847771ef319d2cec9a3ad8f2e3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c3cb9443fb1c4ad703855d7baa927247

SHA1
6c45b85b601a78ae84e1f6c0aad4c8975cc9ccd7

SHA256
18561b978769ca614efc1a739f66ba6a48f922e8d8c6286c9110678011a7ff5c

SHA512
2fc370c59a0035cf9a9fb95d25adc524dce57b75597313781af523f0a6af9bbf3bbb491da0f27875a98bb88467c3a9706cece6c4383d9dda131e330fdd223ad2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
02666420f8ae9e313578ae92eaa666c6

SHA1
00b256f63137f0e0515c35631ef9419627d0033b

SHA256
e86a743a0e07abc2c9ef7d1aab85219469f77270bef4891175907cd4c55f0b9c

SHA512
f514b04021321392209dcda37f76c56f9a75e38a5333cef3707f9570260dab37bdd8508bea055020afd9b5d93aa9b89434cecc7b5f0aaf7845ea3cfdfb962de4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
68d0d2a433b7e59fc891cdeef6b5fb01

SHA1
23e3dabe611bae033f556310c412916fe74763d4

SHA256
16a168500e5c28486e9c650ba6308f56e66626ea0cce0cc41cc2183d9e506b66

SHA512
c00e36b3dac159a1cfd4be6862a72c1d491b7f5ff6c39840fa74935bd29c53531c23b1d25c80677fe49c10e44325d11ef3004caf60e45f7e0cd5c8593ec81891

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2453c7ae429b1e9e7bfae5689d43f2e3

SHA1
5c3ffe1f9b8e9327f87951cefecaf46a8465646f

SHA256
d2cba84c22da5ddb1adab80ac2a0a1c129aacb55d919e4fef7e9ca825b1e4e79

SHA512
6e90b5df1af33dde8b4244f3d9875a6b8eb2ec558617c3b4de19f26920af6d649962962bb1288b83f83c62b422be3456337d38ac32dea6fa0289db5ce2b5358e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
47b4424cdefdef31d0158e5a7f367562

SHA1
6dfb5a47369252272ec9874904ac28d4e3994add

SHA256
9521d482244e2d4d9ea7b5ac1fee5bc2b64bcc27ebe38425d25b934a4e6d134e

SHA512
8e14db0eca825e86c7d0491d71e730dd72d512b30a9cbc528019a48170d2b1395a82bc9c8b73f67b7d282ff511e3f32b678ce2f763ca96c805928b75c467f0d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
49623d33adfab699d62e5fb0c0abb6f1

SHA1
d7e651beca90f2d4234f73f1eb0817fd5360b813

SHA256
9f6c7cf746774e64d257dcca81ed9a581bc21695b824aab5ce893c91e0126e88

SHA512
a7e6b14409c88643082dae5dbe801e744766b498e54aef2d14200a27eda93c88f9ed017552eb1a49b458fddd1101331e8e1f06f6bf31b52213aa116cd0df1dd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
35a83eefd5b2f1d06b4c702085b4f7e4

SHA1
9403110d956c8a8ed32e5fee343ce9f055097430

SHA256
b1d3252cde080bb00af3fa42e70752a47174700d8b5d8d6c53b4c497b83dab0c

SHA512
db1f918709345737ab4a64f83c6e7a928322a74c89dac0024221b60dedbc6da17adebe878fcf70ce9d7b2fe168c238fd9ff2e2f55d8846dee69899f51276e4ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5f085ed3f9bdf3cfdfd43f74715a00bb

SHA1
10ccb9a4734d73b6bfbe2bf7270e3c8d50d16fb1

SHA256
507227d8838eefd4db799df86240159a9823c4e69b2ab2ca2e26e15d43b4b7c9

SHA512
aef7d9167141352f170c68bdd897f1860f94f1f66876337c49ddf14d7ad5eef029140b3f540cd0cf6426e7aaf67079b34313038ceccf3dbaa473f83173ebe106

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
802e5a0d17f7ac61d174e5c8035344d6

SHA1
7b6acae34e40dc91ceffc61fc217aeabafb559bc

SHA256
1611658875b119a384bbfd8e46ea7244a349a5ae584ca3b4912008389f65a124

SHA512
9437afa8bc9e966f79a988184d926d5ff2da0259c8990d2d2877db34459854dff8eded7fd364d6682b2306a6858ec0da4e9509ec0378d9e864592057c4bcadc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7300170f1db2faee2b857693e08e9237

SHA1
13030ede0c536aca26502468051f0c8f2bd687a6

SHA256
aaf9a322288de74365c5d9d1bc99e14997ec9c18be7d188135e49810ef918b97

SHA512
2d564e06363538e795bfa4b15d76a89b8fbf6c70460835ce3c0fe300f87d1a0f6ff3fefb80ed5803e720ba5145e0d261c3dbf43f777742311579364554737855

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2c6dae6b16f2a98ea817fb8c5bbe09e8

SHA1
5d050483f0aa3ddb716b11856091ee694fa7371d

SHA256
a8f635837afca5bcad5ace5aafe0ddfff21ff7910651634ab8a814c335b56265

SHA512
123bf89d7a1cef29acf5acfed5afc1a1de2d23f66b62a0ca3b0b3ca2819698a9f406b6f56416f9ed470c2caf9dbbdcd55bb01fcee29f52266b39f95d01d028e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ddca6133ed365755b07c0a43cb3d63c0

SHA1
dbba15637db17e38113114f843cdb55f0a97574d

SHA256
c5166fb2a7f514eca2f9e554c50ec06162f6f3c1170070e6bbcb2db16297f15c

SHA512
9ca1abdfdad76a748c3618cf0f6d79b713a87cf0311f2dc86bc9bc33affd069b325b5bbaebfc9bc28472c8b44d7f5b1d8cc73ce717fb7feacaba77da1ff8088c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5CB1E631-340B-11EF-A05A-CE80800B5EC6}.dat
Filesize
5KB

MD5
1eb6ca0921ff045fdc182115927c7753

SHA1
2232a1425b9f7cdd5ad8370c753a184b0a10dc3d

SHA256
3378840a7ece5695edd4c94228ad5e543012f8f5ebe14688cc6b948c2f0d370f

SHA512
a3d0192eba91df992364d60bee7578d3c74ae05386b90cf944f7f7beee410f873b37ec98067b20cdd86a0cee198dbe5f5fc26b190744de691a4f2a5d27e575f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5FF0A611-340B-11EF-A05A-CE80800B5EC6}.dat
Filesize
5KB

MD5
2f2ecc5ea2a8b83696f9d242b2df37fa

SHA1
f1483b12c7c472815147bfb46d80b2611c8fef90

SHA256
0bcdefe4fcfc1a4fc2661667acdbd3135565af6ffae5574cee099208c2e648fe

SHA512
f5f5455288ad1f5a7d1a446b227c78d9c8b957ec30a9930bd307443c94d59f07097884e0627d5172136fa25ac401e89d99b145bdc51b3fe937d7f9b1562aa4f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5FF0A611-340B-11EF-A05A-CE80800B5EC6}.dat
Filesize
4KB

MD5
26e5bd48fdad7630f502e3244812b8c1

SHA1
ad4e4e06265b2160f2dddecaf5fc6918f8bca983

SHA256
637bf9394a85d12f07c17e59881e9d08b21b8ef268d75140f59792ae3425a880

SHA512
638087f0b3151a38fba182c8add81e944df09152353bddee2efec4f28213731127164c1e4f02847b32517466cafa9785ee82556becfddf498667d41d8dcb87a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2E42.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2F01.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\netmgr.dll
Filesize
130KB

MD5
3fdd7a1ac800d5f0ea46e3a5bd46a6d5

SHA1
3e68e322fb1eb8489fdfbfb91edc4839076d7b0a

SHA256
4c84d0c716dca56e0c4b7974895e2c65672760f4dc6df77824cc23419911d993

SHA512
9d249c39b48c843c489b6f03978f0b7bbb19868be1f231871b2502ee20ab2a81c8be6f9c446cdfdcbc96a2cad2526329f8636b4992b5b009499568d361f6c9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\perf2012.ini
Filesize
137B

MD5
f9695c9b318bf4e3416ad9a087473417

SHA1
767c3076f2328313ae9b36f510b6c002d964f161

SHA256
a82447489c446fedd980fd52f43c645394adcde827a9aa6b0c3530705b5e2484

SHA512
0e714fb203ed606645648e7d5008bef1fdcf6b1162d154374340468fce805ab3d2d9d363416b8c64790c47b4653ccba32f58a00346542e09db3a1e909968bf13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\netmgr.exe
Filesize
16KB

MD5
6d49cdbade7541d46be3fb47a0f563bb

SHA1
4ccb8adcada3fa48b8241cd935db60fdf55a3704

SHA256
2635a89660d6c99fa852258704e00f097f24c10343bb523f1e212dd09835459a

SHA512
6cf79b4cee52db109eb45d5b3fceee832c9a5b223fe843c54aec84516dc261d1d1f5942fb3a7377b63d347e170edc5e76f542fbbe084d377cb48292410b24246

Download Submit