618a75808b11fba4d1501587f2df23c6bf4094a474497a1f15fb85bbdc6cd593

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
Size

224KB
MD5

13b3cb819b460591c27e133e93fb8661
SHA1

33157a630a00078ac106f05ebd90feb1e61fb46d
SHA256

618a75808b11fba4d1501587f2df23c6bf4094a474497a1f15fb85bbdc6cd593
SHA512

d0853c6f3734ccbce7092c233c5ae582aba7ece330459b2a280199e19b7ae10fcd844307a2bb85f81b2b0d46235ca3241286740027cee157deba46b621ac43b4
SSDEEP

3072:j78yHpYetDrHNsbqrf29rGHWwsMr7w2nu+PpAgxs9D/sv9Z:j78yHp9rQ85RZr0ku+cD/cZ

Score

7^/10

Malware Config

Signatures

Drops startup file 4 IoCs

Processes:

13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exenetmgr.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk	netmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	netmgr.exe

Executes dropped EXE 1 IoCs

Processes:

netmgr.exe

pid process

5052 netmgr.exe
Loads dropped DLL 1 IoCs

Processes:

netmgr.exe

pid process

5052 netmgr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5052	netmgr.exe

pid	process
5052	netmgr.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115288"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5E015990-340B-11EF-90FA-C21B8D59DC13} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "847115767"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31115288"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115288"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115288"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "910240909"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426205864"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115288"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{89B8B6F3-340B-11EF-90FA-C21B8D59DC13} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "848834725"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "911959973"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{61E852AD-340B-11EF-90FA-C21B8D59DC13} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31115288"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "848834725"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B181F618-340B-11EF-90FA-C21B8D59DC13} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

netmgr.exe

pid process

5052 netmgr.exe
5052 netmgr.exe
5052 netmgr.exe
5052 netmgr.exe
5052 netmgr.exe
5052 netmgr.exe
Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exeIEXPLORE.EXEIEXPLORE.EXEnetmgr.exeIEXPLORE.EXEIEXPLORE.EXE

pid process

300 13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
1460 IEXPLORE.EXE
3684 IEXPLORE.EXE
5052 netmgr.exe
1888 IEXPLORE.EXE
5052 netmgr.exe
64 IEXPLORE.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exenetmgr.exe

pid process

300 13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
5052 netmgr.exe
5052 netmgr.exe

pid	process
5052	netmgr.exe
5052	netmgr.exe
5052	netmgr.exe
5052	netmgr.exe
5052	netmgr.exe
5052	netmgr.exe

pid	process
300	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
1460	IEXPLORE.EXE
3684	IEXPLORE.EXE
5052	netmgr.exe
1888	IEXPLORE.EXE
5052	netmgr.exe
64	IEXPLORE.EXE

pid	process
300	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
5052	netmgr.exe
5052	netmgr.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1460	IEXPLORE.EXE
1460	IEXPLORE.EXE
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
3684	IEXPLORE.EXE
3684	IEXPLORE.EXE
4600	IEXPLORE.EXE
4600	IEXPLORE.EXE
4600	IEXPLORE.EXE
4600	IEXPLORE.EXE
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE
4856	IEXPLORE.EXE
4856	IEXPLORE.EXE
4856	IEXPLORE.EXE
4856	IEXPLORE.EXE
64	IEXPLORE.EXE
64	IEXPLORE.EXE
3388	IEXPLORE.EXE
3388	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exenetmgr.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 300 wrote to memory of 5052	300	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe	netmgr.exe
PID 300 wrote to memory of 5052	300	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe	netmgr.exe
PID 300 wrote to memory of 5052	300	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe	netmgr.exe
PID 300 wrote to memory of 4720	300	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe	cmd.exe
PID 300 wrote to memory of 4720	300	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe	cmd.exe
PID 300 wrote to memory of 4720	300	13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe	cmd.exe
PID 5052 wrote to memory of 1248	5052	netmgr.exe	iexplore.exe
PID 5052 wrote to memory of 1248	5052	netmgr.exe	iexplore.exe
PID 5052 wrote to memory of 1248	5052	netmgr.exe	iexplore.exe
PID 1248 wrote to memory of 1460	1248	iexplore.exe	IEXPLORE.EXE
PID 1248 wrote to memory of 1460	1248	iexplore.exe	IEXPLORE.EXE
PID 1460 wrote to memory of 4280	1460	IEXPLORE.EXE	IEXPLORE.EXE
PID 1460 wrote to memory of 4280	1460	IEXPLORE.EXE	IEXPLORE.EXE
PID 1460 wrote to memory of 4280	1460	IEXPLORE.EXE	IEXPLORE.EXE
PID 5052 wrote to memory of 4720	5052	netmgr.exe	iexplore.exe
PID 5052 wrote to memory of 4720	5052	netmgr.exe	iexplore.exe
PID 5052 wrote to memory of 4720	5052	netmgr.exe	iexplore.exe
PID 4720 wrote to memory of 3684	4720	iexplore.exe	IEXPLORE.EXE
PID 4720 wrote to memory of 3684	4720	iexplore.exe	IEXPLORE.EXE
PID 3684 wrote to memory of 4600	3684	IEXPLORE.EXE	IEXPLORE.EXE
PID 3684 wrote to memory of 4600	3684	IEXPLORE.EXE	IEXPLORE.EXE
PID 3684 wrote to memory of 4600	3684	IEXPLORE.EXE	IEXPLORE.EXE
PID 5052 wrote to memory of 3772	5052	netmgr.exe	iexplore.exe
PID 5052 wrote to memory of 3772	5052	netmgr.exe	iexplore.exe
PID 5052 wrote to memory of 3772	5052	netmgr.exe	iexplore.exe
PID 3772 wrote to memory of 1888	3772	iexplore.exe	IEXPLORE.EXE
PID 3772 wrote to memory of 1888	3772	iexplore.exe	IEXPLORE.EXE
PID 1888 wrote to memory of 4856	1888	IEXPLORE.EXE	IEXPLORE.EXE
PID 1888 wrote to memory of 4856	1888	IEXPLORE.EXE	IEXPLORE.EXE
PID 1888 wrote to memory of 4856	1888	IEXPLORE.EXE	IEXPLORE.EXE
PID 5052 wrote to memory of 524	5052	netmgr.exe	iexplore.exe
PID 5052 wrote to memory of 524	5052	netmgr.exe	iexplore.exe
PID 5052 wrote to memory of 524	5052	netmgr.exe	iexplore.exe
PID 524 wrote to memory of 64	524	iexplore.exe	IEXPLORE.EXE
PID 524 wrote to memory of 64	524	iexplore.exe	IEXPLORE.EXE
PID 64 wrote to memory of 3388	64	IEXPLORE.EXE	IEXPLORE.EXE
PID 64 wrote to memory of 3388	64	IEXPLORE.EXE	IEXPLORE.EXE
PID 64 wrote to memory of 3388	64	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:300

C:\Users\Admin\AppData\Local\Temp\netmgr.exe
"C:\Users\Admin\AppData\Local\Temp\netmgr.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5052

C:\Program Files (x86)\Internet Explorer\iexplore.exe
-nohome
3⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1460

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1460 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4280

C:\Program Files (x86)\Internet Explorer\iexplore.exe
-nohome
3⤵
- Suspicious use of WriteProcessMemory
PID:4720

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3684

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3684 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4600

C:\Program Files (x86)\Internet Explorer\iexplore.exe
-nohome
3⤵
- Suspicious use of WriteProcessMemory
PID:3772

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1888 CREDAT:17410 /prefetch:2
5⤵
- Suspicious use of SetWindowsHookEx
PID:4856

C:\Program Files (x86)\Internet Explorer\iexplore.exe
-nohome
3⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:64

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:64 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\13b3cb819b460591c27e133e93fb8661_JaffaCakes118.exe
2⤵
PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4084,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=3684 /prefetch:8
1⤵
PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
5f0847e5a15af2d7923393c3cd30c5d1

SHA1
326c44f2bc29ec6578a400d6d46361efcb013540

SHA256
28766e681bf500e9cddbcd3275cd898c4165354ad087c2461d9ee374a7e2221e

SHA512
a83751183cd1f2ac063a0077f8edfaecda72a4649437070c83f88151c822ff42d43fb8a291c123af2598e10d15cbdc147cef353b2149baca9462fb02e3d67a06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
10cdfaf5a13511467401f163fb7c5dad

SHA1
68069bef7994dbaf3d890acff2868148c65195c1

SHA256
18c5600cfd022d07747ec5fd03839ec882f12b0ebf318b359a6ee22d16af678c

SHA512
3f9f86dcc4e18ae29339db2c49d7373e25b1f688a32262c8f541044351c1efc344afc13d16ac265ee96cb909367388e067e05590b65c5f6d82f95ae4f416ee21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5E015990-340B-11EF-90FA-C21B8D59DC13}.dat
Filesize
5KB

MD5
ed4cb3e038f2fd12135bdcf80d481e64

SHA1
641abd11c6ecd1f100d0fa77700ae529f20bbdc3

SHA256
ec9e75389908043a42d818aa493c30e69732790b81bd06062f8ef532d4df6d19

SHA512
39cc41aa433e9f5c33ea985475b0144d835d42732fa4445173490c8b0729161030d5bec8f2777fd1c9bc12ede0e211b96020e03270a162961af53e990878c1cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{61E852AD-340B-11EF-90FA-C21B8D59DC13}.dat
Filesize
5KB

MD5
f2bded359c70af197490b05015a2ff11

SHA1
f684983617b0536e9fef1d22be09affbe5d7e4b7

SHA256
ba7d85a9aea6caaf936d6b1588192c8da2af72005b22a527f338f32a3873f4f5

SHA512
7410c7f64fadabe3a7ab1614bf0f61cf12ca9f692200a7704aef4d758fdc1ce0e9b3b4083f8b213a34fbca9550b224859318136a9830818b16d9215efdc9a925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{61E852AD-340B-11EF-90FA-C21B8D59DC13}.dat
Filesize
4KB

MD5
47c6df5d5e7b33fa6a3af33c55437449

SHA1
b299f35637b703d4122d09aab13e3bc588bd51fb

SHA256
89a97d5a86ff68805caa064636412b80c4b4590ca5e2c40a3b19157d37fc5d8b

SHA512
a030ec4974c60e59dc8bcbc32e4c0abf0ea5a724d4214b8b480058f8d102d27e743277962bd184cf63f642c2b9c121952d0310e0f519c91fd7aa303fdee3871c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver79CF.tmp
Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QZRYTBAT\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\netmgr.dll
Filesize
130KB

MD5
3fdd7a1ac800d5f0ea46e3a5bd46a6d5

SHA1
3e68e322fb1eb8489fdfbfb91edc4839076d7b0a

SHA256
4c84d0c716dca56e0c4b7974895e2c65672760f4dc6df77824cc23419911d993

SHA512
9d249c39b48c843c489b6f03978f0b7bbb19868be1f231871b2502ee20ab2a81c8be6f9c446cdfdcbc96a2cad2526329f8636b4992b5b009499568d361f6c9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\netmgr.exe
Filesize
16KB

MD5
6d49cdbade7541d46be3fb47a0f563bb

SHA1
4ccb8adcada3fa48b8241cd935db60fdf55a3704

SHA256
2635a89660d6c99fa852258704e00f097f24c10343bb523f1e212dd09835459a

SHA512
6cf79b4cee52db109eb45d5b3fceee832c9a5b223fe843c54aec84516dc261d1d1f5942fb3a7377b63d347e170edc5e76f542fbbe084d377cb48292410b24246

Download Submit
C:\Users\Admin\AppData\Local\Temp\perf2012.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\perf2012.ini
Filesize
137B

MD5
f9695c9b318bf4e3416ad9a087473417

SHA1
767c3076f2328313ae9b36f510b6c002d964f161

SHA256
a82447489c446fedd980fd52f43c645394adcde827a9aa6b0c3530705b5e2484

SHA512
0e714fb203ed606645648e7d5008bef1fdcf6b1162d154374340468fce805ab3d2d9d363416b8c64790c47b4653ccba32f58a00346542e09db3a1e909968bf13

Download Submit