Malware Analysis Report

2024-10-16 02:23

Sample ID 240712-kv1cbawfpp
Target 3cb96fe79aa01c82ac68c54e88918e57_JaffaCakes118
SHA256 d3931ee10daf52359a7591418690f97d4dd2c053624b231358e433f9e58769ca
Tags
isfb gozi
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d3931ee10daf52359a7591418690f97d4dd2c053624b231358e433f9e58769ca

Threat Level: Known bad

The file 3cb96fe79aa01c82ac68c54e88918e57_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

isfb gozi

Gozi family

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-12 08:56

Signatures

Gozi family

gozi

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-12 08:56

Reported

2024-07-12 08:58

Platform

win7-20240704-en

Max time kernel

148s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cb96fe79aa01c82ac68c54e88918e57_JaffaCakes118.exe"

Signatures

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | C:\Users\Admin\AppData\Local\Temp\3cb96fe79aa01c82ac68c54e88918e57_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk | C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk | C:\Users\Admin\AppData\Local\Temp\3cb96fe79aa01c82ac68c54e88918e57_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9472B1D1-402C-11EF-9CB8-C278C12D1CB0} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426936436" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2112 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\3cb96fe79aa01c82ac68c54e88918e57_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe
PID 2292 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2844 wrote to memory of 2852 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2852 wrote to memory of 2516 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2292 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2096 wrote to memory of 1752 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2852 wrote to memory of 1488 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2292 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1792 wrote to memory of 2832 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2852 wrote to memory of 1696 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2292 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2548 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2852 wrote to memory of 1516 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\3cb96fe79aa01c82ac68c54e88918e57_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3cb96fe79aa01c82ac68c54e88918e57_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe

"C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

-nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\iexplore.exe

-nohome12.ini

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:209930 /prefetch:2

C:\Program Files (x86)\Internet Explorer\iexplore.exe

-nohome12.ini

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:406551 /prefetch:2

C:\Program Files (x86)\Internet Explorer\iexplore.exe

-nohome12.ini

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:668686 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Roaming\Adobe\netmgr.exe

MD5 a6d89df2a80675980fb3e4a9bcc162e2
SHA1 28ebac4db777095888b0ac79762097c49dfac0e7
SHA256 6fd002fdcdc1a8447f03c227abd3e6551f9179ed79e39591069bca4b9fc9d6a8
SHA512 35f1c1728d8d864898e2be9a0fd078a79af39a37428826380a7ba976c373a4984451e68c5eb9d8966d0061140eb1f8c57fcf871972db67ef959b8b36c673cb32

C:\Users\Admin\AppData\Roaming\Adobe\netmgr.dll

MD5 ffd43ae9ebb59c9fd3b5a2b52addaed7
SHA1 b274ba1e9e386ecd129bc4957f1bc5d73056e0a2
SHA256 c2c601b8a7d8511853a9e5a09bf78af1ea2fe481529e216ca9c42bc2ecbbe3a9
SHA512 2f87022ee56ba03e06e271aacde55933e9f4cc83b314c5817a8391a5b15b23230d5baf674eeac792933f9bd5c2d6ea495a74edc581df76d3e7a9b0d506636271

C:\Users\Admin\AppData\Roaming\Adobe\perf2012.ini

MD5 3ecb2f912c4a7e7365d9908b6900ec8a
SHA1 c823dec745baaf854a5ac17b633f31a18cb3d8df
SHA256 540546114eb029124055e6422203e5ff804f181cce7ceeb0de896d64362dd139
SHA512 babfc384543c6c218d0151f833388b8dd687c5f1b4e41bcb216630d5586f631a7f99ff8f41cad847817cefaafaddcf563cbd0a0fdb69ee59c9a59c2a386534d8

C:\Users\Admin\AppData\Local\Temp\CabDE9F.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarDF3E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-12 08:56

Reported

2024-07-12 08:58

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cb96fe79aa01c82ac68c54e88918e57_JaffaCakes118.exe"

Signatures

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk | C:\Users\Admin\AppData\Local\Temp\3cb96fe79aa01c82ac68c54e88918e57_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | C:\Users\Admin\AppData\Local\Temp\3cb96fe79aa01c82ac68c54e88918e57_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk | C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31118393" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427539543" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1763195617" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31118393" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31118393" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1760851586" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{94A0618B-402C-11EF-A8A8-C6F7DEB4B7CA} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31118393" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1760851586" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1824289303" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3632 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\3cb96fe79aa01c82ac68c54e88918e57_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe
PID 3632 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\3cb96fe79aa01c82ac68c54e88918e57_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe
PID 3632 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\3cb96fe79aa01c82ac68c54e88918e57_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe
PID 4232 wrote to memory of 448 N/A C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4232 wrote to memory of 448 N/A C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4232 wrote to memory of 448 N/A C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 448 wrote to memory of 4972 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 448 wrote to memory of 4972 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4972 wrote to memory of 2784 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4972 wrote to memory of 2784 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4972 wrote to memory of 2784 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4232 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4232 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4232 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1060 wrote to memory of 2056 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1060 wrote to memory of 2056 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4972 wrote to memory of 3596 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4972 wrote to memory of 3596 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4972 wrote to memory of 3596 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4232 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4232 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4232 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4664 wrote to memory of 1892 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4664 wrote to memory of 1892 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4972 wrote to memory of 3576 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4972 wrote to memory of 3576 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4972 wrote to memory of 3576 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4232 wrote to memory of 232 N/A C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4232 wrote to memory of 232 N/A C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4232 wrote to memory of 232 N/A C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 232 wrote to memory of 1160 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 232 wrote to memory of 1160 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4972 wrote to memory of 4184 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4972 wrote to memory of 4184 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4972 wrote to memory of 4184 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\3cb96fe79aa01c82ac68c54e88918e57_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3cb96fe79aa01c82ac68c54e88918e57_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe

"C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

-nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4972 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Internet Explorer\iexplore.exe

-nohome12.ini

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4972 CREDAT:17414 /prefetch:2

C:\Program Files (x86)\Internet Explorer\iexplore.exe

-nohome12.ini

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4972 CREDAT:17420 /prefetch:2

C:\Program Files (x86)\Internet Explorer\iexplore.exe

-nohome12.ini

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4972 CREDAT:17426 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe

C:\Users\Admin\AppData\Roaming\Adobe\netmgr.dll

C:\Users\Admin\AppData\Roaming\Adobe\perf2012.ini

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WZ04RUV6\suggestions[1].en-US
