4d1f652eab422d52dfb60a5a8f928f99288d590452359e8494761de2387bc468

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

858a11b0097df26c5721f4d15f997bff_JaffaCakes118.exe
Size

31KB
MD5

858a11b0097df26c5721f4d15f997bff
SHA1

71a0a7dc8dbf58ba72eaafbde003140ded893e0b
SHA256

4d1f652eab422d52dfb60a5a8f928f99288d590452359e8494761de2387bc468
SHA512

280a23c3fc1f7bc0e232f3e2f346f8ac651bbe8545051d475b4b0ef1e22d8273318555270e3ab7b37f22deb294c535e29febf1bc13e0a2a8984f599e98ffd9f1
SSDEEP

768:+W5zBCTMjhS3Pxwfnb0/i96+C1PpRBnbcuyD7U:7MTMjhSZwfWi0PhpRBnouy8

Score

8^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\start = "C:\\Program Files (x86)\\NetProject\\sbmntr.exe"	sbmntr.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000234bb-7.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
3568	sbmntr.exe
1472	sbsm.exe

Loads dropped DLL 1 IoCs

pid	Process
3568	sbmntr.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/624-0-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/files/0x000b0000000234b3-3.dat	upx
behavioral2/memory/3568-5-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/files/0x00070000000234bb-7.dat	upx
behavioral2/memory/3568-10-0x0000000010000000-0x000000001000B000-memory.dmp	upx
behavioral2/memory/624-17-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/3568-18-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	sbmntr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}\	sbmntr.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NetProject\sbmntr.exe	858a11b0097df26c5721f4d15f997bff_JaffaCakes118.exe
File created	C:\Program Files (x86)\NetProject\sbmdl.dll	sbmntr.exe
File created	C:\Program Files (x86)\NetProject\sbun.exe	858a11b0097df26c5721f4d15f997bff_JaffaCakes118.exe
File created	C:\Program Files (x86)\NetProject\sbsm.exe	sbmntr.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	858a11b0097df26c5721f4d15f997bff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sbmntr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sbsm.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	sbmntr.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}	sbmntr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\DisplayName = "Search"	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\MenuText = "IE Anti-Spyware"	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\Exec = "http://www.ieservicegate.com/redirect.php"	sbmntr.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Search	sbmntr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\URL = "http://www.gatetofind.com/index.php?b=1&t=0&q={searchTerms}"	sbmntr.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\SearchScopes	sbmntr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}"	sbmntr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	sbmntr.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\xxx = "xxx"	sbmntr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32\ = "C:\\Program Files (x86)\\NetProject\\sbmdl.dll"	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32\ThreadingModel = "Apartment"	sbmntr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID	sbmntr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}	sbmntr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
624	858a11b0097df26c5721f4d15f997bff_JaffaCakes118.exe
624	858a11b0097df26c5721f4d15f997bff_JaffaCakes118.exe
3568	sbmntr.exe
3568	sbmntr.exe
1472	sbsm.exe
1472	sbsm.exe
1472	sbsm.exe
3568	sbmntr.exe
1472	sbsm.exe
3568	sbmntr.exe
1472	sbsm.exe
3568	sbmntr.exe
1472	sbsm.exe
3568	sbmntr.exe
1472	sbsm.exe
1472	sbsm.exe
3568	sbmntr.exe
3568	sbmntr.exe
3568	sbmntr.exe
1472	sbsm.exe
3568	sbmntr.exe
1472	sbsm.exe
1472	sbsm.exe
3568	sbmntr.exe
1472	sbsm.exe
3568	sbmntr.exe
1472	sbsm.exe
3568	sbmntr.exe
3568	sbmntr.exe
1472	sbsm.exe
1472	sbsm.exe
3568	sbmntr.exe
1472	sbsm.exe
3568	sbmntr.exe
3568	sbmntr.exe
1472	sbsm.exe
3568	sbmntr.exe
1472	sbsm.exe
1472	sbsm.exe
3568	sbmntr.exe
3568	sbmntr.exe
1472	sbsm.exe
3568	sbmntr.exe
1472	sbsm.exe
1472	sbsm.exe
3568	sbmntr.exe
3568	sbmntr.exe
1472	sbsm.exe
3568	sbmntr.exe
1472	sbsm.exe
3568	sbmntr.exe
3568	sbmntr.exe
1472	sbsm.exe
1472	sbsm.exe
3568	sbmntr.exe
1472	sbsm.exe
1472	sbsm.exe
3568	sbmntr.exe
3568	sbmntr.exe
1472	sbsm.exe
1472	sbsm.exe
3568	sbmntr.exe
1472	sbsm.exe
3568	sbmntr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 3568	624	858a11b0097df26c5721f4d15f997bff_JaffaCakes118.exe	83
PID 624 wrote to memory of 3568	624	858a11b0097df26c5721f4d15f997bff_JaffaCakes118.exe	83
PID 624 wrote to memory of 3568	624	858a11b0097df26c5721f4d15f997bff_JaffaCakes118.exe	83
PID 3568 wrote to memory of 1472	3568	sbmntr.exe	84
PID 3568 wrote to memory of 1472	3568	sbmntr.exe	84
PID 3568 wrote to memory of 1472	3568	sbmntr.exe	84

C:\Users\Admin\AppData\Local\Temp\858a11b0097df26c5721f4d15f997bff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\858a11b0097df26c5721f4d15f997bff_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:624
- C:\Program Files (x86)\NetProject\sbmntr.exe
  "C:\Program Files (x86)\NetProject\sbmntr.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Program Files (x86)\NetProject\sbsm.exe
    "C:\Program Files (x86)\NetProject\sbsm.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\NetProject\sbmdl.dll

Filesize
10KB

MD5
c209d22d35f5687817b79a9e767b7a4f

SHA1
5f9193bf597dcfd84548a012b9d53791f24d2e1b

SHA256
5b32979194a4f62e6c188a6763b0b027cd168db1f84fb6939a7edeb43ac64e5e

SHA512
73fd6431bb65ffab91e9a06d8747198898f9e11e02f3342ba0d6afc28414f89372549ab727ca368b98289a61645ecd35e72e272ac704588a805faee53ad76ed3

Download Submit
C:\Program Files (x86)\NetProject\sbmntr.exe

Filesize
19KB

MD5
8245884d12ff9ff4502b3b21a3b8ded0

SHA1
a9f0c6f07a35d46f5e42e20a34d65649c353df89

SHA256
46b8290aa9efec051976ed64bc9749c8cd7aa1a5321a72f375f2cab49a9391f6

SHA512
f08a652e6342f7e2654bc4f56fc5ba3c5c60874520d4e17508234b28e8d36fa97d8369931f763840200ec7fdd466db70c31e32693f2278126b140ba9e334558b

Download Submit
C:\Program Files (x86)\NetProject\sbsm.exe

Filesize
5KB

MD5
71a0a391d84bef1434da89fafaaf8f70

SHA1
906ba7209af06159593ce8b3c3886652b57aa468

SHA256
79283937cdb0c680feb7e0b8ffcd1f66f8386ea852261a340da54d73b13d98ce

SHA512
b66336bcd1cf2c7a93ceeabdadc1a18ab13b08b1ce772f926ee8bf78008625ddd9292c47852ea2331369422118c41b6b3ca5a1583e47ba38f1d607384c79def0

Download Submit
memory/624-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/624-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3568-5-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3568-10-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/3568-18-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3568-20-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download