422ba6dae6752430a2e52e1efb327f277e912ce551f9f1408ee6ab13ebf3717a

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
Size

80KB
MD5

dc01df3c40cb4fb0bef448693475ea1b
SHA1

a81ba37cce6201f5ad4d256c1eac55976cbdb5ac
SHA256

422ba6dae6752430a2e52e1efb327f277e912ce551f9f1408ee6ab13ebf3717a
SHA512

9160928492dd4ec28bb00fd00657cd05d104f4e4938dbf25f2acc65a5a0b0280a67a503e58713191a8b95709bdd2fd47439f61529733c7242792c59141359e29
SSDEEP

768:DAbj35jVq5PIZtsUD0oc75LXf+Dmu0+zaEMv38S/A6yM+tX/1M5F0knS3qXxDTgP:Eju5gQqhYf8m2aImH1m0uAB24CjFlKE

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2928	cmd.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk	netmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	netmgr.exe

Executes dropped EXE 1 IoCs

pid	Process
2840	netmgr.exe

Loads dropped DLL 7 IoCs

pid	Process
2872	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
2872	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
2872	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
2840	netmgr.exe
2840	netmgr.exe
2840	netmgr.exe
2840	netmgr.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DA64B1D1-70D2-11EF-8B05-6E295C7D81A3} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{89A32BF1-70D2-11EF-8B05-6E295C7D81A3} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8C9CE3F1-70D2-11EF-8B05-6E295C7D81A3} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2840	netmgr.exe
2840	netmgr.exe
2840	netmgr.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2872	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
2376	IEXPLORE.EXE
2608	IEXPLORE.EXE
2840	netmgr.exe
880	IEXPLORE.EXE
2840	netmgr.exe
2672	IEXPLORE.EXE
2840	netmgr.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2872	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
2840	netmgr.exe
2840	netmgr.exe
2840	netmgr.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
880	IEXPLORE.EXE
880	IEXPLORE.EXE
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE
2160	IEXPLORE.EXE
2160	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2840	2872	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2840	2872	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2840	2872	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2840	2872	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2928	2872	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2928	2872	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2928	2872	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2928	2872	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe	29
PID 2840 wrote to memory of 1956	2840	netmgr.exe	31
PID 2840 wrote to memory of 1956	2840	netmgr.exe	31
PID 2840 wrote to memory of 1956	2840	netmgr.exe	31
PID 2840 wrote to memory of 1956	2840	netmgr.exe	31
PID 1956 wrote to memory of 2376	1956	iexplore.exe	32
PID 1956 wrote to memory of 2376	1956	iexplore.exe	32
PID 1956 wrote to memory of 2376	1956	iexplore.exe	32
PID 1956 wrote to memory of 2376	1956	iexplore.exe	32
PID 2376 wrote to memory of 2600	2376	IEXPLORE.EXE	33
PID 2376 wrote to memory of 2600	2376	IEXPLORE.EXE	33
PID 2376 wrote to memory of 2600	2376	IEXPLORE.EXE	33
PID 2376 wrote to memory of 2600	2376	IEXPLORE.EXE	33
PID 2840 wrote to memory of 3004	2840	netmgr.exe	34
PID 2840 wrote to memory of 3004	2840	netmgr.exe	34
PID 2840 wrote to memory of 3004	2840	netmgr.exe	34
PID 2840 wrote to memory of 3004	2840	netmgr.exe	34
PID 3004 wrote to memory of 2608	3004	iexplore.exe	35
PID 3004 wrote to memory of 2608	3004	iexplore.exe	35
PID 3004 wrote to memory of 2608	3004	iexplore.exe	35
PID 3004 wrote to memory of 2608	3004	iexplore.exe	35
PID 2608 wrote to memory of 2668	2608	IEXPLORE.EXE	36
PID 2608 wrote to memory of 2668	2608	IEXPLORE.EXE	36
PID 2608 wrote to memory of 2668	2608	IEXPLORE.EXE	36
PID 2608 wrote to memory of 2668	2608	IEXPLORE.EXE	36
PID 2840 wrote to memory of 2340	2840	netmgr.exe	40
PID 2840 wrote to memory of 2340	2840	netmgr.exe	40
PID 2840 wrote to memory of 2340	2840	netmgr.exe	40
PID 2840 wrote to memory of 2340	2840	netmgr.exe	40
PID 2340 wrote to memory of 880	2340	iexplore.exe	41
PID 2340 wrote to memory of 880	2340	iexplore.exe	41
PID 2340 wrote to memory of 880	2340	iexplore.exe	41
PID 2340 wrote to memory of 880	2340	iexplore.exe	41
PID 880 wrote to memory of 2112	880	IEXPLORE.EXE	42
PID 880 wrote to memory of 2112	880	IEXPLORE.EXE	42
PID 880 wrote to memory of 2112	880	IEXPLORE.EXE	42
PID 880 wrote to memory of 2112	880	IEXPLORE.EXE	42
PID 2840 wrote to memory of 2344	2840	netmgr.exe	44
PID 2840 wrote to memory of 2344	2840	netmgr.exe	44
PID 2840 wrote to memory of 2344	2840	netmgr.exe	44
PID 2840 wrote to memory of 2344	2840	netmgr.exe	44
PID 2344 wrote to memory of 2672	2344	iexplore.exe	45
PID 2344 wrote to memory of 2672	2344	iexplore.exe	45
PID 2344 wrote to memory of 2672	2344	iexplore.exe	45
PID 2344 wrote to memory of 2672	2344	iexplore.exe	45
PID 2672 wrote to memory of 2160	2672	IEXPLORE.EXE	46
PID 2672 wrote to memory of 2160	2672	IEXPLORE.EXE	46
PID 2672 wrote to memory of 2160	2672	IEXPLORE.EXE	46
PID 2672 wrote to memory of 2160	2672	IEXPLORE.EXE	46

C:\Users\Admin\AppData\Local\Temp\dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\netmgr.exe
  "C:\Users\Admin\AppData\Local\Temp\netmgr.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    -nohome
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2376 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2600
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    -nohome
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2608 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2668
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    -nohome
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:880
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:880 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2112
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    -nohome
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37d88b3e6094de42fa65a0f79b10462c

SHA1
6c07db120f25876d91fcd8d6704e76861d3ce7a2

SHA256
b6aa3c13b83b894ea58cf29da7e9b3cfedd68f2c95180386497797c78ebcea6d

SHA512
0f259e812717c6c40fe478fad5648e411aa7cb62f39c1a012049b65c0c6c11c8c50303b765459947cacf9313a6cd54d49d6c6790e40e3e3f4034a5b5c61bed9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0d200c886167c4012f1ae6593910144

SHA1
583981a67241a9bd89fe5ba41f643e1e7d07d005

SHA256
54e80d4d111e72fefd28ac690097ad98bf12d893fb2e6e75f26296bb071ceaf8

SHA512
dad1bd32c95db0be92c7d055b72cc7a00bfb4faa143de78417fbb3eea60248240ae1500b4043a581e513c9c442a94b415ed3bae209b659a8bfff676ebc6da271

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
590ba50829d8256d34079c603f8e59a1

SHA1
41f722848b34a3c201fc2b9ed66e633bff10fc91

SHA256
968f3c64c3d2f8aa2c16b6e2e9a75b72e1254877d867113199194935a33fb9d8

SHA512
87fdbe6efb5113629be688325e9248f79ad3bcb13c1e3f7d343bd0e0c3d88b5a752e6c1d8f4365d5db10b7d554d5638e24bc5078bb6f0cbc194ea59027754d92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
241dc6510b95503d25d0b7a0fd5cf0f0

SHA1
6cc9982b5a6ad5b20681b0802cbe69c92da082b9

SHA256
cbf7fe00dca464ab28670a54debf5549dd63eeadec663804699938f47d0a60eb

SHA512
d495d4552d233727eb5cfcad8d9d7d7c156c57fcfaebadfac178015bb6eda89941e5861a69b1d2cda0ecbeb00c5f3820a5839202bd24e77f47f76873931e0bad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c08dd85e87304d028bd86f5ea5d90fa

SHA1
69ad3e21934f731417fe38d728121103cd57831e

SHA256
77e7f1c217a019e760d8c4dbfe59d544831c1488a67e858190cc5223f66c85f4

SHA512
39c160bb75159a36d600b97d2e26ddd8b115aae71168aefd6db2bdb811af2ec804262f8444675ac468c271b0272101fd498dcc2f07caf51f0c5e7c14c9a92b16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d2f1f12e5099e735097522a2db0d217

SHA1
63e052bb61673b721ddcae97e1b8f23aac757e6b

SHA256
f005595b8dd796869959112d99ff7cc9e240943f4809a790366f4309ab38b3a9

SHA512
82ed01e93ebe6668d6d849c5655db7e3d99f5f31f9a69793f508ddc48edc9abffde432a1fee9680bff5b6d68425cde94bf88ce3cbf619e74970356fb8af2edf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01cbe342ec72feb1f11803a40503c26c

SHA1
72cf0e348787ec1d9748700311b817551fa8e65a

SHA256
12f91427e2221c7f1106295fd4d6f3052bc228bbefa7f8297c5c9772625e6640

SHA512
d73bcb582e7f780d16b48e85bdba09024dcd642e080192492c8fe2bd9e5f4f1beaf278d1a0a05ea9646617cbeed6309d86e6e1c21f65290b4981622831861071

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6895383fb8ed0517b10f7d4de6fcf323

SHA1
2e6acb8c11d064b16c17d079415af79d3b8a0c31

SHA256
205bbfd43e129a52cc73b3f1066fd1c037e396cfb25e1f779a33479b82613493

SHA512
c95ff923e0f004f39a16f9d94a418fb7d25ef414b5272e1b298e7247a34c8410df0a17d72ebb43d1e30366b1dc83b7fdf793d03ea754bf77342fd1ea4fe2f79f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d40b9c1e5252bcaf92d4e9129a00f1f3

SHA1
614cf15c00c4801a3ecc4fff9607da7f97a07b83

SHA256
56dc8bb3fb33f48cc0dbbfb9184701c07c7ac1609d785bd6de95119e93d7bd04

SHA512
4c886bc3aa96a016d52236c3022a9b697ed3dd1e9ed4e4a9d9f20c4fcb87a837aa1cd4e31e0a26292a31a0b34a5d5b86d61a73fb3a7d29ffdf8bead2f441095e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e518a4efbd3e6d9be75c2982fb06b84

SHA1
5111b9535f54bc75d58cd989dd415c294f454ec3

SHA256
0671034bcc4742736d2f2e34cb0927049a11f9842c4a1dae7c7a8317fd5d2637

SHA512
b0943fc3a6f7883dfa5353eb5c7d3e5d0854184d0ea812ca7a107ed7285063395cffa1f14a20d61c389ed5bb139a9fe7db126b9d4df18e657ca8525b587eb761

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f628c487c6067d660e2f1838b788d842

SHA1
97c203e17a0a35313b327c4098e7bd25b75b5650

SHA256
bddd376c14076271f5c72e838c2bef07e1d6aaa57f63ccb8d15d6e7a840c4245

SHA512
fa8d3ba2f68bd81e2b25d8a65821324cec7eddde1223b5fc66cabcbcd92ed2100a7e829a03956aa7b3c3ac349c0cab20fe48935c19d9583e8b1707163b9d91df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9ef5e8cb0812a69496ec1254a1e69e2

SHA1
3e6843079268dce197a2d551715af1998a12ff87

SHA256
bcabc77b05317c68cef0b435f4354fbde7bc21ed11499f66f4ccd4692f3c29a3

SHA512
2b53dc819ea0df5b8c7d48ef9814d6b71215662763d979297bcf23c1c5bc64abb8c8e6ee8caea215e0ac5f94d0efc14436f9d2cadca463075db2d07bba9de91a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87aab4c46106b80d6b1d85ba7e5c0cf8

SHA1
d40472718eae3638502257a751ad7d47416ea82b

SHA256
84ecdf6e1951cf8ab96570a0381ed348021cfc2b51e651dbfd7396a3edf517b9

SHA512
cdbbc812e839c0e336106008e90f1dc7118349e055ffdb7a0f65f83a7be5c9dceb288cc72fae34eacea7e40f8d94e9488928715b6b24071411d0fd053553d999

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3de177c0b5c853ba5dd28500409ffbfa

SHA1
832173c9bf9577dcc9cfb5ca286884fdfb0a8ab0

SHA256
f37637fea12e5196e13ec36aba4e6136dae35f315df757c256f091893443fc34

SHA512
235c344ff7f6432e7d453209d2cb9fedadba570c66965be361881c28045d686d1b9886e86c8d44548709e25360b18da5c6c775f1a401089d858381ac3c0cf9ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04ab3b76239547cae460fa739dc91b5d

SHA1
8a51858ca1b6dd3cb534a8087ded89f993a7150e

SHA256
1a2118937ac77ca86bd44a4d3169dea281a3473ef5013b19b53ce076bf461a2a

SHA512
183e80fe60df527e731e23f4efc50c3efc55a8407c20ae4e75f524124af7e642c1f353f9118b5c40eb73d60da92d0be6b3eab17cb966d09dab65de66acf898dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
841e74aa67b718cd19d9da518e35a331

SHA1
6cecb5f5fc013a2c1a528283cc2b64a3d2120d0b

SHA256
5a81abb775e161d36180958fad03f92b1ba381121ac1d3e13fbbfd754e28bcd8

SHA512
aa282be20cb761d93de1aee57c0f2024ead25a9f5ff16897c1e321cf2f7c0847df415ddda21b16b33309f5c82ad574fd949e20a84d1a1c4962a75540089a74a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4553f7ffafa5e7936be29a894a4dd0f5

SHA1
07a6d206b0b8c6b941520202b528e11279bcf818

SHA256
74b13a55592e6bca7f779d4a7e3df63a175a430d274ba3c1df602287c4eda97c

SHA512
d8b422070859a7495454a83d41d0440d441a83b57eadc3df011c53c43d41247c1fc65141b0cb38aab678e70c20ce70300e10838e930347af5d8e8ee696c6a958

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b1983bdd284940499dd843714b18010

SHA1
cada1cd296d30242bd0bb4cae6f691c68244c9d8

SHA256
e07d2e620f556d8a473b8104be4c3ca8b15562321bda7214f10f02263f0473bf

SHA512
c51cacc10aeaaa379d0fd8f137abe2923fec2de399204a02a1d944fbacffa1a402cf7a4692db5b0a736c53fd8a756e0aa3be90cdf1a47edd73d0b36ac1c8df8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b19ffc8896a8c725398e9598378ddcce

SHA1
114304a2028a7013b47aea7be155de5695945c8a

SHA256
ce98522458c13e70ff235393d53aca810e4136db3b9287c8892ddc59c0342796

SHA512
913abd87ab8ad1c220c659a94d4082ac573e92878755c573a9870fc4dc18786a3c5994253abf20ee8efe5c6424c823f7ac0ecec1117e02bc7e151267b01d1619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{89A32BF1-70D2-11EF-8B05-6E295C7D81A3}.dat

Filesize
5KB

MD5
bee1aa46da88dff2de265e03d20c23de

SHA1
2fd7e8035d4418722a7ef47e5bdd3900a966dd5d

SHA256
2bd8ba7820071c533aa0207623a415166c356ddc6fdfbc79aefd840b811b5778

SHA512
3de8756466ba9795b1d6aa7f05b7edb2efa3b30ca63bc1b34603a63537b4217c171d522a96d4f927c9e1c3036fb47f8e8458069b4eb45748e11f72a148a12332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8C9CE3F1-70D2-11EF-8B05-6E295C7D81A3}.dat

Filesize
5KB

MD5
11cc6f395b4d7eb1a5e15b3baa39aecb

SHA1
5a93fc922cbc1b2a0ee7f0e0f52c589273a0b5a3

SHA256
68833d8b85209cd41d61c6b310e184ac51b08bbdc6c3247ea9e617696f7693f5

SHA512
b3261c0ad405b30184e29a9b8f4b09bbc1ee2e2b839509dcb718c47ab48ba35816e68e0f2a485604f32e64ae1d7cdc5c425ffa69a8869f4e73b3bdb8e769a13d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8C9CE3F1-70D2-11EF-8B05-6E295C7D81A3}.dat

Filesize
4KB

MD5
fc5c2bae174ab86ccd7412f26d4537de

SHA1
4344eaaacd43f5b6ef7ae2756fab4ba3782a7572

SHA256
17da30d2dafdc3fc569ccc11c28fe87b603fe28f63f8c3589c1bb1b41ba3f1b1

SHA512
ad836aaa1b1d84da3bdcce0bd919947bdcc6592f75074ce8134f63737233aa6341c463d987cfdf9e6a63db2b599d41516d3ddf5e48b8845a94b7887baa43d82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA6EA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA79A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\netmgr.dll

Filesize
49KB

MD5
d24fa8bc709ada9af8d4d755c132290f

SHA1
6dbe09062fd25a7c05002bf72ca86da35777b47d

SHA256
9a62e435a04486c6acafd602f782cf1ed0ac65a0159c6c47ed4fad996c1799ff

SHA512
6386ee31f577ccedc3fc50a6224f07c10fd0a019eac8c8de940c46a7ca56386527678ddfe080f59cf33ce44974273f8e93e1f65a680af1ed55a56f3c4cb26ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\perf2012.ini

Filesize
145B

MD5
3404edfd6310bca1c2e0b3d49281b267

SHA1
e845182b7ef9d7dda499ce5806401b8e063ed7fc

SHA256
8330f32dff8de2a6d6bd38a3b4081ab7bc8aea3595b2ee6382c93c93ea571c60

SHA512
89c8af65e3d6b1a4932ab77c851489e4a39109c559caac92506dd84b78a354d101e32fe16e8828ed22260a90b3b3df613cff0c20cc51e10205dfb1e9b3ee870f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk

Filesize
923B

MD5
49b02a47170a0b9a749569f0df175c24

SHA1
bcaea2cfe023e72990f28975eeae825ec0fbc525

SHA256
3dac3563e0f3d708c86f969e7344af9818a7a1f1f067c7197527204520529c57

SHA512
9b6907614559bcbd0aec4941ffce05b08e1f66d889e4779aba2140aeba7c453ed43d9f116157feb9ad17752d683758d41e8e39accbff5565fc7293c79fdc80a1

Download Submit
\Users\Admin\AppData\Local\Temp\netmgr.exe

Filesize
16KB

MD5
ff04126a5d61a10c81bfd0a6d0a643d0

SHA1
ffab0d227b67c60de19af0f3b3b05c7e6fa7eedc

SHA256
5a9d84792a06b3d2037f567e0f57781722a950d485854cf5e4042cbdd51d82af

SHA512
d22771de0ca11e2efcdcbebae6de8fbc4865a45a3e3aff8eafab8da2fc75dab8a1256ae62ed7463d039c4fe045d4f9d6e161b5fc225583334750f9613199cd56

Download Submit