422ba6dae6752430a2e52e1efb327f277e912ce551f9f1408ee6ab13ebf3717a

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
Size

80KB
MD5

dc01df3c40cb4fb0bef448693475ea1b
SHA1

a81ba37cce6201f5ad4d256c1eac55976cbdb5ac
SHA256

422ba6dae6752430a2e52e1efb327f277e912ce551f9f1408ee6ab13ebf3717a
SHA512

9160928492dd4ec28bb00fd00657cd05d104f4e4938dbf25f2acc65a5a0b0280a67a503e58713191a8b95709bdd2fd47439f61529733c7242792c59141359e29
SSDEEP

768:DAbj35jVq5PIZtsUD0oc75LXf+Dmu0+zaEMv38S/A6yM+tX/1M5F0knS3qXxDTgP:Eju5gQqhYf8m2aImH1m0uAB24CjFlKE

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	netmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk	netmgr.exe

Executes dropped EXE 1 IoCs

pid	Process
4372	netmgr.exe

Loads dropped DLL 1 IoCs

pid	Process
4372	netmgr.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DDB90A6D-70D2-11EF-9912-EEE1DD5A0987} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8CF2FF97-70D2-11EF-9912-EEE1DD5A0987} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31130847"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1681892535"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B6D4AF54-70D2-11EF-9912-EEE1DD5A0987} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8FE92B6E-70D2-11EF-9912-EEE1DD5A0987} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1632986595"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1635642251"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31130847"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1683924277"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31130847"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31130847"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4372	netmgr.exe
4372	netmgr.exe
4372	netmgr.exe
4372	netmgr.exe
4372	netmgr.exe
4372	netmgr.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1064	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
5048	IEXPLORE.EXE
2272	IEXPLORE.EXE
4372	netmgr.exe
2000	IEXPLORE.EXE
4372	netmgr.exe
3944	IEXPLORE.EXE
4372	netmgr.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1064	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
4372	netmgr.exe
4372	netmgr.exe
4372	netmgr.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
5048	IEXPLORE.EXE
5048	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
4396	IEXPLORE.EXE
4396	IEXPLORE.EXE
4396	IEXPLORE.EXE
4396	IEXPLORE.EXE
2000	IEXPLORE.EXE
2000	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
3944	IEXPLORE.EXE
3944	IEXPLORE.EXE
1900	IEXPLORE.EXE
1900	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 4372	1064	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe	84
PID 1064 wrote to memory of 4372	1064	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe	84
PID 1064 wrote to memory of 4372	1064	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe	84
PID 1064 wrote to memory of 956	1064	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe	86
PID 1064 wrote to memory of 956	1064	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe	86
PID 1064 wrote to memory of 956	1064	dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe	86
PID 4372 wrote to memory of 4460	4372	netmgr.exe	94
PID 4372 wrote to memory of 4460	4372	netmgr.exe	94
PID 4372 wrote to memory of 4460	4372	netmgr.exe	94
PID 4460 wrote to memory of 5048	4460	iexplore.exe	95
PID 4460 wrote to memory of 5048	4460	iexplore.exe	95
PID 5048 wrote to memory of 2936	5048	IEXPLORE.EXE	96
PID 5048 wrote to memory of 2936	5048	IEXPLORE.EXE	96
PID 5048 wrote to memory of 2936	5048	IEXPLORE.EXE	96
PID 4372 wrote to memory of 1528	4372	netmgr.exe	100
PID 4372 wrote to memory of 1528	4372	netmgr.exe	100
PID 4372 wrote to memory of 1528	4372	netmgr.exe	100
PID 1528 wrote to memory of 2272	1528	iexplore.exe	101
PID 1528 wrote to memory of 2272	1528	iexplore.exe	101
PID 2272 wrote to memory of 4396	2272	IEXPLORE.EXE	102
PID 2272 wrote to memory of 4396	2272	IEXPLORE.EXE	102
PID 2272 wrote to memory of 4396	2272	IEXPLORE.EXE	102
PID 4372 wrote to memory of 4876	4372	netmgr.exe	105
PID 4372 wrote to memory of 4876	4372	netmgr.exe	105
PID 4372 wrote to memory of 4876	4372	netmgr.exe	105
PID 4876 wrote to memory of 2000	4876	iexplore.exe	106
PID 4876 wrote to memory of 2000	4876	iexplore.exe	106
PID 2000 wrote to memory of 2184	2000	IEXPLORE.EXE	107
PID 2000 wrote to memory of 2184	2000	IEXPLORE.EXE	107
PID 2000 wrote to memory of 2184	2000	IEXPLORE.EXE	107
PID 4372 wrote to memory of 1152	4372	netmgr.exe	108
PID 4372 wrote to memory of 1152	4372	netmgr.exe	108
PID 4372 wrote to memory of 1152	4372	netmgr.exe	108
PID 1152 wrote to memory of 3944	1152	iexplore.exe	109
PID 1152 wrote to memory of 3944	1152	iexplore.exe	109
PID 3944 wrote to memory of 1900	3944	IEXPLORE.EXE	110
PID 3944 wrote to memory of 1900	3944	IEXPLORE.EXE	110
PID 3944 wrote to memory of 1900	3944	IEXPLORE.EXE	110

C:\Users\Admin\AppData\Local\Temp\dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\netmgr.exe
  "C:\Users\Admin\AppData\Local\Temp\netmgr.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    -nohome
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5048
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5048 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2936
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    -nohome
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4396
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    -nohome
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2184
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    -nohome
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3944
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3944 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
5f81c2f0e32c339ad20a7b38cb5b684b

SHA1
4196d08225494b3da7819301cac57f3618ef8aa7

SHA256
f1465c392ed09e095c9ed94934a546cd13bcf3c2f5fcd669bb58fb1475fc3b39

SHA512
fff25d77166243ec1c5e029ca5c51b605228e6faebbc08834c3bc9c1042f14596c062e9ab9f9cc6567f5ba3bb0679a4fc833704fbef0c91a1461bc005d4bf19b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
e8356122a72dbbbf2d2837f2ac068b49

SHA1
02e7829fef15e387c3c352494d2e326d6c12c2dd

SHA256
a81b7834e05496ced29b2d2f2848241c2445db502f393250d2d4b8444cd68a72

SHA512
d5ba35e45a94e0a91eddb299aba6cd0ac42a54a922162de5c66f4c57c5055f6b6383b2f9bd1da11c41da0fb9dace5718b81ea000c855326e3f235a7b3c329e10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8CF2FF97-70D2-11EF-9912-EEE1DD5A0987}.dat

Filesize
5KB

MD5
52438b446e55238e2ed47f47491ea839

SHA1
6c1bb7163fa73107c7056dc044177338e8edd228

SHA256
b18bed856aea88d08a0ad9d6a807c0ba65e4ed03e787bc5e9305abe3015fabeb

SHA512
7847688cd4cbcd03762c8eb4fa9b400a65c8ab95585a3ea453fe853f6b7786bd9b39cdecd86a1b2d4ca06a88d95b3ef32420a7759345b4fc5e71b327667ed589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8FE92B6E-70D2-11EF-9912-EEE1DD5A0987}.dat

Filesize
5KB

MD5
f6e7b0681c1e9d371f32a2dabd87935c

SHA1
411b72a52dee442949d826e0323f7037575eaa60

SHA256
a1943e92242cd503c765bc1fb5054dad80d1b15aee812a3c9f3b630b4cbd8e6d

SHA512
b03fcd7e68f683c75681e2a7b47d921193e4dc20a646249f378ef273fa5820492fc265540ba93f3693ebc07e150bc3fcded2b1ee8e81c376b0db3bcd8e2038ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8FE92B6E-70D2-11EF-9912-EEE1DD5A0987}.dat

Filesize
4KB

MD5
cd831bec1404de9cfd8dc07ce2c2a00d

SHA1
1df2f3c35b2631377eeedc170024fdfbbf2329b5

SHA256
5f660923929bf8fe7cc5aaf943ed50c7b889354aba88b4d3c1f1eb88893546be

SHA512
f6af4558c6ab2a0b98f7e38da4e3166de19accedfece4afa8c5a664dc2f2c3d8da15464492bce83b88b281235684a061d645e56e17d0e79e06a83265629d6dcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4329235D\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\netmgr.dll

Filesize
49KB

MD5
d24fa8bc709ada9af8d4d755c132290f

SHA1
6dbe09062fd25a7c05002bf72ca86da35777b47d

SHA256
9a62e435a04486c6acafd602f782cf1ed0ac65a0159c6c47ed4fad996c1799ff

SHA512
6386ee31f577ccedc3fc50a6224f07c10fd0a019eac8c8de940c46a7ca56386527678ddfe080f59cf33ce44974273f8e93e1f65a680af1ed55a56f3c4cb26ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\netmgr.exe

Filesize
16KB

MD5
ff04126a5d61a10c81bfd0a6d0a643d0

SHA1
ffab0d227b67c60de19af0f3b3b05c7e6fa7eedc

SHA256
5a9d84792a06b3d2037f567e0f57781722a950d485854cf5e4042cbdd51d82af

SHA512
d22771de0ca11e2efcdcbebae6de8fbc4865a45a3e3aff8eafab8da2fc75dab8a1256ae62ed7463d039c4fe045d4f9d6e161b5fc225583334750f9613199cd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\perf2012.ini

Filesize
145B

MD5
3404edfd6310bca1c2e0b3d49281b267

SHA1
e845182b7ef9d7dda499ce5806401b8e063ed7fc

SHA256
8330f32dff8de2a6d6bd38a3b4081ab7bc8aea3595b2ee6382c93c93ea571c60

SHA512
89c8af65e3d6b1a4932ab77c851489e4a39109c559caac92506dd84b78a354d101e32fe16e8828ed22260a90b3b3df613cff0c20cc51e10205dfb1e9b3ee870f

Download Submit