8d2483fbb42d3aaef61834d0836ade5401598083f3d53d0bd72ef52e2d59b591

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8ac17d3eaca23970764c4dbd30bb714c.exe
Size

28KB
MD5

8ac17d3eaca23970764c4dbd30bb714c
SHA1

027be9cc96a5b8e7ca1d1d1aebf167514675148e
SHA256

8d2483fbb42d3aaef61834d0836ade5401598083f3d53d0bd72ef52e2d59b591
SHA512

655883ae8c9c1be0ccf88504960e6246377688d050c5e10d384cc576eba4d4b2f14eb0e05b4a026d9f6c2260e945bb73cba103546ea5ba73da06156d3a35916b
SSDEEP

768:iPQsFltEC3ApuX29mS05KJRc5E4iVsqNfjx:5sFltECwCKmSAARuEnsq5jx

Score

8^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\start = "C:\\Program Files (x86)\\NetProject\\sbmntr.exe"	sbmntr.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000015d8f-16.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2752	sbmntr.exe
2668	sbsm.exe

Loads dropped DLL 5 IoCs

pid	Process
2760	JaffaCakes118_8ac17d3eaca23970764c4dbd30bb714c.exe
2760	JaffaCakes118_8ac17d3eaca23970764c4dbd30bb714c.exe
2752	sbmntr.exe
2752	sbmntr.exe
2752	sbmntr.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}\	sbmntr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	sbmntr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}	sbmntr.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2760-1-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0008000000015d7e-5.dat	upx
behavioral1/memory/2760-13-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2752-14-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0007000000015d8f-16.dat	upx
behavioral1/memory/2752-18-0x0000000010000000-0x0000000010009000-memory.dmp	upx
behavioral1/memory/2752-21-0x00000000003A0000-0x00000000003A7000-memory.dmp	upx
behavioral1/files/0x0007000000015d9a-20.dat	upx
behavioral1/memory/2752-28-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2668-32-0x0000000000400000-0x0000000000407000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NetProject\sbmntr.exe	JaffaCakes118_8ac17d3eaca23970764c4dbd30bb714c.exe
File created	C:\Program Files (x86)\NetProject\sbun.exe	JaffaCakes118_8ac17d3eaca23970764c4dbd30bb714c.exe
File created	C:\Program Files (x86)\NetProject\sbmdl.dll	sbmntr.exe
File created	C:\Program Files (x86)\NetProject\sbsm.exe	sbmntr.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sbmntr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sbsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8ac17d3eaca23970764c4dbd30bb714c.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}	sbmntr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\URL = "http://www.searchagate.com/index.php?b=1&t=0&q={searchTerms}"	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\MenuText = "IE Anti-Spyware"	sbmntr.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Search	sbmntr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\DisplayName = "Search"	sbmntr.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	sbmntr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}"	sbmntr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\Exec = "http://www.gateietool.com/redirect.php"	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	sbmntr.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	sbmntr.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\xxx = "xxx"	sbmntr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32\ = "C:\\Program Files (x86)\\NetProject\\sbmdl.dll"	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32\ThreadingModel = "Apartment"	sbmntr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID	sbmntr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2760	JaffaCakes118_8ac17d3eaca23970764c4dbd30bb714c.exe
2752	sbmntr.exe
2668	sbsm.exe
2752	sbmntr.exe
2668	sbsm.exe
2752	sbmntr.exe
2668	sbsm.exe
2752	sbmntr.exe
2668	sbsm.exe
2668	sbsm.exe
2752	sbmntr.exe
2668	sbsm.exe
2752	sbmntr.exe
2668	sbsm.exe
2752	sbmntr.exe
2752	sbmntr.exe
2668	sbsm.exe
2668	sbsm.exe
2752	sbmntr.exe
2752	sbmntr.exe
2668	sbsm.exe
2668	sbsm.exe
2752	sbmntr.exe
2668	sbsm.exe
2752	sbmntr.exe
2668	sbsm.exe
2752	sbmntr.exe
2668	sbsm.exe
2752	sbmntr.exe
2752	sbmntr.exe
2668	sbsm.exe
2668	sbsm.exe
2752	sbmntr.exe
2668	sbsm.exe
2752	sbmntr.exe
2668	sbsm.exe
2752	sbmntr.exe
2752	sbmntr.exe
2668	sbsm.exe
2668	sbsm.exe
2752	sbmntr.exe
2752	sbmntr.exe
2668	sbsm.exe
2668	sbsm.exe
2752	sbmntr.exe
2668	sbsm.exe
2752	sbmntr.exe
2668	sbsm.exe
2752	sbmntr.exe
2752	sbmntr.exe
2668	sbsm.exe
2668	sbsm.exe
2752	sbmntr.exe
2668	sbsm.exe
2752	sbmntr.exe
2752	sbmntr.exe
2668	sbsm.exe
2668	sbsm.exe
2752	sbmntr.exe
2752	sbmntr.exe
2668	sbsm.exe
2752	sbmntr.exe
2668	sbsm.exe
2668	sbsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2752	2760	JaffaCakes118_8ac17d3eaca23970764c4dbd30bb714c.exe	30
PID 2760 wrote to memory of 2752	2760	JaffaCakes118_8ac17d3eaca23970764c4dbd30bb714c.exe	30
PID 2760 wrote to memory of 2752	2760	JaffaCakes118_8ac17d3eaca23970764c4dbd30bb714c.exe	30
PID 2760 wrote to memory of 2752	2760	JaffaCakes118_8ac17d3eaca23970764c4dbd30bb714c.exe	30
PID 2752 wrote to memory of 2668	2752	sbmntr.exe	31
PID 2752 wrote to memory of 2668	2752	sbmntr.exe	31
PID 2752 wrote to memory of 2668	2752	sbmntr.exe	31
PID 2752 wrote to memory of 2668	2752	sbmntr.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac17d3eaca23970764c4dbd30bb714c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac17d3eaca23970764c4dbd30bb714c.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Program Files (x86)\NetProject\sbmntr.exe
  "C:\Program Files (x86)\NetProject\sbmntr.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Program Files (x86)\NetProject\sbsm.exe
    "C:\Program Files (x86)\NetProject\sbsm.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\NetProject\sbmdl.dll

Filesize
7KB

MD5
77d82ed145df10f6b53f56611fa2e0de

SHA1
373afa0c2b3d995066d6c2bf4ae43d7cc7e72867

SHA256
bdf3d816b15d49c1e88e129b2312854c5824506395c5a727258848b3d838c4b0

SHA512
520e4a79221751e7dfc18e15de0ab3f80f6577eea9c3202a27a14cfb609ad2287b5cd5faf5d56f912a6a079691bc63d695ecadd4df187dfaa0b3b0a2600561cd

Download Submit
\Program Files (x86)\NetProject\sbmntr.exe

Filesize
16KB

MD5
89fccd75e8df23f50fece18855d47ff1

SHA1
0195bbbcc48bb1fae897caa35b5ad5741f5ed045

SHA256
6c3f934658cfbbc4ff9957dbd1c1e865d0f28168b1efc402aafc62bbfa236133

SHA512
c4688d4914ac72e30ed9b2f582d2f6b561cd49c4802f16eedd52b35fb3ab3a6f75cd121a48643d17c8d7eca148ec7b6373fcd932f3bdb8ef6c9fb03641a7105a

Download Submit
\Program Files (x86)\NetProject\sbsm.exe

Filesize
4KB

MD5
240af87df1a03e2f5ddffca47cd344b8

SHA1
092f4effe7945d69da6c460bd1f8b52aa55aa99b

SHA256
171b1469bcc031ed67a62e206eea81c3e993d54ccfcd4617803072dbd56fa42a

SHA512
3442e72412f75d26ee66dee068a7c005a1e82863db99e0ca93e70a60e381f35f486623c7a6bd21975621248e3d6fff010758e835203275e39a1ea3f44ab1e855

Download Submit
memory/2668-32-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2752-14-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2752-18-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/2752-21-0x00000000003A0000-0x00000000003A7000-memory.dmp

Filesize
28KB

Download
memory/2752-28-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2752-29-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/2752-30-0x00000000003A0000-0x00000000003A7000-memory.dmp

Filesize
28KB

Download
memory/2760-10-0x0000000000570000-0x000000000057B000-memory.dmp

Filesize
44KB

Download
memory/2760-4-0x0000000000570000-0x000000000057B000-memory.dmp

Filesize
44KB

Download
memory/2760-13-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2760-1-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download