a7ad629c0d5323a126e66d26e41d9f516467d208c0ca71be3d3db94a5b5af081

Analysis

max time kernel
150s
max time network
132s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Size

570KB
MD5

b505c838d1ff40fd639e762f4594075c
SHA1

ddc06b4a856bffdfb686812012080451d2e14dbc
SHA256

a7ad629c0d5323a126e66d26e41d9f516467d208c0ca71be3d3db94a5b5af081
SHA512

8f50b3e8452ecefcfb7a0335942686d86481d5adab3ea806bde158c3fda84891ab5fb843fc43f731c96ea074c3027f902c9da540a573816d1c5459388288d257
SSDEEP

12288:zANwRo+mv8QD4+0V16/5UfeNB6efhgBdStUgkPM94MR:zAT8QE+kX420XR

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2600	holyshit.exe

Loads dropped DLL 4 IoCs

pid	Process
2520	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
2520	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
2520	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
2600	holyshit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winloge = "C:\\Users\\Admin\\AppData\\Roaming\\holyshit.exe"	holyshit.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	holyshit.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	holyshit.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4DA0049-4863-40D8-A1A4-801F8409D8CA}\ProxyStubClsid32	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4DA0049-4863-40D8-A1A4-801F8409D8CA}\TypeLib\ = "{6234C2B1-54E6-4F4F-96A8-40EE1DB40867}"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4DA0049-4863-40D8-A1A4-801F8409D8CA}\TypeLib	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\InprocServer32\ThreadingModel = "Apartment"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D1D1BE37-54DE-4B41-B3DC-7A9C873B2792}\ProxyStubClsid	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4DA0049-4863-40D8-A1A4-801F8409D8CA}\ProxyStubClsid	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{6234C2B1-54E6-4F4F-96A8-40EE1DB40867}\8.0\ = "WebPRoject"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4DA0049-4863-40D8-A1A4-801F8409D8CA}\TypeLib\Version = "8.0"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\Control\	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Roaming\\WebProject.ocx, 30000"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D1D1BE37-54DE-4B41-B3DC-7A9C873B2792}\ = "Neutralize"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\Control	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebPRoject.Neutralize\ = "WebPRoject.Neutralize"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{6234C2B1-54E6-4F4F-96A8-40EE1DB40867}\8.0	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{6234C2B1-54E6-4F4F-96A8-40EE1DB40867}\8.0\FLAGS\ = "2"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D1D1BE37-54DE-4B41-B3DC-7A9C873B2792}	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4DA0049-4863-40D8-A1A4-801F8409D8CA}\ProxyStubClsid32	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4DA0049-4863-40D8-A1A4-801F8409D8CA}\TypeLib\ = "{6234C2B1-54E6-4F4F-96A8-40EE1DB40867}"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\VERSION	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\VERSION\ = "8.0"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{6234C2B1-54E6-4F4F-96A8-40EE1DB40867}\8.0\FLAGS	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{6234C2B1-54E6-4F4F-96A8-40EE1DB40867}\8.0\0	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4DA0049-4863-40D8-A1A4-801F8409D8CA}\ = "__Neutralize"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\ProgID	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D1D1BE37-54DE-4B41-B3DC-7A9C873B2792}\ = "_Neutralize"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4DA0049-4863-40D8-A1A4-801F8409D8CA}	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4DA0049-4863-40D8-A1A4-801F8409D8CA}\TypeLib\Version = "8.0"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4DA0049-4863-40D8-A1A4-801F8409D8CA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WebPRoject.Neutralize\Clsid	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\MiscStatus\1\ = "131473"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{6234C2B1-54E6-4F4F-96A8-40EE1DB40867}\8.0\0\win32	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D1D1BE37-54DE-4B41-B3DC-7A9C873B2792}\TypeLib\Version = "8.0"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1D1BE37-54DE-4B41-B3DC-7A9C873B2792}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4DA0049-4863-40D8-A1A4-801F8409D8CA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\MiscStatus	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D1D1BE37-54DE-4B41-B3DC-7A9C873B2792}\TypeLib\ = "{6234C2B1-54E6-4F4F-96A8-40EE1DB40867}"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4DA0049-4863-40D8-A1A4-801F8409D8CA}	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\InprocServer32	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4DA0049-4863-40D8-A1A4-801F8409D8CA}\ = "Neutralize"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4DA0049-4863-40D8-A1A4-801F8409D8CA}\TypeLib	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\ToolboxBitmap32	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\TypeLib	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\TypeLib\ = "{6234C2B1-54E6-4F4F-96A8-40EE1DB40867}"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{6234C2B1-54E6-4F4F-96A8-40EE1DB40867}	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{6234C2B1-54E6-4F4F-96A8-40EE1DB40867}\8.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\WebProject.ocx"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{6234C2B1-54E6-4F4F-96A8-40EE1DB40867}\8.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\WebProject.ocx"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D1D1BE37-54DE-4B41-B3DC-7A9C873B2792}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{6234C2B1-54E6-4F4F-96A8-40EE1DB40867}\8.0\HELPDIR	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1D1BE37-54DE-4B41-B3DC-7A9C873B2792}\ = "_Neutralize"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\MiscStatus\1	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4DA0049-4863-40D8-A1A4-801F8409D8CA}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D1D1BE37-54DE-4B41-B3DC-7A9C873B2792}\ProxyStubClsid32	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1D1BE37-54DE-4B41-B3DC-7A9C873B2792}\TypeLib\Version = "8.0"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4DA0049-4863-40D8-A1A4-801F8409D8CA}\ = "__Neutralize"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\ProgID\ = "WebPRoject.Neutralize"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFAB8ABE-7619-4F41-885B-A0978E17AFC8}\Implemented Categories	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D1D1BE37-54DE-4B41-B3DC-7A9C873B2792}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D1D1BE37-54DE-4B41-B3DC-7A9C873B2792}\TypeLib	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe
2600	holyshit.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2600	2520	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2600	2520	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2600	2520	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2600	2520	b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b505c838d1ff40fd639e762f4594075c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Roaming\holyshit.exe
  C:\Users\Admin\AppData\Roaming\holyshit.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\WebProject.ocx

Filesize
48KB

MD5
686f8494e71de081c5bb8c6888fceb0d

SHA1
07ee5026a08f952d12d1bcad6f6a319c6b0a6f5d

SHA256
2c5925e725c873b2988456d083555028d4aa91132b85d55cbe3c13821f736fe0

SHA512
ca3ce4b514f69d15b50a9346561124c674951d7ed87da3e2f2166dea3d5b9bb721cdae6fb3c5f0d904f7a5d8520e1563adfcbc7d2913f21c232c767016ad695b

Download Submit
\Users\Admin\AppData\Roaming\holyshit.exe

Filesize
20KB

MD5
bcf781e1e9dacfafc428dfd74b6d2607

SHA1
34e05431184e0bfa38bc146593183297831924a2

SHA256
e236ffb6e458cb169ad4473d759b2247debb2cfa65fe379e309de734a1d5f2f7

SHA512
9c5c1cd141b4c871a5f21ed0340a08a40ee00765d932a95019cf4ccbc905cc6305d3fae46f89960b199887e68c4ca05f56e5ee215884af66bf33a99fcf4a87ae

Download Submit
memory/2520-33-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2600-32-0x0000000004BA0000-0x0000000005C02000-memory.dmp

Filesize
16.4MB

Download