Malware Analysis Report

2025-05-06 00:16

Sample ID 250124-be4v5atmep
Target JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40
SHA256 09b0f876f56db4bf8cce72a99089fb34f4c73d91cef525fc9c08a09a044d64fc
Tags blackshades defense_evasion discovery persistence rat upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 09b0f876f56db4bf8cce72a99089fb34f4c73d91cef525fc9c08a09a044d64fc

Threat Level: Known bad

The file JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat upx

Modifies firewall policy service

Blackshades

Blackshades family

Blackshades payload

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-24 01:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-24 01:04

Reported

2025-01-24 01:07

Platform

win7-20241010-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description | Indicator | Process | Target
(2 matches; no description, indicator, process or target exported)

Modifies firewall policy service

defense_evasion
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\local.exe = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Gun\update32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Gun\\update32.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Gun\update32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Gun\update32.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox = "C:\\Users\\Admin\\AppData\\Roaming\\Gun\\update32.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1008 set thread context of 4160 | N/A | C:\Users\Admin\AppData\Roaming\Gun\update32.exe | C:\Users\Admin\AppData\Roaming\Gun\update32.exe

UPX packed file

upx
Description | Indicator | Process | Target
(7 matches; no description, indicator, process or target exported)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe (5 rows) | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe (5 rows) | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Gun\update32.exe (2 rows) | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe (1 row) | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe (4 rows) | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege (36 rows, one per privilege, in this order) | N/A | C:\Users\Admin\AppData\Roaming\Gun\update32.exe | N/A

The bare numbers are privilege LUID values the report did not resolve to a name. Requesting every privilege from LUID 1 to 35 in sequence, instead of the one or two a program actually needs, is consistent with a loop that tries to enable everything the token may hold.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2424 wrote to memory of 7060 (4 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe | C:\Windows\SysWOW64\cmd.exe
PID 7060 wrote to memory of 2928 (4 rows) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2424 wrote to memory of 1008 (7 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe | C:\Users\Admin\AppData\Roaming\Gun\update32.exe
PID 1008 wrote to memory of 4160 (11 rows) | N/A | C:\Users\Admin\AppData\Roaming\Gun\update32.exe | C:\Users\Admin\AppData\Roaming\Gun\update32.exe
PID 4160 wrote to memory of 2960 (7 rows) | N/A | C:\Users\Admin\AppData\Roaming\Gun\update32.exe | C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3272 (7 rows) | N/A | C:\Users\Admin\AppData\Roaming\Gun\update32.exe | C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 2404 (7 rows) | N/A | C:\Users\Admin\AppData\Roaming\Gun\update32.exe | C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 5760 (7 rows) | N/A | C:\Users\Admin\AppData\Roaming\Gun\update32.exe | C:\Windows\SysWOW64\cmd.exe
PID 3272 wrote to memory of 5916 (7 rows) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2960 wrote to memory of 5948 (3 rows) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
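The rows above are one log line per WriteProcessMemory call, so the parent-child structure is buried in repetition. The Python below, added here as an example and not part of the sandbox report, rebuilds the process tree from those rows and singles out the 1008 -> 4160 pair: the only one where the writer also called SetThreadContext on the same PID (see the SetThreadContext table above) and where writer and target are the same image, update32.exe. That is the process-hollowing sequence: start a suspended copy of yourself, write the unpacked payload over it, redirect its main thread, resume. The event list is constructed from the two tables with identical rows collapsed to a count; the parent heuristic and the labels are the example's own.

```python
"""Rebuild the process tree from the sandbox's WriteProcessMemory and
SetThreadContext rows and flag the pair that looks like process hollowing.

Added example, not part of the report. The event rows below are constructed
from the behavioral1 tables (identical rows collapsed to a count); the
heuristic and its labels are this example's own.
"""
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe"
UPDATE = r"C:\Users\Admin\AppData\Roaming\Gun\update32.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"

# (indicator text, process image, target image, number of identical rows)
EVENTS = [
    ("PID 2424 wrote to memory of 7060", SAMPLE, CMD, 4),
    ("PID 7060 wrote to memory of 2928", CMD, REG, 4),
    ("PID 2424 wrote to memory of 1008", SAMPLE, UPDATE, 7),
    ("PID 1008 wrote to memory of 4160", UPDATE, UPDATE, 11),
    ("PID 1008 set thread context of 4160", UPDATE, UPDATE, 1),
    ("PID 4160 wrote to memory of 2960", UPDATE, CMD, 7),
    ("PID 4160 wrote to memory of 3272", UPDATE, CMD, 7),
    ("PID 4160 wrote to memory of 2404", UPDATE, CMD, 7),
    ("PID 4160 wrote to memory of 5760", UPDATE, CMD, 7),
    ("PID 3272 wrote to memory of 5916", CMD, REG, 7),
    ("PID 2960 wrote to memory of 5948", CMD, REG, 3),
]

EVENT_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")


def parse(events):
    """Yield (src_pid, dst_pid, kind, src_image, dst_image) once per logged row."""
    for text, src_img, dst_img, n in events:
        m = EVENT_RE.fullmatch(text)
        if not m:
            continue
        kind = "write" if m[2].startswith("wrote") else "ctx"
        for _ in range(n):
            yield int(m[1]), int(m[3]), kind, src_img, dst_img


def build_tree(events):
    """Return (parent, children, image). The first process that wrote into a
    PID is taken as its parent: that first write is CreateProcess setting up
    the child, which every parent does, injection or not."""
    parent, children, image = {}, defaultdict(list), {}
    for src, dst, _kind, src_img, dst_img in parse(events):
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        if dst not in parent:
            parent[dst] = src
            children[src].append(dst)
    return parent, children, image


def render(children, image, root, depth=0):
    """Indented one-line-per-process view, image paths reduced to basenames."""
    name = image[root].rsplit("\\", 1)[-1]
    lines = ["  " * depth + f"{root} {name}"]
    for child in children.get(root, []):
        lines.extend(render(children, image, child, depth + 1))
    return lines


def flag_hollowing(events):
    """A parent that both writes into a child and replaces the child's thread
    context is the WriteProcessMemory + SetThreadContext pattern of process
    hollowing. Writes alone are not flagged: every parent here writes into
    the cmd.exe and reg.exe children it spawns."""
    writes, ctx, images = Counter(), set(), {}
    for src, dst, kind, src_img, dst_img in parse(events):
        images[(src, dst)] = (src_img, dst_img)
        if kind == "write":
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    flagged = []
    for pair in ctx:
        if writes[pair]:
            label = "self-hollowing" if images[pair][0] == images[pair][1] else "hollowing"
            flagged.append((pair, writes[pair], label))
    return sorted(flagged)


if __name__ == "__main__":
    parent, children, image = build_tree(EVENTS)
    print("\n".join(render(children, image, 2424)))
    for (src, dst), n, label in flag_hollowing(EVENTS):
        print(f"{label}: {src} -> {dst} ({n} WriteProcessMemory calls)")
```

In the tree the sample spawns cmd.exe (which runs the .bat that adds the Run key) and a first update32.exe; that first update32.exe spawns a second copy of itself, writes into it eleven times and sets its thread context; the second copy is the one that then launches the four cmd.exe/reg.exe firewall writes. Hunting rule: same-image parent and child plus SetThreadContext from the parent, with the child's main image region later dumped from memory (the memory/4160-* files below).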

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\259522296.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "firefox" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Gun\update32.exe" /f

C:\Users\Admin\AppData\Roaming\Gun\update32.exe

"C:\Users\Admin\AppData\Roaming\Gun\update32.exe"

C:\Users\Admin\AppData\Roaming\Gun\update32.exe

"C:\Users\Admin\AppData\Roaming\Gun\update32.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Gun\update32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Gun\update32.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Gun\update32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Gun\update32.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
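Every reg.exe line above is one of three writes: the Run value "firefox" that points at update32.exe (persistence), DoNotAllowExceptions=0 under the legacy firewall StandardProfile key (re-enables the exception list), and AuthorizedApplications\List entries that allow update32.exe and local.exe through under the display name "Windows Messanger" (the misspelling is the malware's own string and a usable pivot). local.exe is never written in either run (see Files), so that exception is provisioned for a component this detonation did not drop. The Python below is an added example, not part of the report: it parses those command lines and classifies each write. The parser, the ATT&CK technique IDs and the user-writable-path heuristic are assumptions of the example.

```python
"""Classify the REG ADD command lines from the Processes list into the
persistence and firewall-tampering writes they implement.

Added example, not part of the report. The command lines are copied from the
report's Processes section; the parser, the technique IDs and the
user-writable-path heuristic are this example's own assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

COMMAND_LINES = [
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\259522296.bat" "',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "firefox" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Gun\update32.exe" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Gun\update32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Gun\update32.exe:*:Enabled:Windows Messanger" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Gun\update32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Gun\update32.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f',
]

# REG ADD <key> /v <name> /t <type> /d <data> [/f]; the key is quoted only when it has spaces
REG_ADD = re.compile(
    r'REG ADD\s+(?:"(?P<qkey>[^"]+)"|(?P<key>\S+))'
    r'\s+/v\s+"(?P<name>[^"]+)"\s+/t\s+(?P<type>\S+)\s+/d\s+"(?P<data>[^"]*)"',
    re.IGNORECASE,
)

# Assumption: an autorun or firewall exception pointing into a directory any
# user can write to is far more suspicious than one under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID (chosen by this example)
    summary: str
    path: str        # binary the registry entry points at, "" if none


def classify(cmdline: str) -> Optional[Finding]:
    m = REG_ADD.search(cmdline)
    if not m:
        return None
    key = (m["qkey"] or m["key"]).lower()
    name, data = m["name"], m["data"]
    if key.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
        return Finding("T1547.001", f"autorun value '{name}' -> {data}", data)
    if "\\firewallpolicy\\" in key:
        if name.lower() == "donotallowexceptions" and data == "0":
            return Finding("T1562.004", "firewall exceptions re-enabled (DoNotAllowExceptions=0)", "")
        if key.endswith("\\authorizedapplications\\list"):
            # value data is "<path>:<scope>:<Enabled|Disabled>:<display name>";
            # the path itself contains "C:", so split from the right
            path, scope, state, display = data.rsplit(":", 3)
            notes = []
            if any(tok in path.lower() for tok in USER_WRITABLE):
                notes.append("user-writable location")
            if display.lower() not in path.lower():
                notes.append(f"display name '{display}' does not match the binary")
            return Finding("T1562.004",
                           f"firewall allow rule ({state}, scope {scope}) for {path}; " + "; ".join(notes),
                           path)
        return Finding("T1562.004", f"firewall policy write {name}={data}", "")
    return None


def triage(cmdlines: List[str]) -> List[Finding]:
    return [f for f in map(classify, cmdlines) if f is not None]


def summarize(findings: List[Finding]) -> Counter:
    return Counter(f.technique for f in findings)


if __name__ == "__main__":
    for f in triage(COMMAND_LINES):
        print(f.technique, f.summary)
    print(dict(summarize(triage(COMMAND_LINES))))
```

The cmd /c lines and the reg.exe lines are the same four writes seen twice, once at the cmd.exe wrapper and once at the reg.exe it launched, which is why the tally comes to eight firewall writes and one autorun. For a host sweep, the same three checks apply directly: an HKCU Run value named firefox that does not point at Firefox, DoNotAllowExceptions=0, and AuthorizedApplications\List entries whose path lives under AppData.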

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lopta10.no-ip.info | udp
US | 8.8.8.8:53 | 1lopta10.no-ip.info | udp
US | 8.8.8.8:53 | 2lopta10.no-ip.info | udp
US | 8.8.8.8:53 | 3lopta10.no-ip.info | udp
US | 78.159.143.172:83 | 3lopta10.no-ip.info | tcp
US | 8.8.8.8:53 | 4lopta10.no-ip.info | udp
ID | 212.117.53.118:83 | 4lopta10.no-ip.info | tcp
US | 8.8.8.8:53 | 5lopta10.no-ip.info | udp
US | 8.8.8.8:53 | 6lopta10.no-ip.info | udp
US | 8.8.8.8:53 | 7lopta10.no-ip.info | udp
US | 8.8.8.8:53 | 8lopta10.no-ip.info | udp
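The sample does not query a single C2 name. It walks lopta10.no-ip.info and then 1lopta10 through 8lopta10, numbered siblings of one base name, and only two of them (3lopta10 and 4lopta10) resolved and received a TCP connection, both on port 83. The numbered-prefix fallback list is what makes the family recognisable in DNS logs even when the base name changes, and because no-ip.info is dynamic DNS the two IPs are not stable indicators. The Python below is an added example, not part of the report: it groups the queried names by base, flags families with several numbered variants, and returns what actually connected plus the hostnames to sink. The dynamic-DNS zone list and the threshold are assumptions.

```python
"""Spot the numbered-fallback hostname family in the Network table and
collect what actually connected.

Added example, not part of the report. The rows are copied from the report's
Network table; the dynamic-DNS zone list is an illustrative assumption (not
complete) and the variant threshold is this example's own.
"""
import re
from collections import defaultdict

# (country, destination, domain, proto) as printed in the Network table
NETWORK = [
    ("US", "8.8.8.8:53", "lopta10.no-ip.info", "udp"),
    ("US", "8.8.8.8:53", "1lopta10.no-ip.info", "udp"),
    ("US", "8.8.8.8:53", "2lopta10.no-ip.info", "udp"),
    ("US", "8.8.8.8:53", "3lopta10.no-ip.info", "udp"),
    ("US", "78.159.143.172:83", "3lopta10.no-ip.info", "tcp"),
    ("US", "8.8.8.8:53", "4lopta10.no-ip.info", "udp"),
    ("ID", "212.117.53.118:83", "4lopta10.no-ip.info", "tcp"),
    ("US", "8.8.8.8:53", "5lopta10.no-ip.info", "udp"),
    ("US", "8.8.8.8:53", "6lopta10.no-ip.info", "udp"),
    ("US", "8.8.8.8:53", "7lopta10.no-ip.info", "udp"),
    ("US", "8.8.8.8:53", "8lopta10.no-ip.info", "udp"),
]

# Assumed list of free dynamic-DNS zones; extend it from your own intel.
DYNDNS_ZONES = ("no-ip.info", "no-ip.org", "no-ip.biz", "ddns.net", "hopto.org", "zapto.org")
LEADING_DIGITS = re.compile(r"^\d+")
MIN_VARIANTS = 3  # a base plus two numbered siblings is enough to call it a family


def base_name(host: str) -> str:
    """1lopta10.no-ip.info -> lopta10.no-ip.info: strip the numeric prefix of the first label."""
    first, dot, rest = host.partition(".")
    return LEADING_DIGITS.sub("", first) + dot + rest


def analyse(rows):
    lookups = defaultdict(set)    # base hostname -> every variant that was queried
    connected = defaultdict(set)  # hostname -> "ip:port" it actually connected to
    for _country, dest, host, proto in rows:
        if proto == "udp" and dest.endswith(":53"):
            lookups[base_name(host)].add(host)
        elif proto == "tcp":
            connected[host].add(dest)
    findings = []
    for base, variants in sorted(lookups.items()):
        if len(variants) < MIN_VARIANTS:
            continue
        live = {h: sorted(connected[h]) for h in sorted(variants) if h in connected}
        ports = sorted({int(d.rsplit(":", 1)[1]) for ds in live.values() for d in ds})
        findings.append({
            "base": base,
            "hosts": sorted(variants),
            "variants": len(variants),
            "dynamic_dns": base.endswith(DYNDNS_ZONES),
            "live": live,    # only these resolved and got a TCP connection
            "ports": ports,  # 83 here: neither HTTP nor a service port, worth a rule of its own
        })
    return findings


def block_list(findings):
    """Every hostname in each flagged family, not only the ones that answered today."""
    return sorted({h for f in findings for h in f["hosts"]})


if __name__ == "__main__":
    for f in analyse(NETWORK):
        print(f["base"], f["variants"], "variants, live:", f["live"], "ports:", f["ports"])
    print(block_list(analyse(NETWORK)))
```

Sinkhole the whole family rather than the two names that answered in this run: the numbering is the operator's fallback order, so the next name in line is the one the implant moves to when a sinkholed or expired one stops resolving. A rule on the base name with an optional digit prefix (\d*lopta10\.no-ip\.info) covers the family in one expression.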

Files

memory/2424-4183-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\259522296.bat

MD5 8ee521ce2531a21132b404d26fa1602f
SHA1 94db0cd88bf1c7629d0b340842519357dcf2b8ef
SHA256 274eb93116d0a8fc3b2e11f841529ff27fb5d336d4da306c84142415a34a0c9e
SHA512 42572cac6bc79900a45dfcec5b544e6a7bb38132c4e758214b3b1ed752c02ecc4e090f534fbac670d4967f0b3f4f00d49fe99129b781365f67321949d7d56759

\Users\Admin\AppData\Roaming\Gun\update32.exe

MD5 1c98b8d149e3dfaa8657b8d5a103ad40
SHA1 595075199403dc9a4b33415c74dd231cc59f4ef9
SHA256 09b0f876f56db4bf8cce72a99089fb34f4c73d91cef525fc9c08a09a044d64fc
SHA512 f4ac01eca34c0bf8c91489a7d9d6c9f4e0290987921354881fd5d564aa6b09f59b73da66450e3667d3e28c8826627d70f9294126420553bad7ee02a3b906d6bb

Same MD5 and SHA256 as the submitted sample: the dropper copies itself unchanged to this path, and the Run value and firewall exception above point at the copy, not at the original in Temp.

memory/4160-9922-0x0000000000400000-0x00000000005AC000-memory.dmp

memory/4160-9935-0x0000000000400000-0x00000000005AC000-memory.dmp

memory/4160-9937-0x0000000000400000-0x00000000005AC000-memory.dmp

memory/4160-9931-0x0000000000400000-0x00000000005AC000-memory.dmp

memory/4160-9929-0x0000000000400000-0x00000000005AC000-memory.dmp

memory/4160-9928-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/4160-9926-0x0000000000400000-0x00000000005AC000-memory.dmp

memory/4160-9924-0x0000000000400000-0x00000000005AC000-memory.dmp

memory/4160-9944-0x0000000000400000-0x00000000005AC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-24 01:04

Reported

2025-01-24 01:06

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description | Indicator | Process | Target
(18 matches; no description, indicator, process or target exported)

Modifies firewall policy service

defense_evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Gun\update32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Gun\\update32.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\local.exe = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Gun\update32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Gun\update32.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox = "C:\\Users\\Admin\\AppData\\Roaming\\Gun\\update32.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3352 set thread context of 5004 | N/A | C:\Users\Admin\AppData\Roaming\Gun\update32.exe | C:\Users\Admin\AppData\Roaming\Gun\update32.exe

UPX packed file

upx
Description | Indicator | Process | Target
(20 matches; no description, indicator, process or target exported)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe (1 row) | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe (5 rows) | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Gun\update32.exe (2 rows) | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe (5 rows) | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe (4 rows) | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege (36 rows, one per privilege, in this order; the same sequence as in behavioral1) | N/A | C:\Users\Admin\AppData\Roaming\Gun\update32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4284 wrote to memory of 2424 (3 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe | C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 3748 (3 rows) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4284 wrote to memory of 3352 (3 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe | C:\Users\Admin\AppData\Roaming\Gun\update32.exe
PID 3352 wrote to memory of 5004 (8 rows) | N/A | C:\Users\Admin\AppData\Roaming\Gun\update32.exe | C:\Users\Admin\AppData\Roaming\Gun\update32.exe
PID 5004 wrote to memory of 4544 (3 rows) | N/A | C:\Users\Admin\AppData\Roaming\Gun\update32.exe | C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 2140 (3 rows) | N/A | C:\Users\Admin\AppData\Roaming\Gun\update32.exe | C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 2652 (3 rows) | N/A | C:\Users\Admin\AppData\Roaming\Gun\update32.exe | C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 4400 (1 row; the table is cut off at this point in the source) | N/A | C:\Users\Admin\AppData\Roaming\Gun\update32.exe | C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Roaming\Gun\update32.exe C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Roaming\Gun\update32.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2140 wrote to memory of 4336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2140 wrote to memory of 4336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2140 wrote to memory of 4336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4544 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4544 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4544 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4400 wrote to memory of 3564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4400 wrote to memory of 3564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4400 wrote to memory of 3564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240622515.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "firefox" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Gun\update32.exe" /f

C:\Users\Admin\AppData\Roaming\Gun\update32.exe

"C:\Users\Admin\AppData\Roaming\Gun\update32.exe"

C:\Users\Admin\AppData\Roaming\Gun\update32.exe

"C:\Users\Admin\AppData\Roaming\Gun\update32.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Gun\update32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Gun\update32.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Gun\update32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Gun\update32.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f

Network


Files

C:\Users\Admin\AppData\Local\Temp\240622515.bat

MD5 8ee521ce2531a21132b404d26fa1602f
SHA1 94db0cd88bf1c7629d0b340842519357dcf2b8ef
SHA256 274eb93116d0a8fc3b2e11f841529ff27fb5d336d4da306c84142415a34a0c9e
SHA512 42572cac6bc79900a45dfcec5b544e6a7bb38132c4e758214b3b1ed752c02ecc4e090f534fbac670d4967f0b3f4f00d49fe99129b781365f67321949d7d56759

C:\Users\Admin\AppData\Roaming\Gun\update32.exe

MD5 1c98b8d149e3dfaa8657b8d5a103ad40
SHA1 595075199403dc9a4b33415c74dd231cc59f4ef9
SHA256 09b0f876f56db4bf8cce72a99089fb34f4c73d91cef525fc9c08a09a044d64fc
SHA512 f4ac01eca34c0bf8c91489a7d9d6c9f4e0290987921354881fd5d564aa6b09f59b73da66450e3667d3e28c8826627d70f9294126420553bad7ee02a3b906d6bb
