Malware Analysis Report

2025-05-06 00:15

Sample ID 250124-hagy5avlas
Target JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9
SHA256 d828ecf013db31afa74e628822ef3aa6631fbf07793c9e716ccf7a287f150ab2
Tags blackshades defense_evasion discovery persistence rat upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d828ecf013db31afa74e628822ef3aa6631fbf07793c9e716ccf7a287f150ab2

Threat Level: Known bad

The file JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat upx

Blackshades payload

Blackshades family

Modifies firewall policy service

Blackshades

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

UPX packed file

Suspicious use of SetThreadContext

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-24 06:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-24 06:31

Reported

2025-01-24 06:34

Platform

win7-20241010-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svihost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svihost.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xWleOvyTvzOYtHtgIdcFmEptTtFyROlHfXUfwLgUdCvZbIchpf = "C:\\Users\\Admin\\AppData\\Local\\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe" C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2712 set thread context of 2952 N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 31 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 32 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 34 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 35 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2544 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe
PID 2544 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe
PID 2544 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe
PID 2544 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe
PID 2712 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2712 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2712 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2712 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2712 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2712 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2712 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2712 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2952 wrote to memory of 2112 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2112 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2112 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2112 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2264 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2264 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2264 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2264 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2144 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2144 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2144 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2144 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2112 wrote to memory of 1092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2112 wrote to memory of 1092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2112 wrote to memory of 1092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2112 wrote to memory of 1092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2144 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2144 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2144 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2144 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2176 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2176 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2176 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2176 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe"

C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe

"C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svihost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svihost.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svihost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svihost.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 yaritsme.no-ip.biz udp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
US 8.8.8.8:53 yaritsme.no-ip.biz udp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
US 8.8.8.8:53 yaritsme.no-ip.biz udp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp

Files

memory/2544-0-0x0000000074161000-0x0000000074162000-memory.dmp

memory/2544-1-0x0000000074160000-0x000000007470B000-memory.dmp

memory/2544-2-0x0000000074160000-0x000000007470B000-memory.dmp

\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe

MD5 1ed1092d731bd439d033b76d3ef8f4a9
SHA1 365f11c686efee4e5c1a35b488f6e854558d5778
SHA256 d828ecf013db31afa74e628822ef3aa6631fbf07793c9e716ccf7a287f150ab2
SHA512 c5d87cb14e9dd539e54b7cb52327b3d9c38928c7925090ef13e0056489f8c4628f1ff4efbe4cdf6a94b9a70ea6389f8e54ce862974d889ac906bf7a87bb2a972

memory/2712-16-0x0000000074160000-0x000000007470B000-memory.dmp

memory/2544-15-0x0000000074160000-0x000000007470B000-memory.dmp

C:\Users\Admin\AppData\Local\Twain.dll

MD5 2153e2d85da316a0fe302227e0f9af88
SHA1 48b334c27d604ce7d89c9c825d211d26427176cf
SHA256 645b30a3ef5cf05ad0df575fbbdbc05387b5493ce1778935b60d98681fea7bc0
SHA512 647b0b95622c2e9086f072ccf110371b38953619b4cb6697e259165ce12e0dd1854bc6351abb8f693d052d730f8790d72929a8c822a26ac369c372478c1e4fac

memory/2952-32-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-34-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-35-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2952-38-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-43-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-42-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2712-41-0x0000000074160000-0x000000007470B000-memory.dmp

memory/2952-40-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-51-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-52-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-54-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-55-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-56-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-57-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-58-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-59-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-60-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-61-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-62-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-63-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-64-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2952-65-0x0000000000400000-0x000000000045C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-24 06:31

Reported

2025-01-24 06:34

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svihost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svihost.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xWleOvyTvzOYtHtgIdcFmEptTtFyROlHfXUfwLgUdCvZbIchpf = "C:\\Users\\Admin\\AppData\\Local\\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe" C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2272 set thread context of 3520 N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 31 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 32 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 34 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 35 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe
PID 2108 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe
PID 2108 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe
PID 2272 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2272 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2272 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2272 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2272 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2272 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2272 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2272 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3520 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 624 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 624 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 624 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 1316 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 1316 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 1316 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 1184 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 1184 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 1184 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 4848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1316 wrote to memory of 4848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1316 wrote to memory of 4848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2560 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2560 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2560 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 624 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 624 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 624 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1184 wrote to memory of 3704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1184 wrote to memory of 3704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1184 wrote to memory of 3704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe"

C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe

"C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svihost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svihost.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svihost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svihost.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 yaritsme.no-ip.biz udp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 7.98.51.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
US 8.8.8.8:53 13.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 yaritsme.no-ip.biz udp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
US 8.8.8.8:53 11.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
US 8.8.8.8:53 yaritsme.no-ip.biz udp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
PS 94.73.26.136:3080 yaritsme.no-ip.biz tcp
US 8.8.8.8:53 udp

Files

memory/2108-0-0x0000000075372000-0x0000000075373000-memory.dmp

memory/2108-1-0x0000000075370000-0x0000000075921000-memory.dmp

memory/2108-2-0x0000000075370000-0x0000000075921000-memory.dmp

C:\Users\Admin\AppData\Roaming\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe

MD5 1ed1092d731bd439d033b76d3ef8f4a9
SHA1 365f11c686efee4e5c1a35b488f6e854558d5778
SHA256 d828ecf013db31afa74e628822ef3aa6631fbf07793c9e716ccf7a287f150ab2
SHA512 c5d87cb14e9dd539e54b7cb52327b3d9c38928c7925090ef13e0056489f8c4628f1ff4efbe4cdf6a94b9a70ea6389f8e54ce862974d889ac906bf7a87bb2a972

memory/2108-18-0x0000000075370000-0x0000000075921000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\JaffaCakes118_1ed1092d731bd439d033b76d3ef8f4a9.exe.log

MD5 600936e187ce94453648a9245b2b42a5
SHA1 3349e5da3f713259244a2cbcb4a9dca777f637ed
SHA256 1493eb1dc75a64eb2eb06bc9eb2c864b78fc4a2c674108d5183ac7824013ff2d
SHA512 d41203f93ed77430dc570e82dc713f09d21942d75d1f9c3c84135421550ac2fa3845b7e46df70d2c57fe97d3a88e43c672771bb8b6433c44584c4e64646c1964

C:\Users\Admin\AppData\Roaming\Twain.dll

MD5 2153e2d85da316a0fe302227e0f9af88
SHA1 48b334c27d604ce7d89c9c825d211d26427176cf
SHA256 645b30a3ef5cf05ad0df575fbbdbc05387b5493ce1778935b60d98681fea7bc0
SHA512 647b0b95622c2e9086f072ccf110371b38953619b4cb6697e259165ce12e0dd1854bc6351abb8f693d052d730f8790d72929a8c822a26ac369c372478c1e4fac

memory/2272-33-0x0000000075370000-0x0000000075921000-memory.dmp

memory/2272-30-0x0000000075370000-0x0000000075921000-memory.dmp

memory/2272-19-0x0000000075370000-0x0000000075921000-memory.dmp

memory/3520-38-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3520-40-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3520-42-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2272-46-0x0000000075370000-0x0000000075921000-memory.dmp

memory/3520-50-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3520-51-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3520-52-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3520-53-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3520-60-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3520-64-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3520-67-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3520-70-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3520-73-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3520-76-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3520-79-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3520-82-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3520-88-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3520-91-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3520-94-0x0000000000400000-0x000000000045C000-memory.dmp