Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27-01-2025 04:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe
Resource
win7-20240903-en
windows7-x64
15 signatures
150 seconds
Behavioral task
behavioral2
Sample
JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
19 signatures
150 seconds
General
-
Target
JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe
-
Size
11.3MB
-
MD5
3c1d6ad373cdc239dfbdaf555d8d3f2a
-
SHA1
78433e8da67df308f68f74ed8fa1eb275ab817fe
-
SHA256
07f25d50689a1a07aeca1b346a219ca71ed618fc1faf2f15ef2f3a76a75d8242
-
SHA512
00f381355693e745b157166a00f5183b3c61f9a9088abc0d5d3d3c1203e5a68688c7f688aa8a6186ff29c29d9a33b08adfa58000f72153f28f8c55991426e1ac
-
SSDEEP
196608:HlFv81RU6deokkHSWFgAj2X4+6xHZVujIT:HL81RNdeDkHSWjj2X4+MHme
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 16 IoCs
resource yara_rule behavioral2/memory/4628-6-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/4628-10-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/3624-39-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/4628-53-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/4628-60-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/4628-71-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/4628-74-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/4628-77-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/4628-80-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/4628-84-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/4628-87-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/4628-91-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/4628-94-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/4628-97-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/4628-101-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/4628-104-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 10 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger" reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\microsoft\lsd.exe = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\lsd.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe -
Executes dropped EXE 4 IoCs
pid Process 4628 svchost.exe 1384 svchost.exe 3624 svchost.exe 4544 svchost.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\c24Builder.exe" JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\c24Builder.exe" JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created C:\Windows\assembly\Desktop.ini svchost.exe File opened for modification C:\Windows\assembly\Desktop.ini svchost.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 4816 set thread context of 4628 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 82 PID 4816 set thread context of 1384 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 83 PID 4828 set thread context of 3624 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 99 PID 4828 set thread context of 4544 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 100 -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\assembly svchost.exe File created C:\Windows\assembly\Desktop.ini svchost.exe File opened for modification C:\Windows\assembly\Desktop.ini svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dw20.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dw20.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 4532 reg.exe 5096 reg.exe 4996 reg.exe 2040 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process Token: SeDebugPrivilege 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe Token: 1 4628 svchost.exe Token: SeCreateTokenPrivilege 4628 svchost.exe Token: SeAssignPrimaryTokenPrivilege 4628 svchost.exe Token: SeLockMemoryPrivilege 4628 svchost.exe Token: SeIncreaseQuotaPrivilege 4628 svchost.exe Token: SeMachineAccountPrivilege 4628 svchost.exe Token: SeTcbPrivilege 4628 svchost.exe Token: SeSecurityPrivilege 4628 svchost.exe Token: SeTakeOwnershipPrivilege 4628 svchost.exe Token: SeLoadDriverPrivilege 4628 svchost.exe Token: SeSystemProfilePrivilege 4628 svchost.exe Token: SeSystemtimePrivilege 4628 svchost.exe Token: SeProfSingleProcessPrivilege 4628 svchost.exe Token: SeIncBasePriorityPrivilege 4628 svchost.exe Token: SeCreatePagefilePrivilege 4628 svchost.exe Token: SeCreatePermanentPrivilege 4628 svchost.exe Token: SeBackupPrivilege 4628 svchost.exe Token: SeRestorePrivilege 4628 svchost.exe Token: SeShutdownPrivilege 4628 svchost.exe Token: SeDebugPrivilege 4628 svchost.exe Token: SeAuditPrivilege 4628 svchost.exe Token: SeSystemEnvironmentPrivilege 4628 svchost.exe Token: SeChangeNotifyPrivilege 4628 svchost.exe Token: SeRemoteShutdownPrivilege 4628 svchost.exe Token: SeUndockPrivilege 4628 svchost.exe Token: SeSyncAgentPrivilege 4628 svchost.exe Token: SeEnableDelegationPrivilege 4628 svchost.exe Token: SeManageVolumePrivilege 4628 svchost.exe Token: SeImpersonatePrivilege 4628 svchost.exe Token: SeCreateGlobalPrivilege 4628 svchost.exe Token: 31 4628 svchost.exe Token: 32 4628 svchost.exe Token: 33 4628 svchost.exe Token: 34 4628 svchost.exe Token: 35 4628 svchost.exe Token: SeDebugPrivilege 4628 svchost.exe Token: SeRestorePrivilege 540 dw20.exe Token: SeBackupPrivilege 540 dw20.exe Token: SeBackupPrivilege 540 dw20.exe Token: SeBackupPrivilege 540 dw20.exe Token: SeDebugPrivilege 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe Token: SeBackupPrivilege 4284 dw20.exe Token: SeBackupPrivilege 4284 dw20.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 4628 svchost.exe 4628 svchost.exe 4628 svchost.exe 4628 svchost.exe 3624 svchost.exe 3624 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4816 wrote to memory of 4628 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 82 PID 4816 wrote to memory of 4628 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 82 PID 4816 wrote to memory of 4628 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 82 PID 4816 wrote to memory of 4628 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 82 PID 4816 wrote to memory of 4628 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 82 PID 4816 wrote to memory of 4628 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 82 PID 4816 wrote to memory of 4628 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 82 PID 4816 wrote to memory of 4628 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 82 PID 4816 wrote to memory of 1384 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 83 PID 4816 wrote to memory of 1384 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 83 PID 4816 wrote to memory of 1384 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 83 PID 4816 wrote to memory of 1384 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 83 PID 4816 wrote to memory of 1384 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 83 PID 4816 wrote to memory of 1384 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 83 PID 4816 wrote to memory of 1384 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 83 PID 4816 wrote to memory of 1384 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 83 PID 4816 wrote to memory of 1384 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 83 PID 4816 wrote to memory of 1384 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 83 PID 4816 wrote to memory of 1384 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 83 PID 4816 wrote to memory of 1384 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 83 PID 4816 wrote to memory of 1384 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 83 PID 4816 wrote to memory of 4828 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 84 PID 4816 wrote to memory of 4828 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 84 PID 4816 wrote to memory of 4828 4816 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 84 PID 1384 wrote to memory of 540 1384 svchost.exe 85 PID 1384 wrote to memory of 540 1384 svchost.exe 85 PID 1384 wrote to memory of 540 1384 svchost.exe 85 PID 4628 wrote to memory of 3256 4628 svchost.exe 86 PID 4628 wrote to memory of 3256 4628 svchost.exe 86 PID 4628 wrote to memory of 3256 4628 svchost.exe 86 PID 4628 wrote to memory of 3020 4628 svchost.exe 87 PID 4628 wrote to memory of 3020 4628 svchost.exe 87 PID 4628 wrote to memory of 3020 4628 svchost.exe 87 PID 4628 wrote to memory of 4808 4628 svchost.exe 88 PID 4628 wrote to memory of 4808 4628 svchost.exe 88 PID 4628 wrote to memory of 4808 4628 svchost.exe 88 PID 4628 wrote to memory of 3536 4628 svchost.exe 89 PID 4628 wrote to memory of 3536 4628 svchost.exe 89 PID 4628 wrote to memory of 3536 4628 svchost.exe 89 PID 3020 wrote to memory of 4532 3020 cmd.exe 95 PID 3020 wrote to memory of 4532 3020 cmd.exe 95 PID 3020 wrote to memory of 4532 3020 cmd.exe 95 PID 4808 wrote to memory of 2040 4808 cmd.exe 96 PID 4808 wrote to memory of 2040 4808 cmd.exe 96 PID 4808 wrote to memory of 2040 4808 cmd.exe 96 PID 3536 wrote to memory of 5096 3536 cmd.exe 97 PID 3536 wrote to memory of 5096 3536 cmd.exe 97 PID 3536 wrote to memory of 5096 3536 cmd.exe 97 PID 3256 wrote to memory of 4996 3256 cmd.exe 98 PID 3256 wrote to memory of 4996 3256 cmd.exe 98 PID 3256 wrote to memory of 4996 3256 cmd.exe 98 PID 4828 wrote to memory of 3624 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 99 PID 4828 wrote to memory of 3624 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 99 PID 4828 wrote to memory of 3624 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 99 PID 4828 wrote to memory of 3624 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 99 PID 4828 wrote to memory of 3624 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 99 PID 4828 wrote to memory of 3624 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 99 PID 4828 wrote to memory of 3624 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 99 PID 4828 wrote to memory of 3624 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 99 PID 4828 wrote to memory of 4544 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 100 PID 4828 wrote to memory of 4544 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 100 PID 4828 wrote to memory of 4544 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 100 PID 4828 wrote to memory of 4544 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 100 PID 4828 wrote to memory of 4544 4828 JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4996
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4532
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2040
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\microsoft\lsd.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\microsoft\lsd.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\microsoft\lsd.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\microsoft\lsd.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5096
-
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 9043⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:540
-
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c1d6ad373cdc239dfbdaf555d8d3f2a.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3624
-
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4544 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 8764⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4284
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
223B
MD5cde6529abeea500fb852f29ba0da6115
SHA145f2f48492417ae6a0eade8aaa808d3d1d760743
SHA256d7f4964443470b6729865676d76f5f1f416da633033071c34ea5eb19cdea53b5
SHA512c95fa7faf6a90f32060dba70f79c4d66c68d6eec587306fb98f36fc3ba5d377ebf9dabf47298b71db208fb10f7ccb4e0ed82236c8f26bcc746552588bbb38234
-
Filesize
3.6MB
MD5da58836942e87077da867e7bd15a8980
SHA1d10cb5dac2ef1a1f605df36cb43aed09ca3bb99e
SHA2568f34741996cad16495b29a74f75cb2f911bbea44817d54b8b3331a26e6eae355
SHA51242a3d68f2df65bcf10046d5d0da1f2c43f73dd7a0830c43c9ebbc7f5cab95bb6924bc8de7fde275da85ee46b265ad8b8a0aef96aa507908281d90803eee532c5