blackshades | 522fb65f0ffb4c5ac19e4808a96072562fffecd1b4991ea143ee8d83a1b8e114

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-01-2025 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe
Size

786KB
MD5

5f6f8b4efa3cd2ad23464fa674c66719
SHA1

8ef67e7899ac5563e4d5ac27aea91f649da4c147
SHA256

522fb65f0ffb4c5ac19e4808a96072562fffecd1b4991ea143ee8d83a1b8e114
SHA512

5e0d10f22035dcbfd69cbb9bb469746f49ce23b2c597cf1a1cb5e8360164a6de0a5325fd5705528e64f91ce4332801ba3b767d68ee39975ae266d2d818c58c6e
SSDEEP

12288:2viw5IPW7bQ7vNiDCA8OEdV7l7LqjNloYCRa7Qe8Ni4ntI6HrNE/aVKt/pZsMpEI:32IabQJiWNdbnqj3/ontrr21OoFS

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 16 IoCs

resource	yara_rule
behavioral1/memory/2700-35-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2700-27-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2700-52-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2624-80-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2700-82-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2700-84-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/964-101-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2700-102-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2700-104-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/552-120-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2700-122-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2720-138-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2700-141-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2700-142-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2980-159-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2700-160-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\drivergen.exe = "C:\\Users\\Admin\\AppData\\Roaming\\drivergen.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Temp\svchost.exe = "C:\\Windows\\Temp\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32 .exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32 .exe	cmd.exe

Executes dropped EXE 23 IoCs

pid	Process
2700	svchost.exe
2576	svchost.exe
600	rundll32 .exe
2624	svchost.exe
696	svchost.exe
2116	rundll32 .exe
964	svchost.exe
1936	svchost.exe
1716	rundll32 .exe
552	svchost.exe
3032	svchost.exe
2724	rundll32 .exe
2720	svchost.exe
2796	svchost.exe
2000	rundll32 .exe
2980	svchost.exe
3004	svchost.exe
784	rundll32 .exe
2836	svchost.exe
2952	svchost.exe
2148	rundll32 .exe
2288	svchost.exe
2916	svchost.exe

Loads dropped DLL 16 IoCs

pid	Process
2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe
2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe
2956	cmd.exe
2956	cmd.exe
2956	cmd.exe
2956	cmd.exe
2956	cmd.exe
2956	cmd.exe
2956	cmd.exe
2956	cmd.exe
2956	cmd.exe
2956	cmd.exe
2956	cmd.exe
2956	cmd.exe
2956	cmd.exe
2956	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	rundll32 .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	rundll32 .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	rundll32 .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	rundll32 .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	rundll32 .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	rundll32 .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	rundll32 .exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2244 set thread context of 2700	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	33
PID 600 set thread context of 2624	600	rundll32 .exe	53
PID 2116 set thread context of 964	2116	rundll32 .exe	57
PID 1716 set thread context of 552	1716	rundll32 .exe	61
PID 2724 set thread context of 2720	2724	rundll32 .exe	66
PID 2000 set thread context of 2980	2000	rundll32 .exe	70
PID 784 set thread context of 2836	784	rundll32 .exe	74
PID 2148 set thread context of 2288	2148	rundll32 .exe	78

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1060	PING.EXE
1280	PING.EXE
1588	PING.EXE
2224	PING.EXE
924	PING.EXE
3064	PING.EXE
1100	PING.EXE

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3004	reg.exe
1992	reg.exe
2812	reg.exe
2820	reg.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
1280	PING.EXE
1588	PING.EXE
2224	PING.EXE
924	PING.EXE
3064	PING.EXE
1100	PING.EXE
1060	PING.EXE

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe
2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe
2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe
2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe
2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe
2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe
2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe
600	rundll32 .exe
600	rundll32 .exe
600	rundll32 .exe
600	rundll32 .exe
600	rundll32 .exe
600	rundll32 .exe
600	rundll32 .exe
2116	rundll32 .exe
2116	rundll32 .exe
2116	rundll32 .exe
2116	rundll32 .exe
2116	rundll32 .exe
2116	rundll32 .exe
2116	rundll32 .exe
1716	rundll32 .exe
1716	rundll32 .exe
1716	rundll32 .exe
1716	rundll32 .exe
1716	rundll32 .exe
1716	rundll32 .exe
1716	rundll32 .exe
2724	rundll32 .exe
2724	rundll32 .exe
2724	rundll32 .exe
2724	rundll32 .exe
2724	rundll32 .exe
2724	rundll32 .exe
2724	rundll32 .exe
2000	rundll32 .exe
2000	rundll32 .exe
2000	rundll32 .exe
2000	rundll32 .exe
2000	rundll32 .exe
2000	rundll32 .exe
2000	rundll32 .exe
784	rundll32 .exe
784	rundll32 .exe
784	rundll32 .exe
784	rundll32 .exe
784	rundll32 .exe
784	rundll32 .exe
784	rundll32 .exe
2148	rundll32 .exe
2148	rundll32 .exe
2148	rundll32 .exe
2148	rundll32 .exe
2148	rundll32 .exe
2148	rundll32 .exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe
Token: 1	2700	svchost.exe
Token: SeCreateTokenPrivilege	2700	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2700	svchost.exe
Token: SeLockMemoryPrivilege	2700	svchost.exe
Token: SeIncreaseQuotaPrivilege	2700	svchost.exe
Token: SeMachineAccountPrivilege	2700	svchost.exe
Token: SeTcbPrivilege	2700	svchost.exe
Token: SeSecurityPrivilege	2700	svchost.exe
Token: SeTakeOwnershipPrivilege	2700	svchost.exe
Token: SeLoadDriverPrivilege	2700	svchost.exe
Token: SeSystemProfilePrivilege	2700	svchost.exe
Token: SeSystemtimePrivilege	2700	svchost.exe
Token: SeProfSingleProcessPrivilege	2700	svchost.exe
Token: SeIncBasePriorityPrivilege	2700	svchost.exe
Token: SeCreatePagefilePrivilege	2700	svchost.exe
Token: SeCreatePermanentPrivilege	2700	svchost.exe
Token: SeBackupPrivilege	2700	svchost.exe
Token: SeRestorePrivilege	2700	svchost.exe
Token: SeShutdownPrivilege	2700	svchost.exe
Token: SeDebugPrivilege	2700	svchost.exe
Token: SeAuditPrivilege	2700	svchost.exe
Token: SeSystemEnvironmentPrivilege	2700	svchost.exe
Token: SeChangeNotifyPrivilege	2700	svchost.exe
Token: SeRemoteShutdownPrivilege	2700	svchost.exe
Token: SeUndockPrivilege	2700	svchost.exe
Token: SeSyncAgentPrivilege	2700	svchost.exe
Token: SeEnableDelegationPrivilege	2700	svchost.exe
Token: SeManageVolumePrivilege	2700	svchost.exe
Token: SeImpersonatePrivilege	2700	svchost.exe
Token: SeCreateGlobalPrivilege	2700	svchost.exe
Token: 31	2700	svchost.exe
Token: 32	2700	svchost.exe
Token: 33	2700	svchost.exe
Token: 34	2700	svchost.exe
Token: 35	2700	svchost.exe
Token: SeDebugPrivilege	600	rundll32 .exe
Token: SeDebugPrivilege	2116	rundll32 .exe
Token: SeDebugPrivilege	1716	rundll32 .exe
Token: SeDebugPrivilege	2724	rundll32 .exe
Token: SeDebugPrivilege	2000	rundll32 .exe
Token: SeDebugPrivilege	784	rundll32 .exe
Token: SeDebugPrivilege	2148	rundll32 .exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2624	svchost.exe
2624	svchost.exe
964	svchost.exe
964	svchost.exe
552	svchost.exe
552	svchost.exe
2720	svchost.exe
2720	svchost.exe
2980	svchost.exe
2980	svchost.exe
2836	svchost.exe
2836	svchost.exe
2288	svchost.exe
2288	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2652	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	30
PID 2244 wrote to memory of 2652	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	30
PID 2244 wrote to memory of 2652	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	30
PID 2244 wrote to memory of 2652	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	30
PID 2652 wrote to memory of 2224	2652	cmd.exe	32
PID 2652 wrote to memory of 2224	2652	cmd.exe	32
PID 2652 wrote to memory of 2224	2652	cmd.exe	32
PID 2652 wrote to memory of 2224	2652	cmd.exe	32
PID 2244 wrote to memory of 2700	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	33
PID 2244 wrote to memory of 2700	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	33
PID 2244 wrote to memory of 2700	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	33
PID 2244 wrote to memory of 2700	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	33
PID 2244 wrote to memory of 2700	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	33
PID 2244 wrote to memory of 2700	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	33
PID 2244 wrote to memory of 2700	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	33
PID 2244 wrote to memory of 2700	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	33
PID 2244 wrote to memory of 2576	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	34
PID 2244 wrote to memory of 2576	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	34
PID 2244 wrote to memory of 2576	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	34
PID 2244 wrote to memory of 2576	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	34
PID 2224 wrote to memory of 2088	2224	wscript.exe	35
PID 2224 wrote to memory of 2088	2224	wscript.exe	35
PID 2224 wrote to memory of 2088	2224	wscript.exe	35
PID 2224 wrote to memory of 2088	2224	wscript.exe	35
PID 2700 wrote to memory of 2144	2700	svchost.exe	36
PID 2700 wrote to memory of 2144	2700	svchost.exe	36
PID 2700 wrote to memory of 2144	2700	svchost.exe	36
PID 2700 wrote to memory of 2144	2700	svchost.exe	36
PID 2700 wrote to memory of 1820	2700	svchost.exe	39
PID 2700 wrote to memory of 1820	2700	svchost.exe	39
PID 2700 wrote to memory of 1820	2700	svchost.exe	39
PID 2700 wrote to memory of 1820	2700	svchost.exe	39
PID 2700 wrote to memory of 340	2700	svchost.exe	40
PID 2700 wrote to memory of 340	2700	svchost.exe	40
PID 2700 wrote to memory of 340	2700	svchost.exe	40
PID 2700 wrote to memory of 340	2700	svchost.exe	40
PID 2700 wrote to memory of 3012	2700	svchost.exe	43
PID 2700 wrote to memory of 3012	2700	svchost.exe	43
PID 2700 wrote to memory of 3012	2700	svchost.exe	43
PID 2700 wrote to memory of 3012	2700	svchost.exe	43
PID 2144 wrote to memory of 3004	2144	cmd.exe	42
PID 2144 wrote to memory of 3004	2144	cmd.exe	42
PID 2144 wrote to memory of 3004	2144	cmd.exe	42
PID 2144 wrote to memory of 3004	2144	cmd.exe	42
PID 3012 wrote to memory of 1992	3012	cmd.exe	46
PID 3012 wrote to memory of 1992	3012	cmd.exe	46
PID 3012 wrote to memory of 1992	3012	cmd.exe	46
PID 3012 wrote to memory of 1992	3012	cmd.exe	46
PID 1820 wrote to memory of 2812	1820	cmd.exe	47
PID 1820 wrote to memory of 2812	1820	cmd.exe	47
PID 1820 wrote to memory of 2812	1820	cmd.exe	47
PID 1820 wrote to memory of 2812	1820	cmd.exe	47
PID 340 wrote to memory of 2820	340	cmd.exe	48
PID 340 wrote to memory of 2820	340	cmd.exe	48
PID 340 wrote to memory of 2820	340	cmd.exe	48
PID 340 wrote to memory of 2820	340	cmd.exe	48
PID 2244 wrote to memory of 2956	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	49
PID 2244 wrote to memory of 2956	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	49
PID 2244 wrote to memory of 2956	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	49
PID 2244 wrote to memory of 2956	2244	JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe	49
PID 2956 wrote to memory of 1100	2956	cmd.exe	51
PID 2956 wrote to memory of 1100	2956	cmd.exe	51
PID 2956 wrote to memory of 1100	2956	cmd.exe	51
PID 2956 wrote to memory of 1100	2956	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5f6f8b4efa3cd2ad23464fa674c66719.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\caca.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\caca2.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\caca2.bat" "
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      PID:2088
- C:\Windows\Temp\svchost.exe
  C:\Windows\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svchost.exe" /t REG_SZ /d "C:\Windows\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svchost.exe" /t REG_SZ /d "C:\Windows\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:340
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\drivergen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\drivergen.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\drivergen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\drivergen.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1992
- C:\Windows\Temp\svchost.exe
  C:\Windows\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\per.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1100
- - C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
    "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:600
  - - C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2624
  - - C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      PID:696
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1060
- - C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
    "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
  - - C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:964
  - - C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      PID:1936
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1280
- - C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
    "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
  - - C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:552
  - - C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      PID:3032
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1588
- - C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
    "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
  - - C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2720
  - - C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      PID:2796
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2224
- - C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
    "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
  - - C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2980
  - - C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      PID:3004
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:924
- - C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
    "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:784
  - - C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2836
  - - C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      PID:2952
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3064
- - C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
    "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
  - - C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2288
  - - C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\caca.bat

Filesize
47B

MD5
58ccb87aa1da4939df403810f1e68b6b

SHA1
dc8551f41682e5cb1dd25af3f11a789b1d37b295

SHA256
eccc9f27214ff49689c1f597c0d3d3a3e45391064fd0baa9b5e0e03931b7822b

SHA512
17ad698f496a445c5cbd0972df9fe966081a3cbee33fb7d7e003890ae946c65687b85b9b16990a872338d00d798b82dee06e86bd2d38b01ad292048134688fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\caca2.bat

Filesize
151B

MD5
ed28c618f7d8306e3736432b58bb5d27

SHA1
441e6dab70e31d9c599fcd9e2d32009038781b42

SHA256
d9aa03911260779b1f8a9b046a7ecf7aa87b0f13c762491fe8e06c482bac09a3

SHA512
4257d8839e881a9ab6de6230a9df1e81456cb796eb9ee2361789fa5fe4c81b297ed1c472f91d97bb0b2ebdb6acadb924617e6ffd32fc96d8ddcebf8fee4a7880

Download Submit
C:\Users\Admin\AppData\Local\Temp\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\per.bat

Filesize
111B

MD5
851c0e754a2e3663cbfdc09777323516

SHA1
e9f67ac8c5d22c5c47b71d2a51b6aa5076b9287a

SHA256
b97c58636ccaa18444a0e317e5a8b8112147e5c5a53777085f035779648c7eeb

SHA512
2efde32aad3b7278f6ea2bd8a688fe30ce75b2914b59dba87b2999dc199ae4a63c0dc08f476096807e2ecd96d4f860ebf988b420c68536accc038b22a7e738d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32-.txt

Filesize
786KB

MD5
5f6f8b4efa3cd2ad23464fa674c66719

SHA1
8ef67e7899ac5563e4d5ac27aea91f649da4c147

SHA256
522fb65f0ffb4c5ac19e4808a96072562fffecd1b4991ea143ee8d83a1b8e114

SHA512
5e0d10f22035dcbfd69cbb9bb469746f49ce23b2c597cf1a1cb5e8360164a6de0a5325fd5705528e64f91ce4332801ba3b767d68ee39975ae266d2d818c58c6e

Download Submit
\Windows\Temp\svchost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/552-119-0x0000000000470000-0x00000000005F1000-memory.dmp

Filesize
1.5MB

Download
memory/552-120-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/964-101-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2244-63-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2244-0-0x0000000074051000-0x0000000074052000-memory.dmp

Filesize
4KB

Download
memory/2244-1-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2244-2-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2244-51-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2624-80-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2624-78-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/2700-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2700-104-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2700-52-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2700-82-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2700-84-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2700-35-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2700-102-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2700-24-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2700-27-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2700-26-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2700-122-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2700-160-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2700-141-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2700-142-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2720-138-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2980-159-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download