Malware Analysis Report

2025-04-03 10:19

Sample ID 250130-t3vlgawpgw
Target JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2
SHA256 067299ed7032f006daf6bc418c1ec7924d62e2ef234200fbccb6528833cc7c1d
Tags
blackshades defense_evasion discovery persistence rat upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

067299ed7032f006daf6bc418c1ec7924d62e2ef234200fbccb6528833cc7c1d

Threat Level: Known bad

The file JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat upx

Blackshades family

Blackshades payload

Blackshades

Modifies firewall policy service

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

UPX packed file

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-30 16:35

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-30 16:35

Reported

2025-01-30 16:37

Platform

win7-20240708-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\csrs.exe = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svhost32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svhost32.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TnzMe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrs = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2852 set thread context of 2576 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TnzMe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Users\Admin\AppData\Local\Temp\TnzMe.exe
PID 2492 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Users\Admin\AppData\Local\Temp\TnzMe.exe
PID 2492 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Users\Admin\AppData\Local\Temp\TnzMe.exe
PID 2492 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Users\Admin\AppData\Local\Temp\TnzMe.exe
PID 2492 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2492 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2492 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2492 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2492 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2852 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2852 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2852 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2852 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2852 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2852 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2852 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2852 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2852 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2576 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2068 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2068 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2068 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2576 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1892 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1892 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1892 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1792 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1792 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1792 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1792 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2928 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2928 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2928 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2928 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe"

C:\Users\Admin\AppData\Local\Temp\TnzMe.exe

"C:\Users\Admin\AppData\Local\Temp\TnzMe.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sBQuc.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "csrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe" /f

C:\Users\Admin\AppData\Roaming\csrs.exe

"C:\Users\Admin\AppData\Roaming\csrs.exe"

C:\Users\Admin\AppData\Roaming\csrs.exe

C:\Users\Admin\AppData\Roaming\csrs.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 46657272617269.3utilities.com udp

Files

memory/2492-0-0x0000000000400000-0x00000000005DD000-memory.dmp

\Users\Admin\AppData\Local\Temp\TnzMe.exe

MD5 466773bfcbd01059584cdae36e3c281c
SHA1 81e68615ef27cf363d6fe96582433c8a7ce8043b
SHA256 21f0910a1d71dfc63744474b2ba6b8248d893226576ea48791dc0cef7dd52105
SHA512 1088e7180a7d4ed717307c03884aebd945c5f78ffd6c4a4d7e84e504dc2da0434fe4173c63f1afd5a57e83e1783b3359ce123e85bb62699fb663bc9b1c02129f

memory/2492-12-0x0000000002650000-0x0000000002667000-memory.dmp

memory/2492-11-0x0000000002650000-0x0000000002667000-memory.dmp

memory/2492-20-0x0000000002660000-0x0000000002677000-memory.dmp

memory/2492-19-0x0000000002660000-0x0000000002677000-memory.dmp

memory/1688-22-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sBQuc.bat

MD5 34a635bb69f9dc2d8e8ceba2f6b25308
SHA1 66bbd6b4eb975af0a799c6be7aaed6917f5df10c
SHA256 eb18b0e443ffb00db0eb4438c0d3ec49cf67c3b7cbc9da8e25c60298c970a59a
SHA512 ae355a265391afe02a37d82ffb0df6664788dc4aee975678aeb524ff47f889d1e5ecab42b073093d71494c9868276dc9794d4bebce4c967d866b189c136a9545

C:\Users\Admin\AppData\Roaming\csrs.exe

MD5 bb023c245b6d965c60eb1710ac399a1e
SHA1 d916c70f28558ecd63905ac3781c07ebf97ae043
SHA256 c590e3dd1ea16dbacd89670c3cfabb765b7258fb3aeae4501764e9bc4ca66397
SHA512 89634c55fe6ff27351c74df69644e5a505595450f1905023dc73d599f2907271fb398b6a0aa8bd3ebb13fcbbb29213fa9a618ca4507f589728a8f41566d4b9a3

memory/2492-50-0x0000000002C30000-0x0000000002E0D000-memory.dmp

memory/2492-64-0x0000000002C30000-0x0000000002E0D000-memory.dmp

memory/2492-68-0x0000000000400000-0x00000000005DD000-memory.dmp

memory/2852-70-0x0000000000400000-0x00000000005DD000-memory.dmp

memory/2576-71-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2576-78-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2576-77-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2852-76-0x0000000000400000-0x00000000005DD000-memory.dmp

memory/2576-79-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1688-85-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2576-86-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2576-90-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2576-93-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2576-95-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2576-97-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2576-102-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2576-104-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2576-106-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2576-109-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2576-114-0x0000000000400000-0x000000000045D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-30 16:35

Reported

2025-01-30 16:37

Platform

win10v2004-20250129-en

Max time kernel

149s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\csrs.exe = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svhost32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svhost32.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\suyqZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrs = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2328 set thread context of 3608 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\suyqZ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3600 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Users\Admin\AppData\Local\Temp\suyqZ.exe
PID 3600 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Users\Admin\AppData\Local\Temp\suyqZ.exe
PID 3600 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Users\Admin\AppData\Local\Temp\suyqZ.exe
PID 3600 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Windows\SysWOW64\cmd.exe
PID 4652 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4652 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4652 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3600 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 3600 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 3600 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2328 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2328 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2328 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2328 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2328 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2328 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2328 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2328 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 3608 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 432 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 432 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 432 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 1684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 1684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 1684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4264 wrote to memory of 1212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4264 wrote to memory of 1212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4264 wrote to memory of 1212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3532 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3532 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3532 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 432 wrote to memory of 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 432 wrote to memory of 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 432 wrote to memory of 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64a33b7e57b3fd34e4e3f8c4b0fbb8a2.exe"

C:\Users\Admin\AppData\Local\Temp\suyqZ.exe

"C:\Users\Admin\AppData\Local\Temp\suyqZ.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZTSNl.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "csrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe" /f

C:\Users\Admin\AppData\Roaming\csrs.exe

"C:\Users\Admin\AppData\Roaming\csrs.exe"

C:\Users\Admin\AppData\Roaming\csrs.exe

C:\Users\Admin\AppData\Roaming\csrs.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp

Files

memory/3600-0-0x0000000000400000-0x00000000005DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\suyqZ.exe

MD5 466773bfcbd01059584cdae36e3c281c
SHA1 81e68615ef27cf363d6fe96582433c8a7ce8043b
SHA256 21f0910a1d71dfc63744474b2ba6b8248d893226576ea48791dc0cef7dd52105
SHA512 1088e7180a7d4ed717307c03884aebd945c5f78ffd6c4a4d7e84e504dc2da0434fe4173c63f1afd5a57e83e1783b3359ce123e85bb62699fb663bc9b1c02129f

memory/3124-11-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZTSNl.txt

MD5 34a635bb69f9dc2d8e8ceba2f6b25308
SHA1 66bbd6b4eb975af0a799c6be7aaed6917f5df10c
SHA256 eb18b0e443ffb00db0eb4438c0d3ec49cf67c3b7cbc9da8e25c60298c970a59a
SHA512 ae355a265391afe02a37d82ffb0df6664788dc4aee975678aeb524ff47f889d1e5ecab42b073093d71494c9868276dc9794d4bebce4c967d866b189c136a9545

C:\Users\Admin\AppData\Roaming\csrs.txt

MD5 912cbfc51a52c1662322d24d3306fac9
SHA1 0462687bbf438aa095fd4a02d6ea67698fa0ad0a
SHA256 44689f3cbf86c8b71339fa72deabc4e5da5564a8f2868fdfee9389a6be30709a
SHA512 9307d33f00ef170d1bde812c288c04789e75c703c5dccdb97a5aa2d997255fc363c8901d6c017beba77bd6930a153d9d48a064ef8d63eb4746c3316413ff1e4e

memory/3600-38-0x0000000000400000-0x00000000005DD000-memory.dmp

memory/3608-41-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3608-44-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3608-46-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2328-49-0x0000000000400000-0x00000000005DD000-memory.dmp

memory/3124-54-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3608-56-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3608-59-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3608-62-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3608-64-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3608-66-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3608-69-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3608-71-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3608-76-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3608-78-0x0000000000400000-0x000000000045D000-memory.dmp