Malware Analysis Report

2025-04-03 10:18

Sample ID 250130-yzqkkatmcq
Target JaffaCakes118_662c1630a308be12b5726d239b316d61
SHA256 64bb7bd73e3ef0ba90ce8ccba5a634caddb4ecbfe1a0826218a5c8a9b3193258
Tags
blackshades defense_evasion discovery persistence rat upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

64bb7bd73e3ef0ba90ce8ccba5a634caddb4ecbfe1a0826218a5c8a9b3193258

Threat Level: Known bad

The file JaffaCakes118_662c1630a308be12b5726d239b316d61 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat upx

Blackshades payload

Blackshades family

Blackshades

Modifies firewall policy service

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Executes dropped EXE

Adds Run key to start application

UPX packed file

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry key

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-30 20:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-30 20:13

Reported

2025-01-30 20:16

Platform

win7-20240903-en

Max time kernel

147s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_662c1630a308be12b5726d239b316d61.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\csrss.exe = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\csrss.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E6CDBC6-CFEB-BDBA-B8FD-C63C309ABBEB} C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E6CDBC6-CFEB-BDBA-B8FD-C63C309ABBEB}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{4E6CDBC6-CFEB-BDBA-B8FD-C63C309ABBEB} C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Active Setup\Installed Components\{4E6CDBC6-CFEB-BDBA-B8FD-C63C309ABBEB}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2624 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_662c1630a308be12b5726d239b316d61.exe C:\Users\Admin\AppData\Local\Temp\csrss.exe
PID 2628 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\csrss.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 536 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 484 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1796 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_662c1630a308be12b5726d239b316d61.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_662c1630a308be12b5726d239b316d61.exe"

C:\Users\Admin\AppData\Local\Temp\csrss.exe

"C:\Users\Admin\AppData\Local\Temp\csrss.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\csrss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrss.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\csrss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrss.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 hommy.no-ip.info udp
US 8.8.8.8:53 1hommy.no-ip.info udp
US 8.8.8.8:53 2hommy.no-ip.info udp
US 8.8.8.8:53 3hommy.no-ip.info udp
ID 212.117.48.248:4443 3hommy.no-ip.info tcp
US 8.8.8.8:53 4hommy.no-ip.info udp
US 8.8.8.8:53 5hommy.no-ip.info udp
US 8.8.8.8:53 6hommy.no-ip.info udp
US 8.8.8.8:53 7hommy.no-ip.info udp
US 8.8.8.8:53 8hommy.no-ip.info udp

Files

memory/2624-0-0x000007FEF553E000-0x000007FEF553F000-memory.dmp

memory/2624-2-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

memory/2624-3-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

memory/2624-4-0x0000000000F30000-0x0000000000F40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss.exe

MD5 e634a32d5fd87d3f13544fa3e7fb7f88
SHA1 a4ea07351d69ec977417bb60e02ddf4e9dd81b2b
SHA256 b11fd7676f1b0957819db09147e0a0f233813f408d676f169c29e7d3ec4bb8ca
SHA512 31bee58fd931bb30f00b8d74acecf61df1f9543a529a58c5c64af84078750eccd1063aa659a185de0fa97fcbb28608cd9af8fb4fed2c689ac67b7cf3e5a990b0

memory/2624-13-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

memory/2628-12-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2628-18-0x0000000074F68000-0x0000000074F69000-memory.dmp

memory/2628-20-0x0000000074F50000-0x0000000075060000-memory.dmp

memory/2628-19-0x0000000074F50000-0x0000000075060000-memory.dmp

memory/2628-21-0x0000000074F50000-0x0000000075060000-memory.dmp

memory/2628-22-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2628-23-0x0000000074F50000-0x0000000075060000-memory.dmp

memory/2628-24-0x0000000074F50000-0x0000000075060000-memory.dmp

memory/2628-26-0x0000000074F50000-0x0000000075060000-memory.dmp

memory/2628-27-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2628-29-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2628-30-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2628-31-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2628-34-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2628-35-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2628-39-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2628-42-0x0000000000400000-0x0000000000473000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-30 20:13

Reported

2025-01-30 20:16

Platform

win10v2004-20250129-en

Max time kernel

93s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_662c1630a308be12b5726d239b316d61.exe"

Signatures

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_662c1630a308be12b5726d239b316d61.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_662c1630a308be12b5726d239b316d61.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 1052

Network

Country Destination Domain Proto
US 8.8.8.8:53 130.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/628-0-0x00007FF870575000-0x00007FF870576000-memory.dmp

memory/628-1-0x000000001BF10000-0x000000001BFB6000-memory.dmp

memory/628-2-0x00007FF8702C0000-0x00007FF870C61000-memory.dmp

memory/628-4-0x00007FF8702C0000-0x00007FF870C61000-memory.dmp

memory/628-11-0x00007FF8702C0000-0x00007FF870C61000-memory.dmp