Analysis Overview
SHA256
af6f75b881058f848849b41c52674189d40c6df247fb5f634a80ecd57b8946ee
Threat Level: Known bad
The file JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e was found to be: Known bad.
Malicious Activity Summary
Blackshades family
Modifies firewall policy service
Blackshades payload
Blackshades
Boot or Logon Autostart Execution: Active Setup
Checks computer location settings
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of SetThreadContext
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-31 17:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-31 17:27
Reported
2025-01-31 17:30
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Active Setup\Installed Components\{V9XXB0GJ-4DV6-ZU36-EHTF-MK6TWJ6Q1ICC} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{V9XXB0GJ-4DV6-ZU36-EHTF-MK6TWJ6Q1ICC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{V9XXB0GJ-4DV6-ZU36-EHTF-MK6TWJ6Q1ICC} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{V9XXB0GJ-4DV6-ZU36-EHTF-MK6TWJ6Q1ICC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DisplayDrivers = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 684 set thread context of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe |
| PID 1624 set thread context of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsXj5zHWvaxkMZ4YsX.bat" "
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bss-crypt.no-ip.info | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.252.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
memory/1624-2-0x0000000000400000-0x0000000000492000-memory.dmp
memory/1624-4-0x0000000000400000-0x0000000000492000-memory.dmp
memory/1624-3-0x0000000000400000-0x0000000000492000-memory.dmp
memory/1624-5-0x0000000000400000-0x0000000000492000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CsXj5zHWvaxkMZ4YsX.bat
| MD5 | a9dba16d694c2dc7d45b062d5d679eb7 |
| SHA1 | 617539e4a13f018f186e52ced61fcb30e08d2410 |
| SHA256 | d4466c300d57a27b3459720a16f2b7b92b4c3a1c54e7ad04eb432e2c10cfcfb2 |
| SHA512 | f55498776a9817efc3fba090aa6a8ab447f1b662dda7f410f85e942879999a54bd3e6dc8660b000e9aa7815efca12fedd537039faf8dc8e33b698003dd3b33b5 |
memory/1440-12-0x0000000000400000-0x0000000000474000-memory.dmp
memory/1440-14-0x0000000000400000-0x0000000000474000-memory.dmp
memory/1440-16-0x0000000000400000-0x0000000000474000-memory.dmp
memory/1440-15-0x0000000000400000-0x0000000000474000-memory.dmp
memory/1624-22-0x0000000000400000-0x0000000000492000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 6c66d7620909b6a4a93f7c01ace7b84e |
| SHA1 | 6f648783d296e0da9edb0beaaa41dc846d4a14e2 |
| SHA256 | af6f75b881058f848849b41c52674189d40c6df247fb5f634a80ecd57b8946ee |
| SHA512 | 8fd3532b471d7d14faf8d0518072d2e1d316343ac340c3013332e7969503b53e847268291f42bb48b8c3079e490d78e5e0379fadeb5638f1504e497155fe3604 |
memory/1440-24-0x0000000000400000-0x0000000000474000-memory.dmp
memory/1440-25-0x0000000000400000-0x0000000000474000-memory.dmp
memory/1440-26-0x0000000000400000-0x0000000000474000-memory.dmp
memory/1440-30-0x0000000000400000-0x0000000000474000-memory.dmp
C:\Users\Admin\AppData\Roaming\data.dat
| MD5 | 32f05b6f6cc07510c3a63d76a5ae119a |
| SHA1 | 21f7dbcc82d6beb22f5565ecc14cbddc939b1dec |
| SHA256 | 24709db103970ec2a9b061fc961006254697e4ed162e8d305a7ffd642bfe9a09 |
| SHA512 | f23f5e5b718ac99b6813ce350485e303180023f0b4b3783fdcf30639ceaa2cb813fcdd6ad849376febe2d24c2846894da1d389cead2f42df49c0091f159ec16b |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-31 17:27
Reported
2025-01-31 17:30
Platform
win7-20240708-en
Max time kernel
146s
Max time network
140s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V9XXB0GJ-4DV6-ZU36-EHTF-MK6TWJ6Q1ICC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Active Setup\Installed Components\{V9XXB0GJ-4DV6-ZU36-EHTF-MK6TWJ6Q1ICC} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Active Setup\Installed Components\{V9XXB0GJ-4DV6-ZU36-EHTF-MK6TWJ6Q1ICC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{V9XXB0GJ-4DV6-ZU36-EHTF-MK6TWJ6Q1ICC} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\DisplayDrivers = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1796 set thread context of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe |
| PID 2644 set thread context of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CsXj5zHWvaxkMZ4YsX.bat" "
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c66d7620909b6a4a93f7c01ace7b84e.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bss-crypt.no-ip.info | udp |
Files
memory/2644-2-0x0000000000400000-0x0000000000492000-memory.dmp
memory/2644-4-0x0000000000400000-0x0000000000492000-memory.dmp
memory/2644-6-0x0000000000400000-0x0000000000492000-memory.dmp
memory/2644-8-0x0000000000400000-0x0000000000492000-memory.dmp
memory/2644-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2644-10-0x0000000000400000-0x0000000000492000-memory.dmp
memory/2644-14-0x0000000000400000-0x0000000000492000-memory.dmp
memory/2644-16-0x0000000000400000-0x0000000000492000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CsXj5zHWvaxkMZ4YsX.bat
| MD5 | a9dba16d694c2dc7d45b062d5d679eb7 |
| SHA1 | 617539e4a13f018f186e52ced61fcb30e08d2410 |
| SHA256 | d4466c300d57a27b3459720a16f2b7b92b4c3a1c54e7ad04eb432e2c10cfcfb2 |
| SHA512 | f55498776a9817efc3fba090aa6a8ab447f1b662dda7f410f85e942879999a54bd3e6dc8660b000e9aa7815efca12fedd537039faf8dc8e33b698003dd3b33b5 |
memory/2644-18-0x0000000000400000-0x0000000000492000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 6c66d7620909b6a4a93f7c01ace7b84e |
| SHA1 | 6f648783d296e0da9edb0beaaa41dc846d4a14e2 |
| SHA256 | af6f75b881058f848849b41c52674189d40c6df247fb5f634a80ecd57b8946ee |
| SHA512 | 8fd3532b471d7d14faf8d0518072d2e1d316343ac340c3013332e7969503b53e847268291f42bb48b8c3079e490d78e5e0379fadeb5638f1504e497155fe3604 |
memory/2528-35-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2528-33-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2528-32-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2528-34-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2528-30-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2644-41-0x0000000000400000-0x0000000000492000-memory.dmp
memory/2528-45-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2528-46-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2528-48-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2528-55-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2528-59-0x0000000000400000-0x0000000000474000-memory.dmp
C:\Users\Admin\AppData\Roaming\data.dat
| MD5 | 8fc2c93e15290b49be95191eb87d2958 |
| SHA1 | 77d5436e72aae3ad82a67416c2b487d55b666279 |
| SHA256 | f62c1e74ec93499faab97b93b838db705bbb7b1286435b3f7e08739c32238a2b |
| SHA512 | 475060908851f38743e065186134d273988bcc7a5deae38c6b91b3964fa82d05ae87dcc3e1961cd9da0dce030360c3a52918499ca80385701dd09704d5903b70 |
memory/2528-63-0x0000000000400000-0x0000000000474000-memory.dmp