Analysis Overview
SHA256
508a8f15683250a5e1c3c0b46ab024fa74ebba1eda5e508860f3db06515faac9
Threat Level: Known bad
The file JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1 was found to be: Known bad.
Malicious Activity Summary
Blackshades payload
Blackshades family
Modifies firewall policy service
Blackshades
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry key
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-31 18:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-31 18:48
Reported
2025-01-31 18:50
Platform
win10v2004-20250129-en
Max time kernel
148s
Max time network
138s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\Protected.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe" | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD31C8E4-003D-FC99-DA72-B10DA6A7FE3C} | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD31C8E4-003D-FC99-DA72-B10DA6A7FE3C}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe" | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{DD31C8E4-003D-FC99-DA72-B10DA6A7FE3C} | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{DD31C8E4-003D-FC99-DA72-B10DA6A7FE3C}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe" | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe" | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe" | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4948 set thread context of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe"
C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
"C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe"
C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ilolle.no-ip.org | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ilolle.no-ip.org | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1ilolle.no-ip.org | udp |
| US | 8.8.8.8:53 | 96.252.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2ilolle.no-ip.org | udp |
| ID | 212.117.50.228:90 | 2ilolle.no-ip.org | tcp |
| US | 8.8.8.8:53 | 3ilolle.no-ip.org | udp |
| US | 8.8.8.8:53 | 4ilolle.no-ip.org | udp |
| US | 8.8.8.8:53 | 5ilolle.no-ip.org | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6ilolle.no-ip.org | udp |
| US | 8.8.8.8:53 | 7ilolle.no-ip.org | udp |
| US | 8.8.8.8:53 | 8ilolle.no-ip.org | udp |
Files
memory/1116-0-0x0000000075532000-0x0000000075533000-memory.dmp
memory/1116-1-0x0000000075530000-0x0000000075AE1000-memory.dmp
memory/1116-2-0x0000000075530000-0x0000000075AE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
| MD5 | 1eb486fa6291baa043d8558201f6a3aa |
| SHA1 | b5da2ab73ed9c1fd7b19925b4ed5475500139a71 |
| SHA256 | e27926aab5635abff5cc672148cd58c991bbf9867e51ac49d0fadd22afe7242c |
| SHA512 | aa38a937c2c16b344025e6360fe993d73b9388902abf62df2d7d675cdb86d30b5105b2c3078dcf844438f35d1a06610bbcfa578b3abd1abb3e78026a9ae27ab4 |
memory/3768-21-0x0000000075530000-0x0000000075AE1000-memory.dmp
memory/1116-22-0x0000000075530000-0x0000000075AE1000-memory.dmp
memory/3768-23-0x0000000075530000-0x0000000075AE1000-memory.dmp
memory/4948-25-0x0000000075530000-0x0000000075AE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
| MD5 | e39f16b8ee508db0af0ee84322f466ea |
| SHA1 | e1b09005ff4bbbe94d67e282bb8e7bd2860a7df9 |
| SHA256 | 136b41f230870f55cf21fe88923a0089ce9bd64555c5f839ca5ed3ca0e467218 |
| SHA512 | 8cb4675bc185e32c1ca06194b811995c531ef4a7bca2a1371715fd994358de1f9904cd0583e02919d02406cbf328f3638437f1bb0a5e785e636cc5830bce0518 |
memory/4000-33-0x0000000000400000-0x0000000000473000-memory.dmp
memory/3768-38-0x0000000075530000-0x0000000075AE1000-memory.dmp
memory/4948-34-0x0000000075530000-0x0000000075AE1000-memory.dmp
memory/4000-32-0x0000000000400000-0x0000000000473000-memory.dmp
memory/4000-31-0x0000000000400000-0x0000000000473000-memory.dmp
memory/4000-27-0x0000000000400000-0x0000000000473000-memory.dmp
memory/4948-24-0x0000000075530000-0x0000000075AE1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-31 18:48
Reported
2025-01-31 18:50
Platform
win7-20240903-en
Max time kernel
148s
Max time network
138s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\svchost.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Adobe\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\svchost.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Adobe Update Manager = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components\{AAFA00DE-F7F2-AFA9-383C-F4B9B4BE5EC6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAFA00DE-F7F2-AFA9-383C-F4B9B4BE5EC6} | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAFA00DE-F7F2-AFA9-383C-F4B9B4BE5EC6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAFA00DE-F7F2-AFA9-383C-F4B9B4BE5EC6} | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Update Manager = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Update Manager = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2744 set thread context of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe"
C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
"C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe"
C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\svchost.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\svchost.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
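The reg.exe command lines above (and the equivalent ones in the win10 run earlier on the page) and the "Set value" rows in both Signatures sections describe the same two behaviours: the sample forces DoNotAllowExceptions to 0 and adds an AuthorizedApplications\List entry for its dropped copy (legacy StandardProfile firewall store, labelled "Windows Messanger" to look like a system component), and it writes three autostart entries (Run, Policies\Explorer\Run and Active Setup StubPath) that all point at a second copy under the user's AppData. Note that the cmd /c wrapper and its reg.exe child, and the two detonations, each report the same write, so a raw count overstates what was done. The Python below is an added example, not part of the sandbox report: it parses both notations, normalises hive spellings (\REGISTRY\MACHINE vs HKLM, ControlSet001 vs CurrentControlSet, the WOW6432Node view), de-duplicates, and tags each finding with the ATT&CK technique a triage note would cite. The sample inputs are copied from the tables on this page; the technique IDs, the user-writable-path heuristic and every function name are the example's own choices. One caveat for a live-host check: the StandardProfile keys written here are the XP-era firewall store, so on Windows 7/10 also inspect FirewallRules under the same FirewallPolicy key; the write is an intent indicator whether or not the firewall service still honours it.

```python
"""Triage of the REG ADD command lines and registry 'Set value' indicators in this report."""
import re
from collections import namedtuple

# Constructed sample input, copied from the Processes and Signatures sections of both detonations.
REG_CMDLINES = [
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\svchost.exe:*:Enabled:Windows Messanger" /f',
]
REG_EVENTS = [
    r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD31C8E4-003D-FC99-DA72-B10DA6A7FE3C}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe"',
    r'\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe"',
    r'\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components\{AAFA00DE-F7F2-AFA9-383C-F4B9B4BE5EC6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\svchost.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Update Manager = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\svchost.exe"',
]

TOKEN = re.compile(r'"[^"]*"|\S+')                        # cmd.exe-style argument split
EVENT = re.compile(r'^(?P<path>.+?) = "(?P<data>.*)"$')    # sandbox row: <key>\<name> = "<data>"
FW_LIST = re.compile(r'^(.*\\AuthorizedApplications\\List)\\(.+)$', re.I)  # value name is itself a path
ACTIVE_SETUP = re.compile(r'\\active setup\\installed components\\\{[0-9a-f-]+\}$')
USER_WRITABLE = re.compile(r'\\(AppData|Temp|Users\\Public|ProgramData)\\', re.I)
HIVES = {'\\registry\\machine\\': 'HKLM\\', 'hkey_local_machine\\': 'HKLM\\',
         '\\registry\\user\\': 'HKU\\', 'hkey_users\\': 'HKU\\', 'hkey_current_user\\': 'HKCU\\'}

RegWrite = namedtuple('RegWrite', 'key name data')
# technique: ATT&CK ID; target: program the entry points at ('' if none); user_writable: target under a user-writable dir
Finding = namedtuple('Finding', 'technique key name target detail user_writable')

def normalise_key(key):
    # One spelling for \REGISTRY\MACHINE vs HKLM, ControlSet00N vs CurrentControlSet, and the WOW6432Node view.
    key = key.replace('\\\\', '\\')
    for alias, hive in HIVES.items():
        if key.lower().startswith(alias):
            key = hive + key[len(alias):]
            break
    key = re.sub(r'\\controlset00\d\\', lambda m: '\\CurrentControlSet\\', key, flags=re.I)
    return re.sub(r'\\wow6432node\\', lambda m: '\\', key, flags=re.I)

def parse_reg_add(cmdline):
    # 'REG ADD <key> [/v name] [/t type] [/d data] [/f]', with or without the 'cmd /c' wrapper.
    toks = [t.strip('"') for t in TOKEN.findall(cmdline)]
    low = [t.lower() for t in toks]
    starts = [i for i in range(len(toks) - 2) if low[i] in ('reg', 'reg.exe') and low[i + 1] == 'add']
    if not starts:
        return None
    i, opts, j = starts[0], {}, starts[0] + 3
    while j < len(toks):
        if low[j] in ('/v', '/t', '/d') and j + 1 < len(toks):
            opts[low[j]] = toks[j + 1]
            j += 2
        else:
            j += 1  # /f, /ve, /reg:32 ... take no argument
    return RegWrite(normalise_key(toks[i + 2]), opts.get('/v', ''), opts.get('/d', ''))

def parse_event(line):
    m = EVENT.match(line)
    if not m:
        return None
    fw = FW_LIST.match(m.group('path'))
    key, name = (fw.group(1), fw.group(2)) if fw else m.group('path').rpartition('\\')[::2]
    return RegWrite(normalise_key(key), name, m.group('data').replace('\\\\', '\\'))

def parse_firewall_entry(data):
    # AuthorizedApplications\List data: <path>:<scope>:<Enabled|Disabled>:<display name>; the path holds a colon too
    parts = data.rsplit(':', 3)
    return tuple(parts) if len(parts) == 4 else None

def classify(w):
    k, out = w.key.lower(), []
    def add(tech, target, detail):
        out.append(Finding(tech, w.key, w.name, target, detail, bool(USER_WRITABLE.search(target))))
    if '\\sharedaccess\\parameters\\firewallpolicy\\' in k:
        if w.name.lower() == 'donotallowexceptions' and w.data == '0':
            add('T1562.004', '', 'firewall exceptions re-enabled (DoNotAllowExceptions=0)')
        elif k.endswith('\\authorizedapplications\\list') and parse_firewall_entry(w.data):
            path, scope, state, label = parse_firewall_entry(w.data)
            add('T1562.004', path, f'firewall exception {state} for {path} (scope {scope}, labelled "{label}")')
    elif k.endswith('\\currentversion\\run') or k.endswith('\\policies\\explorer\\run'):
        add('T1547.001', w.data, f'Run value "{w.name}" -> {w.data}')
    elif ACTIVE_SETUP.search(k) and w.name.lower() == 'stubpath':
        add('T1547.014', w.data, f'Active Setup StubPath -> {w.data}')
    return out

def triage(cmdlines, events):
    # Parse both notations, classify, and drop duplicates (cmd /c wrapper vs reg.exe child, win10 vs win7 run).
    writes = [w for w in map(parse_reg_add, cmdlines) if w] + [w for w in map(parse_event, events) if w]
    seen, findings = set(), []
    for w in writes:
        for f in classify(w):
            sig = (f.technique, f.key.lower(), f.name.lower(), f.target.lower())
            if sig not in seen:
                seen.add(sig)
                findings.append(f)
    return findings
```

Run `triage(REG_CMDLINES, REG_EVENTS)` and the ten input lines collapse to nine distinct findings: four firewall-policy writes (T1562.004, one of them the DoNotAllowExceptions reset, reported identically by the command line and by the sandbox row), three Run-type entries and two Active Setup StubPath entries, every persistence target sitting under AppData. The same parser can be pointed at Sysmon Event ID 1 command lines and Event ID 13 registry events, which use the HKLM\... and \REGISTRY\MACHINE\... spellings respectively.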
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ppwng.zapto.org | udp |
| US | 8.8.8.8:53 | 1ppwng.zapto.org | udp |
| US | 8.8.8.8:53 | 2ppwng.zapto.org | udp |
| US | 8.8.8.8:53 | 3ppwng.zapto.org | udp |
| US | 8.8.8.8:53 | 4ppwng.zapto.org | udp |
| US | 8.8.8.8:53 | 5ppwng.zapto.org | udp |
| US | 8.8.8.8:53 | 6ppwng.zapto.org | udp |
| US | 8.8.8.8:53 | 7ppwng.zapto.org | udp |
| US | 8.8.8.8:53 | 8ppwng.zapto.org | udp |
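Both runs show the same lookup pattern: a base host on a free dynamic-DNS zone, then the same name with the prefixes 1 to 8 (ilolle.no-ip.org in the win10 run, ppwng.zapto.org here). Only 2ilolle.no-ip.org resolved and drew a TCP connection, to 212.117.50.228:90; the in-addr.arpa rows are reverse lookups of addresses the VM had already contacted, and g.bing.com is most likely background traffic of the sandbox image rather than the sample's. The Python below is an added example, not part of the report: it parses the Network table, discards reverse lookups, groups names by base host after stripping leading digits, marks dynamic-DNS zones, and emits an IOC list that covers every variant plus the contacted endpoint. The rows are copied from the tables on this page; the min_variants threshold, the zone list and the function names are assumptions of the example.

```python
"""Cluster the DNS names in the Network tables into base host + numeric-prefix variants."""
import re
from dataclasses import dataclass, field

# Constructed sample input: Network rows copied from both detonations (header row included on purpose).
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ilolle.no-ip.org | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 1ilolle.no-ip.org | udp |
| US | 8.8.8.8:53 | 2ilolle.no-ip.org | udp |
| ID | 212.117.50.228:90 | 2ilolle.no-ip.org | tcp |
| US | 8.8.8.8:53 | 3ilolle.no-ip.org | udp |
| US | 8.8.8.8:53 | 4ilolle.no-ip.org | udp |
| US | 8.8.8.8:53 | 5ilolle.no-ip.org | udp |
| US | 8.8.8.8:53 | 6ilolle.no-ip.org | udp |
| US | 8.8.8.8:53 | 7ilolle.no-ip.org | udp |
| US | 8.8.8.8:53 | 8ilolle.no-ip.org | udp |
| US | 8.8.8.8:53 | ppwng.zapto.org | udp |
| US | 8.8.8.8:53 | 1ppwng.zapto.org | udp |
| US | 8.8.8.8:53 | 2ppwng.zapto.org | udp |
| US | 8.8.8.8:53 | 3ppwng.zapto.org | udp |
| US | 8.8.8.8:53 | 4ppwng.zapto.org | udp |
| US | 8.8.8.8:53 | 5ppwng.zapto.org | udp |
| US | 8.8.8.8:53 | 6ppwng.zapto.org | udp |
| US | 8.8.8.8:53 | 7ppwng.zapto.org | udp |
| US | 8.8.8.8:53 | 8ppwng.zapto.org | udp |
"""

ROW = re.compile(r'^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*\|'
                 r'\s*(?P<domain>\S+)\s*\|\s*(?P<proto>tcp|udp)\s*\|$')
# Leading digits are the variant, the rest is the base name: '3ilolle.no-ip.org' -> ('3', 'ilolle.no-ip.org').
PREFIX = re.compile(r'^(?P<num>\d*)(?P<base>[a-z][\w-]*(?:\.[\w-]+)+)$')
# Free dynamic-DNS zones commonly seen as RAT C2 (No-IP, DynDNS, DuckDNS); an assumption of this example.
DDNS_TAILS = tuple('.' + z for z in ('no-ip.org', 'no-ip.biz', 'no-ip.info', 'zapto.org', 'hopto.org',
                                     'ddns.net', 'sytes.net', 'servegame.com', 'dyndns.org', 'duckdns.org'))


@dataclass
class HostCluster:
    base: str
    dynamic_dns: bool
    variants: set = field(default_factory=set)     # numeric prefixes seen; '' is the bare name
    connections: set = field(default_factory=set)  # (ip, port, proto) of non-DNS traffic to any variant


def parse_rows(table):
    rows = []
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if m:                       # header and blank lines do not match and are skipped
            rows.append(m.groupdict())
    return rows


def cluster_hosts(rows):
    clusters = {}
    for r in rows:
        domain = r['domain'].lower()
        if domain.endswith('.in-addr.arpa'):   # reverse lookup of an address already contacted, not a name the sample chose
            continue
        m = PREFIX.match(domain)
        if not m:
            continue
        base = m.group('base')
        c = clusters.setdefault(base, HostCluster(base, base.endswith(DDNS_TAILS)))
        c.variants.add(m.group('num'))
        if not (r['proto'] == 'udp' and r['port'] == '53'):   # anything other than the lookup itself
            c.connections.add((r['ip'], int(r['port']), r['proto']))
    return clusters


def c2_candidates(clusters, min_variants=3):
    # A base name queried under several digit prefixes is the fallback-host pattern, not ordinary OS traffic.
    hits = [c for c in clusters.values() if len(c.variants) >= min_variants]
    return sorted(hits, key=lambda c: (-len(c.variants), c.base))


def iocs(clusters, min_variants=3):
    # Every variant name of each candidate cluster plus the endpoints actually contacted.
    out = set()
    for c in c2_candidates(clusters, min_variants):
        out.update(n + c.base for n in c.variants)
        out.update(f'{ip}:{port}' for ip, port, _ in c.connections)
    return sorted(out)


if __name__ == '__main__':
    cl = cluster_hosts(parse_rows(NETWORK_TABLE))
    for c in c2_candidates(cl):
        print(f'{c.base}: {len(c.variants)} variants, ddns={c.dynamic_dns}, connections={sorted(c.connections)}')
    print('\n'.join(iocs(cl)))
```

On this page's rows the two candidate clusters each carry nine variants and both sit on No-IP zones; g.bing.com stays a one-variant cluster and is left out of the IOC list. Blocking only the name that resolved (2ilolle.no-ip.org) would miss the fallbacks, which is why the list carries all nine names per base host; the numeric-prefix scheme also gives a cheap DNS-log detection (many sibling names differing only in a leading digit, queried within seconds of each other).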
Files
memory/2780-0-0x0000000074701000-0x0000000074702000-memory.dmp
memory/2780-1-0x0000000074700000-0x0000000074CAB000-memory.dmp
memory/2780-3-0x0000000074700000-0x0000000074CAB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
| MD5 | 1eb486fa6291baa043d8558201f6a3aa |
| SHA1 | b5da2ab73ed9c1fd7b19925b4ed5475500139a71 |
| SHA256 | e27926aab5635abff5cc672148cd58c991bbf9867e51ac49d0fadd22afe7242c |
| SHA512 | aa38a937c2c16b344025e6360fe993d73b9388902abf62df2d7d675cdb86d30b5105b2c3078dcf844438f35d1a06610bbcfa578b3abd1abb3e78026a9ae27ab4 |
C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
| MD5 | e39f16b8ee508db0af0ee84322f466ea |
| SHA1 | e1b09005ff4bbbe94d67e282bb8e7bd2860a7df9 |
| SHA256 | 136b41f230870f55cf21fe88923a0089ce9bd64555c5f839ca5ed3ca0e467218 |
| SHA512 | 8cb4675bc185e32c1ca06194b811995c531ef4a7bca2a1371715fd994358de1f9904cd0583e02919d02406cbf328f3638437f1bb0a5e785e636cc5830bce0518 |
memory/2744-25-0x0000000074700000-0x0000000074CAB000-memory.dmp
memory/2744-24-0x0000000074700000-0x0000000074CAB000-memory.dmp
memory/2780-26-0x0000000074700000-0x0000000074CAB000-memory.dmp
memory/2600-36-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2600-38-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2600-37-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2600-33-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2600-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2600-31-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2600-30-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2600-29-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2744-42-0x0000000074700000-0x0000000074CAB000-memory.dmp