Malware Analysis Report

2025-04-03 10:18

Sample ID 250131-xfxzvstngx
Target JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1
SHA256 508a8f15683250a5e1c3c0b46ab024fa74ebba1eda5e508860f3db06515faac9
Tags
blackshades defense_evasion discovery persistence rat upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

508a8f15683250a5e1c3c0b46ab024fa74ebba1eda5e508860f3db06515faac9

Threat Level: Known bad

The file JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat upx

Blackshades payload

Blackshades family

Modifies firewall policy service

Blackshades

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-31 18:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-31 18:48

Reported

2025-01-31 18:50

Platform

win10v2004-20250129-en

Max time kernel

148s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\Protected.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe" C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD31C8E4-003D-FC99-DA72-B10DA6A7FE3C} C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD31C8E4-003D-FC99-DA72-B10DA6A7FE3C}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe" C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{DD31C8E4-003D-FC99-DA72-B10DA6A7FE3C} C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{DD31C8E4-003D-FC99-DA72-B10DA6A7FE3C}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe" C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe" C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe" C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4948 set thread context of 4000 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1116 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
PID 1116 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
PID 1116 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
PID 1116 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 1116 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 1116 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 3768 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
PID 3768 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
PID 3768 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
PID 4948 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 4948 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 4948 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 4948 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 4948 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 4948 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 4948 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 4948 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 4000 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 32 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 32 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3860 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3860 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3860 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5064 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5064 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5064 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe"

C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe

"C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe"

C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe

C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe

C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe

C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 ilolle.no-ip.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ilolle.no-ip.org udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 1ilolle.no-ip.org udp
US 8.8.8.8:53 96.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 2ilolle.no-ip.org udp
ID 212.117.50.228:90 2ilolle.no-ip.org tcp
US 8.8.8.8:53 3ilolle.no-ip.org udp
US 8.8.8.8:53 4ilolle.no-ip.org udp
US 8.8.8.8:53 5ilolle.no-ip.org udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 6ilolle.no-ip.org udp
US 8.8.8.8:53 7ilolle.no-ip.org udp
US 8.8.8.8:53 8ilolle.no-ip.org udp

Files

memory/1116-0-0x0000000075532000-0x0000000075533000-memory.dmp

memory/1116-1-0x0000000075530000-0x0000000075AE1000-memory.dmp

memory/1116-2-0x0000000075530000-0x0000000075AE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe

MD5 1eb486fa6291baa043d8558201f6a3aa
SHA1 b5da2ab73ed9c1fd7b19925b4ed5475500139a71
SHA256 e27926aab5635abff5cc672148cd58c991bbf9867e51ac49d0fadd22afe7242c
SHA512 aa38a937c2c16b344025e6360fe993d73b9388902abf62df2d7d675cdb86d30b5105b2c3078dcf844438f35d1a06610bbcfa578b3abd1abb3e78026a9ae27ab4

memory/3768-21-0x0000000075530000-0x0000000075AE1000-memory.dmp

memory/1116-22-0x0000000075530000-0x0000000075AE1000-memory.dmp

memory/3768-23-0x0000000075530000-0x0000000075AE1000-memory.dmp

memory/4948-25-0x0000000075530000-0x0000000075AE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe

MD5 e39f16b8ee508db0af0ee84322f466ea
SHA1 e1b09005ff4bbbe94d67e282bb8e7bd2860a7df9
SHA256 136b41f230870f55cf21fe88923a0089ce9bd64555c5f839ca5ed3ca0e467218
SHA512 8cb4675bc185e32c1ca06194b811995c531ef4a7bca2a1371715fd994358de1f9904cd0583e02919d02406cbf328f3638437f1bb0a5e785e636cc5830bce0518

memory/4000-33-0x0000000000400000-0x0000000000473000-memory.dmp

memory/3768-38-0x0000000075530000-0x0000000075AE1000-memory.dmp

memory/4948-34-0x0000000075530000-0x0000000075AE1000-memory.dmp

memory/4000-32-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4000-31-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4000-27-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4948-24-0x0000000075530000-0x0000000075AE1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-31 18:48

Reported

2025-01-31 18:50

Platform

win7-20240903-en

Max time kernel

148s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\svchost.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Adobe\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\svchost.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Adobe Update Manager = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components\{AAFA00DE-F7F2-AFA9-383C-F4B9B4BE5EC6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAFA00DE-F7F2-AFA9-383C-F4B9B4BE5EC6} C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAFA00DE-F7F2-AFA9-383C-F4B9B4BE5EC6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAFA00DE-F7F2-AFA9-383C-F4B9B4BE5EC6} C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Update Manager = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Update Manager = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2744 set thread context of 2600 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2780 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
PID 2780 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
PID 2780 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
PID 2780 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
PID 2780 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 2780 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 2780 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 2780 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 2584 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 2584 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 2584 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 2584 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe
PID 2744 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
PID 2744 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
PID 2744 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
PID 2744 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
PID 2744 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
PID 2744 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
PID 2744 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
PID 2744 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe
PID 2600 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1160 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1160 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1160 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1160 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1272 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1272 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1272 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1272 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d02b421775eecdf310f2c0e1b48b4b1.exe"

C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe

"C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe"

C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe

C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe

C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe

C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\svchost.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\svchost.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 ppwng.zapto.org udp
US 8.8.8.8:53 1ppwng.zapto.org udp
US 8.8.8.8:53 2ppwng.zapto.org udp
US 8.8.8.8:53 3ppwng.zapto.org udp
US 8.8.8.8:53 4ppwng.zapto.org udp
US 8.8.8.8:53 5ppwng.zapto.org udp
US 8.8.8.8:53 6ppwng.zapto.org udp
US 8.8.8.8:53 7ppwng.zapto.org udp
US 8.8.8.8:53 8ppwng.zapto.org udp

Files

memory/2780-0-0x0000000074701000-0x0000000074702000-memory.dmp

memory/2780-1-0x0000000074700000-0x0000000074CAB000-memory.dmp

memory/2780-3-0x0000000074700000-0x0000000074CAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Software\svchost.exe

MD5 1eb486fa6291baa043d8558201f6a3aa
SHA1 b5da2ab73ed9c1fd7b19925b4ed5475500139a71
SHA256 e27926aab5635abff5cc672148cd58c991bbf9867e51ac49d0fadd22afe7242c
SHA512 aa38a937c2c16b344025e6360fe993d73b9388902abf62df2d7d675cdb86d30b5105b2c3078dcf844438f35d1a06610bbcfa578b3abd1abb3e78026a9ae27ab4

C:\Users\Admin\AppData\Local\Temp\Software\Protected.exe

MD5 e39f16b8ee508db0af0ee84322f466ea
SHA1 e1b09005ff4bbbe94d67e282bb8e7bd2860a7df9
SHA256 136b41f230870f55cf21fe88923a0089ce9bd64555c5f839ca5ed3ca0e467218
SHA512 8cb4675bc185e32c1ca06194b811995c531ef4a7bca2a1371715fd994358de1f9904cd0583e02919d02406cbf328f3638437f1bb0a5e785e636cc5830bce0518

memory/2744-25-0x0000000074700000-0x0000000074CAB000-memory.dmp

memory/2744-24-0x0000000074700000-0x0000000074CAB000-memory.dmp

memory/2780-26-0x0000000074700000-0x0000000074CAB000-memory.dmp

memory/2600-36-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2600-38-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2600-37-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2600-33-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2600-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2600-31-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2600-30-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2600-29-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2744-42-0x0000000074700000-0x0000000074CAB000-memory.dmp