Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
01/02/2025, 10:35
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe
Resource
win10v2004-20250129-en
General
-
Target
JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe
-
Size
644KB
-
MD5
70c9d1cd6056c6ed265dea8d413cfc97
-
SHA1
a653507de24c71577d431a5cd4d5bbd10e613299
-
SHA256
bcec96017b538e00d13e8836cf1f2ff922a24dd1d30a6e50b08144304476ed5a
-
SHA512
a2eef39593ee4e752cae90d67c589caa6df22df29d70b325f26d6930e26c4d56f8b87a0f4b82b5011b9aef67151d68e8c6164ffc3bb4b29db18f21e0dfcc9aae
-
SSDEEP
6144:B41m5vbRoTASrqzusXCOf0sTDFiE+t0nrZ7Q4Qo0SiWe6uxIHN:BZx3Srq6sXCqTDFihtIt4SNe6uxS
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 15 IoCs
resource yara_rule behavioral2/memory/4728-59-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral2/memory/4728-65-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral2/memory/4728-69-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral2/memory/4728-73-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral2/memory/4728-76-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral2/memory/4728-79-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral2/memory/4728-83-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral2/memory/4728-86-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral2/memory/4728-89-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral2/memory/4728-93-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral2/memory/4728-96-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral2/memory/4728-99-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral2/memory/4728-103-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral2/memory/4728-106-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades behavioral2/memory/4728-109-0x0000000000400000-0x0000000000473000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\RacunLast.exe = "C:\\Users\\Admin\\AppData\\Roaming\\RacunLast.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\racun\rracun.exe = "C:\\Windows\\racun\\rracun.exe:*:Enabled:Windows Messanger" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe -
UAC bypass 3 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run rracun.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\RacunSys = "C:\\Users\\Admin\\AppData\\Roaming\\RacunLast.exe" rracun.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D7EAAC8-DA69-DFD3-FCC1-AC5FCEFDD6DA} rracun.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D7EAAC8-DA69-DFD3-FCC1-AC5FCEFDD6DA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\RacunLast.exe" rracun.exe Key created \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D7EAAC8-DA69-DFD3-FCC1-AC5FCEFDD6DA} rracun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D7EAAC8-DA69-DFD3-FCC1-AC5FCEFDD6DA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\RacunLast.exe" rracun.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe -
Executes dropped EXE 2 IoCs
pid Process 2712 rracun.exe 4728 rracun.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RacunSys = "C:\\Users\\Admin\\AppData\\Roaming\\RacunLast.exe" rracun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RacunSys = "C:\\Users\\Admin\\AppData\\Roaming\\RacunLast.exe" rracun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kluc name = "C:\\Windows\\racun\\rracun.exe" reg.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2712 set thread context of 4728 2712 rracun.exe 94 -
resource yara_rule behavioral2/memory/4728-54-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral2/memory/4728-57-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral2/memory/4728-59-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral2/memory/4728-65-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral2/memory/4728-69-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral2/memory/4728-73-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral2/memory/4728-76-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral2/memory/4728-79-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral2/memory/4728-83-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral2/memory/4728-86-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral2/memory/4728-89-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral2/memory/4728-93-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral2/memory/4728-96-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral2/memory/4728-99-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral2/memory/4728-103-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral2/memory/4728-106-0x0000000000400000-0x0000000000473000-memory.dmp upx behavioral2/memory/4728-109-0x0000000000400000-0x0000000000473000-memory.dmp upx -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\racun\rracun.exe JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe File opened for modification C:\Windows\racun\rracun.exe JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rracun.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rracun.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 1328 reg.exe 4588 reg.exe 2948 reg.exe 5056 reg.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: 1 4728 rracun.exe Token: SeCreateTokenPrivilege 4728 rracun.exe Token: SeAssignPrimaryTokenPrivilege 4728 rracun.exe Token: SeLockMemoryPrivilege 4728 rracun.exe Token: SeIncreaseQuotaPrivilege 4728 rracun.exe Token: SeMachineAccountPrivilege 4728 rracun.exe Token: SeTcbPrivilege 4728 rracun.exe Token: SeSecurityPrivilege 4728 rracun.exe Token: SeTakeOwnershipPrivilege 4728 rracun.exe Token: SeLoadDriverPrivilege 4728 rracun.exe Token: SeSystemProfilePrivilege 4728 rracun.exe Token: SeSystemtimePrivilege 4728 rracun.exe Token: SeProfSingleProcessPrivilege 4728 rracun.exe Token: SeIncBasePriorityPrivilege 4728 rracun.exe Token: SeCreatePagefilePrivilege 4728 rracun.exe Token: SeCreatePermanentPrivilege 4728 rracun.exe Token: SeBackupPrivilege 4728 rracun.exe Token: SeRestorePrivilege 4728 rracun.exe Token: SeShutdownPrivilege 4728 rracun.exe Token: SeDebugPrivilege 4728 rracun.exe Token: SeAuditPrivilege 4728 rracun.exe Token: SeSystemEnvironmentPrivilege 4728 rracun.exe Token: SeChangeNotifyPrivilege 4728 rracun.exe Token: SeRemoteShutdownPrivilege 4728 rracun.exe Token: SeUndockPrivilege 4728 rracun.exe Token: SeSyncAgentPrivilege 4728 rracun.exe Token: SeEnableDelegationPrivilege 4728 rracun.exe Token: SeManageVolumePrivilege 4728 rracun.exe Token: SeImpersonatePrivilege 4728 rracun.exe Token: SeCreateGlobalPrivilege 4728 rracun.exe Token: 31 4728 rracun.exe Token: 32 4728 rracun.exe Token: 33 4728 rracun.exe Token: 34 4728 rracun.exe Token: 35 4728 rracun.exe Token: SeDebugPrivilege 4728 rracun.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 552 JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe 2712 rracun.exe 2712 rracun.exe 4728 rracun.exe 4728 rracun.exe 4728 rracun.exe 4728 rracun.exe -
Suspicious use of WriteProcessMemory 47 IoCs
description pid Process procid_target PID 552 wrote to memory of 3792 552 JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe 86 PID 552 wrote to memory of 3792 552 JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe 86 PID 552 wrote to memory of 3792 552 JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe 86 PID 3792 wrote to memory of 2016 3792 cmd.exe 89 PID 3792 wrote to memory of 2016 3792 cmd.exe 89 PID 3792 wrote to memory of 2016 3792 cmd.exe 89 PID 552 wrote to memory of 3212 552 JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe 90 PID 552 wrote to memory of 3212 552 JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe 90 PID 552 wrote to memory of 3212 552 JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe 90 PID 3212 wrote to memory of 3876 3212 cmd.exe 92 PID 3212 wrote to memory of 3876 3212 cmd.exe 92 PID 3212 wrote to memory of 3876 3212 cmd.exe 92 PID 552 wrote to memory of 2712 552 JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe 93 PID 552 wrote to memory of 2712 552 JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe 93 PID 552 wrote to memory of 2712 552 JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe 93 PID 2712 wrote to memory of 4728 2712 rracun.exe 94 PID 2712 wrote to memory of 4728 2712 rracun.exe 94 PID 2712 wrote to memory of 4728 2712 rracun.exe 94 PID 2712 wrote to memory of 4728 2712 rracun.exe 94 PID 2712 wrote to memory of 4728 2712 rracun.exe 94 PID 2712 wrote to memory of 4728 2712 rracun.exe 94 PID 2712 wrote to memory of 4728 2712 rracun.exe 94 PID 2712 wrote to memory of 4728 2712 rracun.exe 94 PID 4728 wrote to memory of 3216 4728 rracun.exe 95 PID 4728 wrote to memory of 3216 4728 rracun.exe 95 PID 4728 wrote to memory of 3216 4728 rracun.exe 95 PID 4728 wrote to memory of 1884 4728 rracun.exe 96 PID 4728 wrote to memory of 1884 4728 rracun.exe 96 PID 4728 wrote to memory of 1884 4728 rracun.exe 96 PID 4728 wrote to memory of 3732 4728 rracun.exe 98 PID 4728 wrote to memory of 3732 4728 rracun.exe 98 PID 4728 wrote to memory of 3732 4728 rracun.exe 98 PID 4728 wrote to memory of 1500 4728 rracun.exe 99 PID 4728 wrote to memory of 1500 4728 rracun.exe 99 PID 4728 wrote to memory of 1500 4728 rracun.exe 99 PID 3216 wrote to memory of 1328 3216 cmd.exe 103 PID 3216 wrote to memory of 1328 3216 cmd.exe 103 PID 3216 wrote to memory of 1328 3216 cmd.exe 103 PID 1884 wrote to memory of 2948 1884 cmd.exe 105 PID 1884 wrote to memory of 2948 1884 cmd.exe 105 PID 1884 wrote to memory of 2948 1884 cmd.exe 105 PID 3732 wrote to memory of 4588 3732 cmd.exe 106 PID 3732 wrote to memory of 4588 3732 cmd.exe 106 PID 3732 wrote to memory of 4588 3732 cmd.exe 106 PID 1500 wrote to memory of 5056 1500 cmd.exe 107 PID 1500 wrote to memory of 5056 1500 cmd.exe 107 PID 1500 wrote to memory of 5056 1500 cmd.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240614531.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:2016
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240620953.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "kluc name" /t REG_SZ /d "C:\Windows\racun\rracun.exe" /f3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3876
-
-
-
C:\Windows\racun\rracun.exe"C:\Windows\racun\rracun.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\racun\rracun.exe"C:\Windows\racun\rracun.exe"3⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1328
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\racun\rracun.exe" /t REG_SZ /d "C:\Windows\racun\rracun.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\racun\rracun.exe" /t REG_SZ /d "C:\Windows\racun\rracun.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2948
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4588
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RacunLast.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RacunLast.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RacunLast.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RacunLast.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5056
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
118B
MD5a7abd9bdc5677f68c18d7524eb9ec1ab
SHA1948db612bae78b17e4df26d1884f9d2129e6ac9f
SHA25679192d9e9ebc7f9a864fdae37e771650afe5d41b8ba7da7a6ffeaff12b32e7b7
SHA512bfcbbb6f9a76457427000e05b241755c13f1a6def8f0b0afc5d491409b812bacceed8545bd3e781779b2e2cd3fe8b1c323c17d3665df868cacc063c2e38c465d
-
Filesize
121B
MD5ee46813d644e2f3527f7332b0e55af02
SHA10db88b645364c64e942c85f3c5e4a503ba940f21
SHA2569509158dad0060a9fb3cb8fbaef9957103df755a3f79d17c1029d1efc1e2aafe
SHA5127da3f1c6b6ed4ceb4307c2bbd43fb9b5fb969485e4388abfe07d5488b6da76f82a55d186ee5b59f7802f10e85e7f70d2f96fb0dd1f99be6f0aab4334cfce483e
-
Filesize
644KB
MD580e18361819c4f030c5e4d01fded06a3
SHA1756c79f570717f7a7973d6b4b53c1e203fc00289
SHA256db0fc46ff8418892ef63b42c95c88dafe659d2e7439367d9e2deaa320d329009
SHA51268e7e8b8634a612cb633218ba422e59396bbeaa08caf42b8b0cbdbc37dd7439937bfa8088cef784d4766394bce7209de321a407e78d575166f323f34ee155c75