Malware Analysis Report

2025-04-03 10:18

Sample ID 250201-mmndwsyjf1
Target JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97
SHA256 bcec96017b538e00d13e8836cf1f2ff922a24dd1d30a6e50b08144304476ed5a
Tags blackshades defense_evasion discovery persistence rat trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bcec96017b538e00d13e8836cf1f2ff922a24dd1d30a6e50b08144304476ed5a

Threat Level: Known bad

The file JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat trojan upx

Blackshades

Modifies firewall policy service

Blackshades family

UAC bypass

Blackshades payload

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

UPX packed file

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry key

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-01 10:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-01 10:35

Reported

2025-02-01 10:37

Platform

win7-20240903-en

Max time kernel

149s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies firewall policy service

defense_evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\RacunLast.exe = "C:\\Users\\Admin\\AppData\\Roaming\\RacunLast.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\racun\rracun.exe = "C:\\Windows\\racun\\rracun.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A

UAC bypass

defense_evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Windows\racun\rracun.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\RacunSys = "C:\\Users\\Admin\\AppData\\Roaming\\RacunLast.exe" | C:\Windows\racun\rracun.exe | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D7EAAC8-DA69-DFD3-FCC1-AC5FCEFDD6DA} | C:\Windows\racun\rracun.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D7EAAC8-DA69-DFD3-FCC1-AC5FCEFDD6DA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\RacunLast.exe" | C:\Windows\racun\rracun.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D7EAAC8-DA69-DFD3-FCC1-AC5FCEFDD6DA} | C:\Windows\racun\rracun.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components\{9D7EAAC8-DA69-DFD3-FCC1-AC5FCEFDD6DA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\RacunLast.exe" | C:\Windows\racun\rracun.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\racun\rracun.exe | N/A
N/A | N/A | C:\Windows\racun\rracun.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\kluc name = "C:\\Windows\\racun\\rracun.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RacunSys = "C:\\Users\\Admin\\AppData\\Roaming\\RacunLast.exe" | C:\Windows\racun\rracun.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\RacunSys = "C:\\Users\\Admin\\AppData\\Roaming\\RacunLast.exe" | C:\Windows\racun\rracun.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 183248 set thread context of 182324 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\racun\rracun.exe

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\racun\rracun.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | N/A
File opened for modification | C:\Windows\racun\rracun.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\racun\rracun.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\racun\rracun.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 1 | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeCreatePermanentPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeSyncAgentPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeEnableDelegationPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: 31 | N/A | C:\Windows\racun\rracun.exe | N/A
Token: 32 | N/A | C:\Windows\racun\rracun.exe | N/A
Token: 33 | N/A | C:\Windows\racun\rracun.exe | N/A
Token: 34 | N/A | C:\Windows\racun\rracun.exe | N/A
Token: 35 | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2228 wrote to memory of 153704 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 153704 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 153704 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 153704 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\SysWOW64\cmd.exe
PID 153704 wrote to memory of 24676 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 153704 wrote to memory of 24676 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 153704 wrote to memory of 24676 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 153704 wrote to memory of 24676 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2228 wrote to memory of 165604 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 165604 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 165604 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 165604 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\SysWOW64\cmd.exe
PID 165604 wrote to memory of 166540 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 165604 wrote to memory of 166540 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 165604 wrote to memory of 166540 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 165604 wrote to memory of 166540 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2228 wrote to memory of 183248 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\racun\rracun.exe
PID 2228 wrote to memory of 183248 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\racun\rracun.exe
PID 2228 wrote to memory of 183248 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\racun\rracun.exe
PID 2228 wrote to memory of 183248 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\racun\rracun.exe
PID 183248 wrote to memory of 182324 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\racun\rracun.exe
PID 183248 wrote to memory of 182324 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\racun\rracun.exe
PID 183248 wrote to memory of 182324 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\racun\rracun.exe
PID 183248 wrote to memory of 182324 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\racun\rracun.exe
PID 183248 wrote to memory of 182324 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\racun\rracun.exe
PID 183248 wrote to memory of 182324 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\racun\rracun.exe
PID 183248 wrote to memory of 182324 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\racun\rracun.exe
PID 183248 wrote to memory of 182324 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\racun\rracun.exe
PID 182324 wrote to memory of 182552 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe
PID 182324 wrote to memory of 182552 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe
PID 182324 wrote to memory of 182552 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe
PID 182324 wrote to memory of 182552 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe
PID 182324 wrote to memory of 182592 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe
PID 182324 wrote to memory of 182592 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe
PID 182324 wrote to memory of 182592 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe
PID 182324 wrote to memory of 182592 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe
PID 182324 wrote to memory of 182596 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe
PID 182324 wrote to memory of 182596 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe
PID 182324 wrote to memory of 182596 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe
PID 182324 wrote to memory of 182596 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe
PID 182324 wrote to memory of 182656 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe
PID 182324 wrote to memory of 182656 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe
PID 182324 wrote to memory of 182656 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe
PID 182324 wrote to memory of 182656 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe
PID 182592 wrote to memory of 182832 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 182592 wrote to memory of 182832 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 182592 wrote to memory of 182832 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 182592 wrote to memory of 182832 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 182552 wrote to memory of 182852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 182552 wrote to memory of 182852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 182552 wrote to memory of 182852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 182552 wrote to memory of 182852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 182656 wrote to memory of 182860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 182656 wrote to memory of 182860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 182656 wrote to memory of 182860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 182656 wrote to memory of 182860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 182596 wrote to memory of 182888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 182596 wrote to memory of 182888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 182596 wrote to memory of 182888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 182596 wrote to memory of 182888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\259428539.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\259432299.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "kluc name" /t REG_SZ /d "C:\Windows\racun\rracun.exe" /f

C:\Windows\racun\rracun.exe

"C:\Windows\racun\rracun.exe"

C:\Windows\racun\rracun.exe

"C:\Windows\racun\rracun.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\racun\rracun.exe" /t REG_SZ /d "C:\Windows\racun\rracun.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RacunLast.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RacunLast.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\racun\rracun.exe" /t REG_SZ /d "C:\Windows\racun\rracun.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RacunLast.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RacunLast.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | balkanboy.zapto.org | udp
US | 8.8.8.8:53 | 1balkanboy.zapto.org | udp
US | 8.8.8.8:53 | 2balkanboy.zapto.org | udp
US | 8.8.8.8:53 | 3balkanboy.zapto.org | udp
US | 8.8.8.8:53 | 4balkanboy.zapto.org | udp
US | 8.8.8.8:53 | 5balkanboy.zapto.org | udp

Files

memory/2228-81558-0x00000000002C0000-0x00000000002C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\259428539.bat

MD5 a7abd9bdc5677f68c18d7524eb9ec1ab
SHA1 948db612bae78b17e4df26d1884f9d2129e6ac9f
SHA256 79192d9e9ebc7f9a864fdae37e771650afe5d41b8ba7da7a6ffeaff12b32e7b7
SHA512 bfcbbb6f9a76457427000e05b241755c13f1a6def8f0b0afc5d491409b812bacceed8545bd3e781779b2e2cd3fe8b1c323c17d3665df868cacc063c2e38c465d

C:\Users\Admin\AppData\Local\Temp\259432299.bat

MD5 ee46813d644e2f3527f7332b0e55af02
SHA1 0db88b645364c64e942c85f3c5e4a503ba940f21
SHA256 9509158dad0060a9fb3cb8fbaef9957103df755a3f79d17c1029d1efc1e2aafe
SHA512 7da3f1c6b6ed4ceb4307c2bbd43fb9b5fb969485e4388abfe07d5488b6da76f82a55d186ee5b59f7802f10e85e7f70d2f96fb0dd1f99be6f0aab4334cfce483e

memory/2228-99541-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2228-99543-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2228-99545-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2228-99547-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2228-99549-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2228-99551-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2228-99553-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2228-99555-0x0000000000530000-0x0000000000630000-memory.dmp

\Windows\racun\rracun.exe

MD5 80e18361819c4f030c5e4d01fded06a3
SHA1 756c79f570717f7a7973d6b4b53c1e203fc00289
SHA256 db0fc46ff8418892ef63b42c95c88dafe659d2e7439367d9e2deaa320d329009
SHA512 68e7e8b8634a612cb633218ba422e59396bbeaa08caf42b8b0cbdbc37dd7439937bfa8088cef784d4766394bce7209de321a407e78d575166f323f34ee155c75

memory/182324-200625-0x0000000000400000-0x0000000000473000-memory.dmp

memory/182324-200637-0x0000000000400000-0x0000000000473000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-01 10:35

Reported

2025-02-01 10:37

Platform

win10v2004-20250129-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies firewall policy service

defense_evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\RacunLast.exe = "C:\\Users\\Admin\\AppData\\Roaming\\RacunLast.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\racun\rracun.exe = "C:\\Windows\\racun\\rracun.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A

UAC bypass

defense_evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Windows\racun\rracun.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\RacunSys = "C:\\Users\\Admin\\AppData\\Roaming\\RacunLast.exe" | C:\Windows\racun\rracun.exe | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D7EAAC8-DA69-DFD3-FCC1-AC5FCEFDD6DA} | C:\Windows\racun\rracun.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D7EAAC8-DA69-DFD3-FCC1-AC5FCEFDD6DA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\RacunLast.exe" | C:\Windows\racun\rracun.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D7EAAC8-DA69-DFD3-FCC1-AC5FCEFDD6DA} | C:\Windows\racun\rracun.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D7EAAC8-DA69-DFD3-FCC1-AC5FCEFDD6DA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\RacunLast.exe" | C:\Windows\racun\rracun.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\racun\rracun.exe | N/A
N/A | N/A | C:\Windows\racun\rracun.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RacunSys = "C:\\Users\\Admin\\AppData\\Roaming\\RacunLast.exe" | C:\Windows\racun\rracun.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RacunSys = "C:\\Users\\Admin\\AppData\\Roaming\\RacunLast.exe" | C:\Windows\racun\rracun.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kluc name = "C:\\Windows\\racun\\rracun.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2712 set thread context of 4728 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\racun\rracun.exe

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\racun\rracun.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | N/A
File opened for modification | C:\Windows\racun\rracun.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\racun\rracun.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\racun\rracun.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 1 | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeCreatePermanentPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeSyncAgentPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeEnableDelegationPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A
Token: 31 | N/A | C:\Windows\racun\rracun.exe | N/A
Token: 32 | N/A | C:\Windows\racun\rracun.exe | N/A
Token: 33 | N/A | C:\Windows\racun\rracun.exe | N/A
Token: 34 | N/A | C:\Windows\racun\rracun.exe | N/A
Token: 35 | N/A | C:\Windows\racun\rracun.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\racun\rracun.exe | N/A

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 552 wrote to memory of 3792 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 552 wrote to memory of 3792 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 552 wrote to memory of 3792 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3792 wrote to memory of 2016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 3792 wrote to memory of 2016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 3792 wrote to memory of 2016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 552 wrote to memory of 3212 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 552 wrote to memory of 3212 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 552 wrote to memory of 3212 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3212 wrote to memory of 3876 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 3212 wrote to memory of 3876 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 3212 wrote to memory of 3876 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 552 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\racun\rracun.exe |
| PID 552 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\racun\rracun.exe |
| PID 552 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe | C:\Windows\racun\rracun.exe |
| PID 2712 wrote to memory of 4728 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\racun\rracun.exe |
| PID 2712 wrote to memory of 4728 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\racun\rracun.exe |
| PID 2712 wrote to memory of 4728 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\racun\rracun.exe |
| PID 2712 wrote to memory of 4728 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\racun\rracun.exe |
| PID 2712 wrote to memory of 4728 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\racun\rracun.exe |
| PID 2712 wrote to memory of 4728 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\racun\rracun.exe |
| PID 2712 wrote to memory of 4728 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\racun\rracun.exe |
| PID 2712 wrote to memory of 4728 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\racun\rracun.exe |
| PID 4728 wrote to memory of 3216 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4728 wrote to memory of 3216 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4728 wrote to memory of 3216 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4728 wrote to memory of 1884 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4728 wrote to memory of 1884 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4728 wrote to memory of 1884 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4728 wrote to memory of 3732 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4728 wrote to memory of 3732 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4728 wrote to memory of 3732 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4728 wrote to memory of 1500 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4728 wrote to memory of 1500 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4728 wrote to memory of 1500 | N/A | C:\Windows\racun\rracun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3216 wrote to memory of 1328 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 3216 wrote to memory of 1328 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 3216 wrote to memory of 1328 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 1884 wrote to memory of 2948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 1884 wrote to memory of 2948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 1884 wrote to memory of 2948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 3732 wrote to memory of 4588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 3732 wrote to memory of 4588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 3732 wrote to memory of 4588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 1500 wrote to memory of 5056 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 1500 wrote to memory of 5056 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 1500 wrote to memory of 5056 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240614531.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240620953.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "kluc name" /t REG_SZ /d "C:\Windows\racun\rracun.exe" /f

C:\Windows\racun\rracun.exe

"C:\Windows\racun\rracun.exe"

C:\Windows\racun\rracun.exe

"C:\Windows\racun\rracun.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\racun\rracun.exe" /t REG_SZ /d "C:\Windows\racun\rracun.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RacunLast.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RacunLast.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\racun\rracun.exe" /t REG_SZ /d "C:\Windows\racun\rracun.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RacunLast.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RacunLast.exe:*:Enabled:Windows Messanger" /f

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | balkanboy.zapto.org | udp |
| US | 8.8.8.8:53 | balkanboy.zapto.org | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1balkanboy.zapto.org | udp |
| US | 8.8.8.8:53 | 2balkanboy.zapto.org | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3balkanboy.zapto.org | udp |
| US | 8.8.8.8:53 | 4balkanboy.zapto.org | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5balkanboy.zapto.org | udp |
| US | 8.8.8.8:53 | 6balkanboy.zapto.org | udp |
| US | 8.8.8.8:53 | 7balkanboy.zapto.org | udp |
| US | 8.8.8.8:53 | 8balkanboy.zapto.org | udp |

Files

memory/552-2-0x0000000002240000-0x0000000002241000-memory.dmp

memory/552-3-0x0000000002290000-0x0000000002291000-memory.dmp

memory/552-4-0x00000000022B0000-0x00000000022B1000-memory.dmp

memory/552-5-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/552-6-0x0000000002300000-0x0000000002301000-memory.dmp

memory/552-7-0x0000000002240000-0x0000000002241000-memory.dmp

memory/552-8-0x0000000002280000-0x0000000002281000-memory.dmp

memory/552-10-0x0000000002290000-0x0000000002291000-memory.dmp

memory/552-11-0x00000000022A0000-0x00000000022A1000-memory.dmp

memory/552-14-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/552-13-0x00000000022C0000-0x00000000022C1000-memory.dmp

memory/552-12-0x00000000022B0000-0x00000000022B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\240614531.bat

MD5 a7abd9bdc5677f68c18d7524eb9ec1ab
SHA1 948db612bae78b17e4df26d1884f9d2129e6ac9f
SHA256 79192d9e9ebc7f9a864fdae37e771650afe5d41b8ba7da7a6ffeaff12b32e7b7
SHA512 bfcbbb6f9a76457427000e05b241755c13f1a6def8f0b0afc5d491409b812bacceed8545bd3e781779b2e2cd3fe8b1c323c17d3665df868cacc063c2e38c465d

memory/552-18-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/552-19-0x0000000002310000-0x0000000002311000-memory.dmp

memory/552-21-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\240620953.bat

MD5 ee46813d644e2f3527f7332b0e55af02
SHA1 0db88b645364c64e942c85f3c5e4a503ba940f21
SHA256 9509158dad0060a9fb3cb8fbaef9957103df755a3f79d17c1029d1efc1e2aafe
SHA512 7da3f1c6b6ed4ceb4307c2bbd43fb9b5fb969485e4388abfe07d5488b6da76f82a55d186ee5b59f7802f10e85e7f70d2f96fb0dd1f99be6f0aab4334cfce483e

memory/552-25-0x00000000036E0000-0x00000000036E1000-memory.dmp

C:\Windows\racun\rracun.exe

MD5 80e18361819c4f030c5e4d01fded06a3
SHA1 756c79f570717f7a7973d6b4b53c1e203fc00289
SHA256 db0fc46ff8418892ef63b42c95c88dafe659d2e7439367d9e2deaa320d329009
SHA512 68e7e8b8634a612cb633218ba422e59396bbeaa08caf42b8b0cbdbc37dd7439937bfa8088cef784d4766394bce7209de321a407e78d575166f323f34ee155c75

memory/2712-40-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/2712-41-0x0000000002160000-0x0000000002161000-memory.dmp

memory/2712-42-0x0000000002190000-0x0000000002191000-memory.dmp

memory/2712-43-0x00000000021C0000-0x00000000021C1000-memory.dmp

memory/2712-44-0x0000000002160000-0x0000000002161000-memory.dmp

memory/2712-45-0x0000000002180000-0x0000000002181000-memory.dmp

memory/2712-46-0x0000000002190000-0x0000000002191000-memory.dmp

memory/2712-47-0x00000000021A0000-0x00000000021A1000-memory.dmp

memory/2712-52-0x00000000021D0000-0x00000000021D1000-memory.dmp

memory/2712-51-0x00000000021C0000-0x00000000021C1000-memory.dmp

memory/2712-50-0x0000000002B00000-0x0000000002B01000-memory.dmp

memory/2712-49-0x00000000021B0000-0x00000000021B1000-memory.dmp

memory/2712-53-0x0000000002F30000-0x0000000002F31000-memory.dmp

memory/4728-54-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4728-57-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4728-59-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4728-65-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4728-69-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4728-73-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4728-76-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4728-79-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4728-83-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4728-86-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4728-89-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4728-93-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4728-96-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4728-99-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4728-103-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4728-106-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4728-109-0x0000000000400000-0x0000000000473000-memory.dmp