Analysis Overview
SHA256
ae3b0ec48c6fe450677181f97d83fee2092d578c796012d9273721e3b19e3a32
Threat Level: Known bad
The file JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d was found to be: Known bad.
Malicious Activity Summary
Blackshades payload
Modifies firewall policy service
Blackshades
Blackshades family
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-02 04:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-02 04:36
Reported
2025-02-02 04:38
Platform
win7-20240903-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\WinDefender.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Active Setup\Installed Components\{E9EEEB4B-4F6F-F8BC-AECA-FCBA3FA43FF0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9EEEB4B-4F6F-F8BC-AECA-FCBA3FA43FF0} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9EEEB4B-4F6F-F8BC-AECA-FCBA3FA43FF0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{E9EEEB4B-4F6F-F8BC-AECA-FCBA3FA43FF0} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2240 set thread context of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WinDefender.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinDefender.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WinDefender.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinDefender.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | speedtest.zapto.org | udp |
Files
memory/2900-2-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2900-4-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2900-6-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2900-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2900-10-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2900-12-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Users\Admin\AppData\Roaming\WinDefender.exe
| MD5 | 790cc414d59d606495f9c942ab7f2d2d |
| SHA1 | ebafafe5576bb96a59ead7168c44168e3e29f675 |
| SHA256 | ae3b0ec48c6fe450677181f97d83fee2092d578c796012d9273721e3b19e3a32 |
| SHA512 | 7adb31700ad13d2fdb4f64e83a8fff278bc474021932a087a67756009d8c7ca8cc509672f656a973ccd99916ea67dc019ceec1cb743bccd1144856cf4fd7f68a |
memory/2900-39-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2900-40-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2900-63-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2900-88-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2900-109-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2900-132-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2900-156-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2900-175-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2900-243-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2900-266-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Users\Admin\AppData\Roaming\data.dat
| MD5 | 961d6f58c7be33d2be1b097841919f62 |
| SHA1 | 5f69b82fc1eac6be7ffaafb3bd240bacb197513f |
| SHA256 | 669472b3fdbcc0bf8031d1626040d609e0de9322773aca6e97b4768bc3552f89 |
| SHA512 | b7606692ed206b513aca6a278a5c5b9002a317c7573fd7a0c31209e4742839fecdba65a3abda889e9d9a4e7cb8b0db093607b94588e5ad64e606a751020ec777 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-02 04:36
Reported
2025-02-02 04:38
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\WinDefender.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9EEEB4B-4F6F-F8BC-AECA-FCBA3FA43FF0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{E9EEEB4B-4F6F-F8BC-AECA-FCBA3FA43FF0} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{E9EEEB4B-4F6F-F8BC-AECA-FCBA3FA43FF0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9EEEB4B-4F6F-F8BC-AECA-FCBA3FA43FF0} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1176 set thread context of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WinDefender.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinDefender.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_790cc414d59d606495f9c942ab7f2d2d.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WinDefender.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinDefender.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | speedtest.zapto.org | udp |
| US | 8.8.8.8:53 | 11.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | speedtest.zapto.org | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | speedtest.zapto.org | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | speedtest.zapto.org | udp |
| US | 8.8.8.8:53 | speedtest.zapto.org | udp |
| US | 8.8.8.8:53 | speedtest.zapto.org | udp |
| US | 8.8.8.8:53 | speedtest.zapto.org | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | speedtest.zapto.org | udp |
| US | 8.8.8.8:53 | speedtest.zapto.org | udp |
| US | 8.8.8.8:53 | speedtest.zapto.org | udp |
Files
memory/3052-2-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3052-4-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3052-11-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3052-12-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3052-13-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3052-14-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3052-17-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3052-18-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3052-23-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3052-26-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3052-29-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3052-33-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3052-36-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3052-42-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3052-46-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3052-49-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Users\Admin\AppData\Roaming\data.dat
| MD5 | 961d6f58c7be33d2be1b097841919f62 |
| SHA1 | 5f69b82fc1eac6be7ffaafb3bd240bacb197513f |
| SHA256 | 669472b3fdbcc0bf8031d1626040d609e0de9322773aca6e97b4768bc3552f89 |
| SHA512 | b7606692ed206b513aca6a278a5c5b9002a317c7573fd7a0c31209e4742839fecdba65a3abda889e9d9a4e7cb8b0db093607b94588e5ad64e606a751020ec777 |
memory/3052-53-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3052-59-0x0000000000400000-0x000000000043F000-memory.dmp