Analysis Overview
SHA256
6099d3db49deb0b3e10f6ec70b77890facf037312ad54c3a5d279d7837ab3342
Threat Level: Known bad
The file JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c was found to be: Known bad.
Malicious Activity Summary
Blackshades family
Blackshades
Blackshades payload
Modifies firewall policy service
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Enumerates system info in registry
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry key
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-02-02 14:02
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-02 14:02
Reported
2025-02-02 14:05
Platform
win7-20240729-en
Max time kernel
148s
Max time network
139s
Signatures
Blackshades
Blackshades family
Blackshades payload
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\lf.exe = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\lf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lf.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\msnmsngr = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E} | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E} | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmsngr = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\msnmsngr = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe"
C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
C:\Users\Admin\AppData\Local\Temp\lf.exe
"C:\Users\Admin\AppData\Local\Temp\lf.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\lf.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lf.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\lf.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lf.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | jl-team76.no-ip.info | udp |
| US | 8.8.8.8:53 | automation.whatismyip.com | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| US | 8.8.8.8:53 | bambou.devsoluce.net | udp |
| US | 8.8.8.8:53 | 1jl-team76.no-ip.info | udp |
| US | 8.8.8.8:53 | 2jl-team76.no-ip.info | udp |
| US | 8.8.8.8:53 | 3jl-team76.no-ip.info | udp |
| US | 78.159.140.203:8030 | 3jl-team76.no-ip.info | tcp |
| US | 8.8.8.8:53 | 4jl-team76.no-ip.info | udp |
| US | 8.8.8.8:53 | 5jl-team76.no-ip.info | udp |
| US | 8.8.8.8:53 | 6jl-team76.no-ip.info | udp |
| US | 8.8.8.8:53 | 7jl-team76.no-ip.info | udp |
| US | 8.8.8.8:53 | 8jl-team76.no-ip.info | udp |
Files
\Users\Admin\AppData\Local\Temp\Server.exe
| MD5 | 905275d0ae6990d7bedbb9d73798a3dc |
| SHA1 | c645701c8a28bc0baea626220588579793f55379 |
| SHA256 | 5e92fc7ff5e192de2edb60c1a58647c00a3613ec7d6868f06de910c9bee2967a |
| SHA512 | af3541b5d11a3faf80bdf5f3bdb508ebf4272d05099c66667062f20a46653b34c464598d9207e9b78d9cc89a53602781fed73352a3fdcc12561e4b64efdcc372 |
C:\Users\Admin\AppData\Local\Temp\lf.exe
| MD5 | 26f12296da8d7d93a4113d03d255c6e7 |
| SHA1 | 04c423ea8b5d9a4f4ec6ca872ee3455536371a3a |
| SHA256 | fc95ecc78c16f9fa946adfa8df03a4c5effc8f1b19b70a14d2a18530641c9739 |
| SHA512 | 9fc7a593a2c2241e732053f2f0ad028eabbb3a00565e11d9f96a921345ef93a2c62e21d7c189ea25428122aa97565d6223423fccf8dc622c646ef66c5f648c6b |
C:\Users\Admin\AppData\Roaming\WinSec.exe
| MD5 | ed797d8dc2c92401985d162e42ffa450 |
| SHA1 | 0f02fc517c7facc4baefde4fe9467fb6488ebabe |
| SHA256 | b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e |
| SHA512 | e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-02 14:02
Reported
2025-02-02 14:05
Platform
win10v2004-20250129-en
Max time kernel
149s
Max time network
151s
Signatures
Blackshades
Blackshades family
Blackshades payload
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\lf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lf.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\lf.exe = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\msnmsngr = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E} | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E} | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmsngr = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnmsngr = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe"
C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
C:\Users\Admin\AppData\Local\Temp\lf.exe
"C:\Users\Admin\AppData\Local\Temp\lf.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\lf.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lf.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\lf.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lf.exe:*:Enabled:Windows Messanger" /f
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | jl-team76.no-ip.info | udp |
| US | 8.8.8.8:53 | 1.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | automation.whatismyip.com | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| GB | 95.101.143.177:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bambou.devsoluce.net | udp |
| US | 8.8.8.8:53 | jl-team76.no-ip.info | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1jl-team76.no-ip.info | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2jl-team76.no-ip.info | udp |
| US | 8.8.8.8:53 | 3jl-team76.no-ip.info | udp |
| US | 78.159.140.203:8030 | 3jl-team76.no-ip.info | tcp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4jl-team76.no-ip.info | udp |
| US | 8.8.8.8:53 | 5jl-team76.no-ip.info | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6jl-team76.no-ip.info | udp |
| US | 8.8.8.8:53 | 7jl-team76.no-ip.info | udp |
| US | 8.8.8.8:53 | 8jl-team76.no-ip.info | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Server.exe
| MD5 | 905275d0ae6990d7bedbb9d73798a3dc |
| SHA1 | c645701c8a28bc0baea626220588579793f55379 |
| SHA256 | 5e92fc7ff5e192de2edb60c1a58647c00a3613ec7d6868f06de910c9bee2967a |
| SHA512 | af3541b5d11a3faf80bdf5f3bdb508ebf4272d05099c66667062f20a46653b34c464598d9207e9b78d9cc89a53602781fed73352a3fdcc12561e4b64efdcc372 |
C:\Users\Admin\AppData\Local\Temp\lf.exe
| MD5 | 26f12296da8d7d93a4113d03d255c6e7 |
| SHA1 | 04c423ea8b5d9a4f4ec6ca872ee3455536371a3a |
| SHA256 | fc95ecc78c16f9fa946adfa8df03a4c5effc8f1b19b70a14d2a18530641c9739 |
| SHA512 | 9fc7a593a2c2241e732053f2f0ad028eabbb3a00565e11d9f96a921345ef93a2c62e21d7c189ea25428122aa97565d6223423fccf8dc622c646ef66c5f648c6b |
C:\Users\Admin\AppData\Roaming\WinSec.exe
| MD5 | e118330b4629b12368d91b9df6488be0 |
| SHA1 | ce90218c7e3b90df2a3409ec253048bb6472c2fd |
| SHA256 | 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9 |
| SHA512 | ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0 |