Malware Analysis Report

2025-04-03 10:17

Sample ID 250202-rcca4awrcn
Target JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c
SHA256 6099d3db49deb0b3e10f6ec70b77890facf037312ad54c3a5d279d7837ab3342
Tags
blackshades defense_evasion discovery persistence rat spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6099d3db49deb0b3e10f6ec70b77890facf037312ad54c3a5d279d7837ab3342

Threat Level: Known bad

The file JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat spyware stealer upx

Blackshades family

Blackshades

Blackshades payload

Modifies firewall policy service

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Enumerates system info in registry

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-02 14:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-02 14:02

Reported

2025-02-02 14:05

Platform

win7-20240729-en

Max time kernel

148s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\lf.exe = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\lf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lf.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\msnmsngr = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" C:\Users\Admin\AppData\Local\Temp\lf.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E} C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E} C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" C:\Users\Admin\AppData\Local\Temp\lf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmsngr = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\msnmsngr = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" C:\Users\Admin\AppData\Local\Temp\lf.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2536 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2536 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2536 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2536 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2536 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe C:\Users\Admin\AppData\Local\Temp\lf.exe
PID 2536 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe C:\Users\Admin\AppData\Local\Temp\lf.exe
PID 2536 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe C:\Users\Admin\AppData\Local\Temp\lf.exe
PID 2536 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe C:\Users\Admin\AppData\Local\Temp\lf.exe
PID 2108 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1728 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1728 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1728 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2820 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2820 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2820 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2820 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2812 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2812 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2812 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2812 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1884 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 1884 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 1884 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 1884 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Users\Admin\AppData\Local\Temp\lf.exe

"C:\Users\Admin\AppData\Local\Temp\lf.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\lf.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lf.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\lf.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lf.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 jl-team76.no-ip.info udp
US 8.8.8.8:53 automation.whatismyip.com udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 bambou.devsoluce.net udp
US 8.8.8.8:53 1jl-team76.no-ip.info udp
US 8.8.8.8:53 2jl-team76.no-ip.info udp
US 8.8.8.8:53 3jl-team76.no-ip.info udp
US 78.159.140.203:8030 3jl-team76.no-ip.info tcp
US 8.8.8.8:53 4jl-team76.no-ip.info udp
US 8.8.8.8:53 5jl-team76.no-ip.info udp
US 8.8.8.8:53 6jl-team76.no-ip.info udp
US 8.8.8.8:53 7jl-team76.no-ip.info udp
US 8.8.8.8:53 8jl-team76.no-ip.info udp

Files

memory/2536-0-0x0000000074731000-0x0000000074732000-memory.dmp

memory/2536-1-0x0000000074730000-0x0000000074CDB000-memory.dmp

memory/2536-2-0x0000000074730000-0x0000000074CDB000-memory.dmp

\Users\Admin\AppData\Local\Temp\Server.exe

MD5 905275d0ae6990d7bedbb9d73798a3dc
SHA1 c645701c8a28bc0baea626220588579793f55379
SHA256 5e92fc7ff5e192de2edb60c1a58647c00a3613ec7d6868f06de910c9bee2967a
SHA512 af3541b5d11a3faf80bdf5f3bdb508ebf4272d05099c66667062f20a46653b34c464598d9207e9b78d9cc89a53602781fed73352a3fdcc12561e4b64efdcc372

memory/1884-14-0x0000000074730000-0x0000000074CDB000-memory.dmp

memory/1884-26-0x0000000074730000-0x0000000074CDB000-memory.dmp

memory/2536-31-0x0000000004870000-0x00000000048E1000-memory.dmp

memory/2108-30-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2536-29-0x0000000004870000-0x00000000048E1000-memory.dmp

memory/1884-28-0x0000000074730000-0x0000000074CDB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lf.exe

MD5 26f12296da8d7d93a4113d03d255c6e7
SHA1 04c423ea8b5d9a4f4ec6ca872ee3455536371a3a
SHA256 fc95ecc78c16f9fa946adfa8df03a4c5effc8f1b19b70a14d2a18530641c9739
SHA512 9fc7a593a2c2241e732053f2f0ad028eabbb3a00565e11d9f96a921345ef93a2c62e21d7c189ea25428122aa97565d6223423fccf8dc622c646ef66c5f648c6b

C:\Users\Admin\AppData\Roaming\WinSec.exe

MD5 ed797d8dc2c92401985d162e42ffa450
SHA1 0f02fc517c7facc4baefde4fe9467fb6488ebabe
SHA256 b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
SHA512 e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

memory/2536-34-0x0000000074730000-0x0000000074CDB000-memory.dmp

memory/1884-41-0x0000000074730000-0x0000000074CDB000-memory.dmp

memory/2108-42-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2108-44-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2108-46-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2108-47-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2108-48-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2108-50-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2108-51-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2108-52-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2108-55-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2108-56-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2108-60-0x0000000000400000-0x0000000000471000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-02 14:02

Reported

2025-02-02 14:05

Platform

win10v2004-20250129-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\lf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lf.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\lf.exe = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\msnmsngr = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" C:\Users\Admin\AppData\Local\Temp\lf.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E} C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E} C:\Users\Admin\AppData\Local\Temp\lf.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmsngr = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnmsngr = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" C:\Users\Admin\AppData\Local\Temp\lf.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3284 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 3284 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 3284 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 3284 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe C:\Users\Admin\AppData\Local\Temp\lf.exe
PID 3284 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe C:\Users\Admin\AppData\Local\Temp\lf.exe
PID 3284 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe C:\Users\Admin\AppData\Local\Temp\lf.exe
PID 5068 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\lf.exe C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2252 wrote to memory of 3500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2252 wrote to memory of 3500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2252 wrote to memory of 3500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2812 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2812 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2812 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3104 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3104 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3104 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4960 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 4960 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 4960 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Users\Admin\AppData\Local\Temp\lf.exe

"C:\Users\Admin\AppData\Local\Temp\lf.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\lf.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lf.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\lf.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lf.exe:*:Enabled:Windows Messanger" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 1620

Network

Country Destination Domain Proto
US 8.8.8.8:53 jl-team76.no-ip.info udp
US 8.8.8.8:53 1.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 automation.whatismyip.com udp
N/A 127.0.0.1:80 tcp
GB 95.101.143.177:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 177.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 bambou.devsoluce.net udp
US 8.8.8.8:53 jl-team76.no-ip.info udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 1jl-team76.no-ip.info udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 2jl-team76.no-ip.info udp
US 8.8.8.8:53 3jl-team76.no-ip.info udp
US 78.159.140.203:8030 3jl-team76.no-ip.info tcp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 4jl-team76.no-ip.info udp
US 8.8.8.8:53 5jl-team76.no-ip.info udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 6jl-team76.no-ip.info udp
US 8.8.8.8:53 7jl-team76.no-ip.info udp
US 8.8.8.8:53 8jl-team76.no-ip.info udp

Files

memory/3284-0-0x0000000074892000-0x0000000074893000-memory.dmp

memory/3284-1-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/3284-2-0x0000000074890000-0x0000000074E41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Server.exe

MD5 905275d0ae6990d7bedbb9d73798a3dc
SHA1 c645701c8a28bc0baea626220588579793f55379
SHA256 5e92fc7ff5e192de2edb60c1a58647c00a3613ec7d6868f06de910c9bee2967a
SHA512 af3541b5d11a3faf80bdf5f3bdb508ebf4272d05099c66667062f20a46653b34c464598d9207e9b78d9cc89a53602781fed73352a3fdcc12561e4b64efdcc372

memory/4960-15-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/4960-16-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/4960-24-0x0000000074890000-0x0000000074E41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lf.exe

MD5 26f12296da8d7d93a4113d03d255c6e7
SHA1 04c423ea8b5d9a4f4ec6ca872ee3455536371a3a
SHA256 fc95ecc78c16f9fa946adfa8df03a4c5effc8f1b19b70a14d2a18530641c9739
SHA512 9fc7a593a2c2241e732053f2f0ad028eabbb3a00565e11d9f96a921345ef93a2c62e21d7c189ea25428122aa97565d6223423fccf8dc622c646ef66c5f648c6b

memory/5068-31-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\WinSec.exe

MD5 e118330b4629b12368d91b9df6488be0
SHA1 ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA256 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512 ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

memory/5068-39-0x00000000759B0000-0x0000000075AA0000-memory.dmp

memory/3284-40-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/5068-38-0x00000000759D1000-0x00000000759D2000-memory.dmp

memory/5068-37-0x00000000771A6000-0x00000000771A7000-memory.dmp

memory/4960-48-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/5068-49-0x0000000000400000-0x0000000000471000-memory.dmp

memory/5068-50-0x00000000759B0000-0x0000000075AA0000-memory.dmp

memory/5068-54-0x0000000000400000-0x0000000000471000-memory.dmp

memory/5068-58-0x0000000000400000-0x0000000000471000-memory.dmp

memory/5068-61-0x0000000000400000-0x0000000000471000-memory.dmp

memory/5068-64-0x0000000000400000-0x0000000000471000-memory.dmp

memory/5068-68-0x0000000000400000-0x0000000000471000-memory.dmp

memory/5068-71-0x0000000000400000-0x0000000000471000-memory.dmp

memory/5068-81-0x0000000000400000-0x0000000000471000-memory.dmp

memory/5068-84-0x0000000000400000-0x0000000000471000-memory.dmp

memory/5068-88-0x0000000000400000-0x0000000000471000-memory.dmp

memory/5068-91-0x0000000000400000-0x0000000000471000-memory.dmp