Analysis Overview
SHA256
588b2bdeefdea9998bf5c62cfc69b29180c58860f4b317db573401a4b7bc1b2f
Threat Level: Known bad
The file JaffaCakes118_800dd2aeba8bce13665e587b9efdfe9f was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Blackshades
Blackshades family
Blackshades payload
Executes dropped EXE
Event Triggered Execution: Component Object Model Hijacking
Modifies system executable filetype association
Drops startup file
Loads dropped DLL
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-02 19:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-02 19:27
Reported
2025-02-02 19:29
Platform
win7-20241010-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\9ZTII0WRFN.exe = "C:\\Users\\Admin\\AppData\\Roaming\\9ZTII0WRFN.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_800dd2aeba8bce13665e587b9efdfe9f.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_800dd2aeba8bce13665e587b9efdfe9f.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_800dd2aeba8bce13665e587b9efdfe9f.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_800dd2aeba8bce13665e587b9efdfe9f.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2372 set thread context of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_800dd2aeba8bce13665e587b9efdfe9f.exe | C:\Users\Admin\AppData\Roaming\svchost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\WinRAR\File_Id.diz | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\TechNote.txt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\WinRAR.exe | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\Formats\7z.fmt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\Formats\uue.fmt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\RarFiles.lst | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\Rar.exe | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\Uninstall.exe | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\WinCon.SFX | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Formats\ace.fmt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Formats\lzh.fmt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\ReadMe.txt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\UnrarSrc.txt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\Order.htm | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Default.SFX | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\RarExt32.dll | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Formats\UNACEV2.DLL | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Formats\iso.fmt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Uninstall.lst | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\UnRAR.exe | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\rarnew.dat | C:\Program Files\WinRAR\uninstall.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Rar.exe | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Formats\7zxa.dll | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Formats\gz.fmt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Formats\z.fmt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\Descript.ion | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Rar.txt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\RarExt32.dll | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\Formats\UNACEV2.DLL | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Formats\cab.fmt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\WinCon64.SFX | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\ReadMe.txt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\WhatsNew.txt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\RarFiles.lst | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\Uninstall.lst | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\Formats\lzh.fmt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\WhatsNew.txt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\WinRAR.chm | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\Formats\7zxa.dll | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Formats\arj.fmt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\Formats\tar.fmt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\Formats\z.fmt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Zip64.SFX | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Default64.SFX | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259433781 | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Descript.ion | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\License.txt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\RarExt.dll | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Zip.SFX | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\Formats\ace32loader.exe | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Formats\ace32loader.exe | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\WinRAR.chm | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\WinCon.SFX | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Formats\uue.fmt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\File_Id.diz | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\Rar.txt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\WinRAR.exe | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\Zip.SFX | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\Formats\ace.fmt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\Formats\bz2.fmt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Formats\tar.fmt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Formats | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| File created | C:\Program Files\WinRAR\Formats\cab.fmt | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_800dd2aeba8bce13665e587b9efdfe9f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r19\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r24 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r14\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r16\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r22 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.uue | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r19 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.arj | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r08 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r22\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r23 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,1" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.z | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r18 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r29\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r00\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r06 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r12\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r17 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ace | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r01 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r05 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r11\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV" | C:\Program Files\WinRAR\uninstall.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_800dd2aeba8bce13665e587b9efdfe9f.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\WinRAR\WinRAR.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\35221.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_800dd2aeba8bce13665e587b9efdfe9f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_800dd2aeba8bce13665e587b9efdfe9f.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nta9p5ic.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C78.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8C77.tmp"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\9ZTII0WRFN.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\9ZTII0WRFN.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\9ZTII0WRFN.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\9ZTII0WRFN.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Users\Admin\AppData\Roaming\35221.exe
"C:\Users\Admin\AppData\Roaming\35221.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\WinRAR\uninstall.exe
"C:\Program Files\WinRAR\uninstall.exe" /setup
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | microsoft11a.dyndns.org | udp |
| US | 8.8.8.8:53 | albertino.serveftp.com | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-02 19:27
Reported
2025-02-02 19:27
Platform
win10v2004-20250129-en
Max time kernel
0s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_800dd2aeba8bce13665e587b9efdfe9f.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_800dd2aeba8bce13665e587b9efdfe9f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_800dd2aeba8bce13665e587b9efdfe9f.exe"
Network
Files
memory/968-0-0x0000000075352000-0x0000000075353000-memory.dmp
memory/968-1-0x0000000075350000-0x0000000075901000-memory.dmp
memory/968-2-0x0000000075350000-0x0000000075901000-memory.dmp