Analysis Overview
SHA256
269fe1396c7ff18f950672c66093b32796f5445cc986a2237b9b8f87dc6afc7a
Threat Level: Known bad
The file JaffaCakes118_e5931f3edadb44983ba778efb59d16a9 was found to be: Known bad.
Malicious Activity Summary
Blackshades family
Blackshades payload
Modifies firewall policy service
Blackshades
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-11 10:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-11 10:51
Reported
2025-02-11 10:54
Platform
win10v2004-20250207-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\WINdefender\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WINdefender\\svchost.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5931f3edadb44983ba778efb59d16a9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sysglobl.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sysglobl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mscordbc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\© Windows Live Messenger Music Status Plugin Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sysglobl.exe" | C:\Users\Admin\AppData\Local\Temp\sysglobl.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 392 set thread context of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5931f3edadb44983ba778efb59d16a9.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe |
| PID 468 set thread context of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\mscordbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5931f3edadb44983ba778efb59d16a9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mscordbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sysglobl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5931f3edadb44983ba778efb59d16a9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5931f3edadb44983ba778efb59d16a9.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WINdefender\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WINdefender\svchost.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WINdefender\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WINdefender\svchost.exe:*:Enabled:Windows Messanger" /f
C:\Users\Admin\AppData\Local\Temp\sysglobl.exe
"C:\Users\Admin\AppData\Local\Temp\sysglobl.exe"
C:\Users\Admin\AppData\Local\Temp\mscordbc.exe
"C:\Users\Admin\AppData\Local\Temp\mscordbc.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NUU5Q0Q1OUUtN0NFQi00RUU2LUFCMTgtNUYyQzhEMUI5RUYxfSIgdXNlcmlkPSJ7RUY0ODk1NDMtODMxNy00MTEyLThGNDktNjI0NTZGQ0YyNjBGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RDc3MkQ5REMtQkRCRC00OUIyLTk4M0EtMUU2MDY1MTczOUYzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ5MjgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNzQzMjM4OTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTEyMDE4OTAzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | r3dz80.no-ip.biz | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.16.153.198:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | r3dz80.no-ip.biz | udp |
| US | 8.8.8.8:53 | 1r3dz80.no-ip.biz | udp |
| US | 8.8.8.8:53 | 2r3dz80.no-ip.biz | udp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| NL | 4.175.87.113:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.210.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 3r3dz80.no-ip.biz | udp |
| FR | 78.159.135.230:100 | 3r3dz80.no-ip.biz | tcp |
| US | 8.8.8.8:53 | 4r3dz80.no-ip.biz | udp |
| US | 8.8.8.8:53 | 5r3dz80.no-ip.biz | udp |
| US | 8.8.8.8:53 | 6r3dz80.no-ip.biz | udp |
| US | 8.8.8.8:53 | 7r3dz80.no-ip.biz | udp |
| US | 8.8.8.8:53 | 8r3dz80.no-ip.biz | udp |
Files
memory/392-0-0x00000000748C2000-0x00000000748C3000-memory.dmp
memory/392-1-0x00000000748C0000-0x0000000074E71000-memory.dmp
memory/392-2-0x00000000748C0000-0x0000000074E71000-memory.dmp
memory/2620-7-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2620-9-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sysglobl.exe
| MD5 | b3bfc1012e5c3e37e879096b8be8c930 |
| SHA1 | 54b4cbb9fe8ae21517dd7cb80c1d15a661eeaaa0 |
| SHA256 | 0dad1a5c922fb81f4b4c1838330b6b33122d3cd8d4cd76b9770137b32e3e17fe |
| SHA512 | 9d46861485ab0f03752b9e973977f2c7f94465c186336536b270b5ff305389fff0a87f98f47d486bdb192ff3c32e40eb475e6bfbb707e133ce64d1f05387422e |
C:\Users\Admin\AppData\Local\Temp\mscordbc.exe
| MD5 | e5931f3edadb44983ba778efb59d16a9 |
| SHA1 | 1e29390a28bd647bc11060d804a98f6527c3493e |
| SHA256 | 269fe1396c7ff18f950672c66093b32796f5445cc986a2237b9b8f87dc6afc7a |
| SHA512 | f7ce1424e921f2213c9478a60b7b45afea873a04ba917f60a3de714f54341cce43f2214cb73edd89244b458b2a52385beaac5ed5b3d3e721f6e3a9c9eb850950 |
memory/392-31-0x00000000748C2000-0x00000000748C3000-memory.dmp
memory/392-32-0x00000000748C0000-0x0000000074E71000-memory.dmp
memory/392-33-0x00000000748C0000-0x0000000074E71000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-11 10:51
Reported
2025-02-11 10:54
Platform
win7-20240903-en
Max time kernel
150s
Max time network
138s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\WINdefender\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WINdefender\\svchost.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sysglobl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mscordbc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5931f3edadb44983ba778efb59d16a9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5931f3edadb44983ba778efb59d16a9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sysglobl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sysglobl.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\© Windows Live Messenger Music Status Plugin Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sysglobl.exe" | C:\Users\Admin\AppData\Local\Temp\sysglobl.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2788 set thread context of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5931f3edadb44983ba778efb59d16a9.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe |
| PID 1048 set thread context of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\mscordbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5931f3edadb44983ba778efb59d16a9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sysglobl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mscordbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5931f3edadb44983ba778efb59d16a9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5931f3edadb44983ba778efb59d16a9.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Users\Admin\AppData\Local\Temp\sysglobl.exe
"C:\Users\Admin\AppData\Local\Temp\sysglobl.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WINdefender\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WINdefender\svchost.exe:*:Enabled:Windows Messanger" /f
C:\Users\Admin\AppData\Local\Temp\mscordbc.exe
"C:\Users\Admin\AppData\Local\Temp\mscordbc.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WINdefender\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WINdefender\svchost.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | r3dz80.no-ip.biz | udp |
| US | 8.8.8.8:53 | 1r3dz80.no-ip.biz | udp |
| US | 8.8.8.8:53 | 2r3dz80.no-ip.biz | udp |
| US | 8.8.8.8:53 | 3r3dz80.no-ip.biz | udp |
| FR | 78.159.135.230:100 | 3r3dz80.no-ip.biz | tcp |
| US | 8.8.8.8:53 | 4r3dz80.no-ip.biz | udp |
| US | 8.8.8.8:53 | 5r3dz80.no-ip.biz | udp |
| US | 8.8.8.8:53 | 6r3dz80.no-ip.biz | udp |
| US | 8.8.8.8:53 | 7r3dz80.no-ip.biz | udp |
| US | 8.8.8.8:53 | 8r3dz80.no-ip.biz | udp |
Files
memory/2788-0-0x0000000074601000-0x0000000074602000-memory.dmp
memory/2788-1-0x0000000074600000-0x0000000074BAB000-memory.dmp
memory/2788-2-0x0000000074600000-0x0000000074BAB000-memory.dmp
memory/2748-7-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2748-15-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2748-18-0x0000000000020000-0x0000000000037000-memory.dmp
memory/2748-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2748-11-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2748-9-0x0000000000400000-0x0000000000470000-memory.dmp
\Users\Admin\AppData\Local\Temp\sysglobl.exe
| MD5 | b3bfc1012e5c3e37e879096b8be8c930 |
| SHA1 | 54b4cbb9fe8ae21517dd7cb80c1d15a661eeaaa0 |
| SHA256 | 0dad1a5c922fb81f4b4c1838330b6b33122d3cd8d4cd76b9770137b32e3e17fe |
| SHA512 | 9d46861485ab0f03752b9e973977f2c7f94465c186336536b270b5ff305389fff0a87f98f47d486bdb192ff3c32e40eb475e6bfbb707e133ce64d1f05387422e |
C:\Users\Admin\AppData\Local\Temp\mscordbc.exe
| MD5 | e5931f3edadb44983ba778efb59d16a9 |
| SHA1 | 1e29390a28bd647bc11060d804a98f6527c3493e |
| SHA256 | 269fe1396c7ff18f950672c66093b32796f5445cc986a2237b9b8f87dc6afc7a |
| SHA512 | f7ce1424e921f2213c9478a60b7b45afea873a04ba917f60a3de714f54341cce43f2214cb73edd89244b458b2a52385beaac5ed5b3d3e721f6e3a9c9eb850950 |
memory/2788-46-0x0000000074600000-0x0000000074BAB000-memory.dmp
memory/2748-47-0x0000000000400000-0x0000000000470000-memory.dmp