Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 14/02/2025, 07:54
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe
  Resource: win10v2004-20250211-en
General
- Target: JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe
- Size: 784KB
- MD5: f556539439da85b1bfb46dc17444349c
- SHA1: c805585d22c592adca4b35ec0ddcce0b1156836b
- SHA256: 44a8a3928c9f10f6b19bed527d7ce020db4f3a8efa635e5ef77ffca47ebfdfaa
- SHA512: bfeebc9f6fcfd1e830eba4a74587ecde805abcef8d41865e603151ee6f81bce7b2dd1af28036bdec548f49ea2039dde1bd1988a88bf6564a26afc9db6c9fd832
- SSDEEP: 24576:iFmcH5C0jCDwUvNprLyIj6bjgICOj5mWeHoFS:iFmOODvfr5j4jQOFmfHoFS
Malware Config
Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.

Blackshades family

Blackshades payload (19 IoCs)
resource | yara_rule
behavioral1/memory/2960-31-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2960-27-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2960-52-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2960-64-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2368-80-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2960-82-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2960-84-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/1116-100-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2960-101-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2960-102-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/556-119-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2960-120-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2960-121-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2644-136-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2960-138-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2960-140-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2960-144-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/428-156-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2960-158-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
Modifies firewall policy service (3 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\drivergen.exe = "C:\\Users\\Admin\\AppData\\Roaming\\drivergen.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Temp\svchost.exe = "C:\\Windows\\Temp\\svchost.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Drops startup file (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32 .exe | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32 .exe | cmd.exe
Executes dropped EXE (20 IoCs)
pid | Process
2960 | svchost.exe
2616 | svchost.exe
876 | rundll32 .exe
2368 | svchost.exe
2164 | svchost.exe
1328 | rundll32 .exe
1116 | svchost.exe
1088 | svchost.exe
1932 | rundll32 .exe
556 | svchost.exe
2184 | svchost.exe
2868 | rundll32 .exe
2644 | svchost.exe
2636 | svchost.exe
2304 | rundll32 .exe
428 | svchost.exe
1252 | svchost.exe
1160 | rundll32 .exe
2696 | svchost.exe
1956 | svchost.exe
Loads dropped DLL (14 IoCs)
pid | Process | entries
2092 | JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe | 2
852 | cmd.exe | 12
Adds Run key to start application (2 TTPs, 7 IoCs)
All 7 entries are the same Set value (str) operation:
ioc: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"
Process (in order): rundll32 .exe, rundll32 .exe, rundll32 .exe, rundll32 .exe, JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe, rundll32 .exe, rundll32 .exe
Suspicious use of SetThreadContext (7 IoCs)
description | pid Process | procid_target
PID 2092 set thread context of 2960 | 2092 JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe | 33
PID 876 set thread context of 2368 | 876 rundll32 .exe | 53
PID 1328 set thread context of 1116 | 1328 rundll32 .exe | 57
PID 1932 set thread context of 556 | 1932 rundll32 .exe | 61
PID 2868 set thread context of 2644 | 2868 rundll32 .exe | 66
PID 2304 set thread context of 428 | 2304 rundll32 .exe | 70
PID 1160 set thread context of 2696 | 1160 rundll32 .exe | 74
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 32 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 32 entries are the same Key opened operation:
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (in order): reg.exe, reg.exe, cmd.exe, cmd.exe, svchost.exe, PING.EXE, PING.EXE, rundll32 .exe, cmd.exe, wscript.exe, svchost.exe, rundll32 .exe, svchost.exe, svchost.exe, PING.EXE, rundll32 .exe, svchost.exe, PING.EXE, svchost.exe, reg.exe, rundll32 .exe, svchost.exe, PING.EXE, cmd.exe, cmd.exe, cmd.exe, rundll32 .exe, PING.EXE, rundll32 .exe, JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe, reg.exe, cmd.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 6 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
564 | PING.EXE
1600 | PING.EXE
1384 | PING.EXE
748 | PING.EXE
2744 | PING.EXE
2888 | PING.EXE
Modifies registry key (1 TTPs, 4 IoCs)
pid | Process
796 | reg.exe
1104 | reg.exe
2500 | reg.exe
2304 | reg.exe
Runs ping.exe (1 TTPs, 6 IoCs)
pid | Process
1600 | PING.EXE
1384 | PING.EXE
748 | PING.EXE
2744 | PING.EXE
2888 | PING.EXE
564 | PING.EXE
Suspicious behavior: EnumeratesProcesses (48 IoCs)
pid | Process | entries
2092 | JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe | 7
876 | rundll32 .exe | 7
1328 | rundll32 .exe | 7
1932 | rundll32 .exe | 7
2868 | rundll32 .exe | 7
2304 | rundll32 .exe | 7
1160 | rundll32 .exe | 6
Suspicious use of AdjustPrivilegeToken (42 IoCs)
description | pid Process
Token: SeDebugPrivilege | 2092 JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe
Tokens for 2960 svchost.exe (35 entries, in order): 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
Token: SeDebugPrivilege | 876 rundll32 .exe
Token: SeDebugPrivilege | 1328 rundll32 .exe
Token: SeDebugPrivilege | 1932 rundll32 .exe
Token: SeDebugPrivilege | 2868 rundll32 .exe
Token: SeDebugPrivilege | 2304 rundll32 .exe
Token: SeDebugPrivilege | 1160 rundll32 .exe
Suspicious use of SetWindowsHookEx (15 IoCs)
pid | Process | entries
2960 | svchost.exe | 3
2368 | svchost.exe | 2
1116 | svchost.exe | 2
556 | svchost.exe | 2
2644 | svchost.exe | 2
428 | svchost.exe | 2
2696 | svchost.exe | 2
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid Process | procid_target | entries
PID 2092 wrote to memory of 2860 | 2092 JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe | 30 | 4
PID 2860 wrote to memory of 2656 | 2860 cmd.exe | 32 | 4
PID 2092 wrote to memory of 2960 | 2092 JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe | 33 | 8
PID 2092 wrote to memory of 2616 | 2092 JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe | 34 | 4
PID 2656 wrote to memory of 2888 | 2656 wscript.exe | 35 | 4
PID 2960 wrote to memory of 2604 | 2960 svchost.exe | 37 | 4
PID 2960 wrote to memory of 1252 | 2960 svchost.exe | 38 | 4
PID 2960 wrote to memory of 2660 | 2960 svchost.exe | 40 | 4
PID 2960 wrote to memory of 428 | 2960 svchost.exe | 41 | 4
PID 2660 wrote to memory of 796 | 2660 cmd.exe | 45 | 4
PID 2604 wrote to memory of 1104 | 2604 cmd.exe | 47 | 4
PID 428 wrote to memory of 2304 | 428 cmd.exe | 46 | 4
PID 1252 wrote to memory of 2500 | 1252 cmd.exe | 48 | 4
PID 2092 wrote to memory of 852 | 2092 JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe | 49 | 4
PID 852 wrote to memory of 1600 | 852 cmd.exe | 51 | 4
Processes
(Process tree from behavioral1; the bracketed number is the depth in the tree.)

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2092

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\caca.bat" "
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2860

        [3] C:\Windows\SysWOW64\wscript.exe
            Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\caca2.bat
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2656

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\caca2.bat" "
                - Drops startup file
                - System Location Discovery: System Language Discovery
                PID: 2888

    [2] C:\Windows\Temp\svchost.exe
        Command line: C:\Windows\Temp\svchost.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2960

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2604

            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                - Modifies firewall policy service
                - System Location Discovery: System Language Discovery
                - Modifies registry key
                PID: 1104

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svchost.exe" /t REG_SZ /d "C:\Windows\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 1252

            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svchost.exe" /t REG_SZ /d "C:\Windows\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
                - Modifies firewall policy service
                - System Location Discovery: System Language Discovery
                - Modifies registry key
                PID: 2500

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2660

            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                - Modifies firewall policy service
                - System Location Discovery: System Language Discovery
                - Modifies registry key
                PID: 796

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\drivergen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\drivergen.exe:*:Enabled:Windows Messanger" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 428

            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\drivergen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\drivergen.exe:*:Enabled:Windows Messanger" /f
                - Modifies firewall policy service
                - System Location Discovery: System Language Discovery
                - Modifies registry key
                PID: 2304

    [2] C:\Windows\Temp\svchost.exe
        Command line: C:\Windows\Temp\svchost.exe
        - Executes dropped EXE
        PID: 2616

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\per.bat" "
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 852

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 1.1.1.1 -n 1 -w 3000
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 1600

        [3] C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 876

            [4] C:\Windows\Temp\svchost.exe
                Command line: C:\Windows\Temp\svchost.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
                PID: 2368

            [4] C:\Windows\Temp\svchost.exe
                Command line: C:\Windows\Temp\svchost.exe
                - Executes dropped EXE
                PID: 2164

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 1.1.1.1 -n 1 -w 3000
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 1384

        [3] C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1328

            [4] C:\Windows\Temp\svchost.exe
                Command line: C:\Windows\Temp\svchost.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
                PID: 1116

            [4] C:\Windows\Temp\svchost.exe
                Command line: C:\Windows\Temp\svchost.exe
                - Executes dropped EXE
                PID: 1088

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 1.1.1.1 -n 1 -w 3000
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 748

        [3] C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1932

            [4] C:\Windows\Temp\svchost.exe
                Command line: C:\Windows\Temp\svchost.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
                PID: 556

            [4] C:\Windows\Temp\svchost.exe
                Command line: C:\Windows\Temp\svchost.exe
                - Executes dropped EXE
                PID: 2184

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 1.1.1.1 -n 1 -w 3000
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 2744

        [3] C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2868

            [4] C:\Windows\Temp\svchost.exe
                Command line: C:\Windows\Temp\svchost.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
                PID: 2644

            [4] C:\Windows\Temp\svchost.exe
                Command line: C:\Windows\Temp\svchost.exe
                - Executes dropped EXE
                PID: 2636

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 1.1.1.1 -n 1 -w 3000
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 2888

        [3] C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2304

            [4] C:\Windows\Temp\svchost.exe
                Command line: C:\Windows\Temp\svchost.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
                PID: 428

            [4] C:\Windows\Temp\svchost.exe
                Command line: C:\Windows\Temp\svchost.exe
                - Executes dropped EXE
                PID: 1252

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 1.1.1.1 -n 1 -w 3000
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 564

        [3] C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1160

            [4] C:\Windows\Temp\svchost.exe
                Command line: C:\Windows\Temp\svchost.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
                PID: 2696

            [4] C:\Windows\Temp\svchost.exe
                Command line: C:\Windows\Temp\svchost.exe
                - Executes dropped EXE
                PID: 1956
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (3)
Downloads

- Filesize: 47B
  MD5: 58ccb87aa1da4939df403810f1e68b6b
  SHA1: dc8551f41682e5cb1dd25af3f11a789b1d37b295
  SHA256: eccc9f27214ff49689c1f597c0d3d3a3e45391064fd0baa9b5e0e03931b7822b
  SHA512: 17ad698f496a445c5cbd0972df9fe966081a3cbee33fb7d7e003890ae946c65687b85b9b16990a872338d00d798b82dee06e86bd2d38b01ad292048134688fd0

- Filesize: 151B
  MD5: ed28c618f7d8306e3736432b58bb5d27
  SHA1: 441e6dab70e31d9c599fcd9e2d32009038781b42
  SHA256: d9aa03911260779b1f8a9b046a7ecf7aa87b0f13c762491fe8e06c482bac09a3
  SHA512: 4257d8839e881a9ab6de6230a9df1e81456cb796eb9ee2361789fa5fe4c81b297ed1c472f91d97bb0b2ebdb6acadb924617e6ffd32fc96d8ddcebf8fee4a7880

- Filesize: 78B
  MD5: c578d9653b22800c3eb6b6a51219bbb8
  SHA1: a97aa251901bbe179a48dbc7a0c1872e163b1f2d
  SHA256: 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
  SHA512: 3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

- Filesize: 111B
  MD5: 851c0e754a2e3663cbfdc09777323516
  SHA1: e9f67ac8c5d22c5c47b71d2a51b6aa5076b9287a
  SHA256: b97c58636ccaa18444a0e317e5a8b8112147e5c5a53777085f035779648c7eeb
  SHA512: 2efde32aad3b7278f6ea2bd8a688fe30ce75b2914b59dba87b2999dc199ae4a63c0dc08f476096807e2ecd96d4f860ebf988b420c68536accc038b22a7e738d0

- Filesize: 784KB
  MD5: f556539439da85b1bfb46dc17444349c
  SHA1: c805585d22c592adca4b35ec0ddcce0b1156836b
  SHA256: 44a8a3928c9f10f6b19bed527d7ce020db4f3a8efa635e5ef77ffca47ebfdfaa
  SHA512: bfeebc9f6fcfd1e830eba4a74587ecde805abcef8d41865e603151ee6f81bce7b2dd1af28036bdec548f49ea2039dde1bd1988a88bf6564a26afc9db6c9fd832

- Filesize: 1.1MB
  MD5: 34aa912defa18c2c129f1e09d75c1d7e
  SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
  SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
  SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98