Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250211-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250211-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/02/2025, 07:54
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe
  Resource: win10v2004-20250211-en
General
Target: JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe
Size: 784KB
MD5: f556539439da85b1bfb46dc17444349c
SHA1: c805585d22c592adca4b35ec0ddcce0b1156836b
SHA256: 44a8a3928c9f10f6b19bed527d7ce020db4f3a8efa635e5ef77ffca47ebfdfaa
SHA512: bfeebc9f6fcfd1e830eba4a74587ecde805abcef8d41865e603151ee6f81bce7b2dd1af28036bdec548f49ea2039dde1bd1988a88bf6564a26afc9db6c9fd832
SSDEEP: 24576:iFmcH5C0jCDwUvNprLyIj6bjgICOj5mWeHoFS:iFmOODvfr5j4jQOFmfHoFS
Malware Config
Signatures
Blackshades
Blackshades is a remote access trojan with various capabilities.
Blackshades family
Blackshades payload (19 IoCs)
resource | yara_rule
All 19 hits are the yara rule family_blackshades on the mapped image range 0x0000000000400000-0x0000000000470000, dump file names of the form behavioral2/memory/<pid>-<n>-0x0000000000400000-0x0000000000470000-memory.dmp:
pid 2580: n = 19, 20, 35, 42, 55, 56, 69, 72, 83, 97, 108, 121, 122
pid 5076: n = 53
pid 3108: n = 68
pid 2932: n = 82
pid 1704: n = 94
pid 2004: n = 107
pid 336: n = 120
Modifies firewall policy service (3 TTPs, 10 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Temp\svchost.exe = "C:\\Windows\\Temp\\svchost.exe:*:Enabled:Windows Messanger" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\drivergen.exe = "C:\\Users\\Admin\\AppData\\Roaming\\drivergen.exe:*:Enabled:Windows Messanger" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
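The two AuthorizedApplications\List values above use the legacy Windows Firewall exception format, path:scope:Enabled|Disabled:display name, and the DoNotAllowExceptions = 0 write makes sure that list is honoured. The following is an added triage helper, not part of the sandbox output: it parses entries in that format and flags the properties that make these two stand out (binary in a user-writable directory, a "Windows ..." display name on a non-system path). REPORT_ENTRIES are the values from the report; BENIGN_ENTRY and the helper names are constructed for the example.

```python
"""Parse and triage legacy Windows Firewall exception entries.

Added example for this report; not part of the sandbox output. Values under
HKLM\SYSTEM\...\FirewallPolicy\StandardProfile\AuthorizedApplications\List use the
format  <path>:<scope>:<Enabled|Disabled>:<display name>  where <scope> is "*" (any
remote address) or a comma-separated list of addresses/subnets.
"""
from dataclasses import dataclass

# Directories writable without elevation (lower-case, trailing backslash).
USER_WRITABLE_DIRS = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\")
# Where a binary carrying a "Windows ..." display name would be expected to live.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

REPORT_ENTRIES = {  # value name -> value data, exactly as reg.exe wrote them in the report
    "C:\\Windows\\Temp\\svchost.exe":
        "C:\\Windows\\Temp\\svchost.exe:*:Enabled:Windows Messanger",
    "C:\\Users\\Admin\\AppData\\Roaming\\drivergen.exe":
        "C:\\Users\\Admin\\AppData\\Roaming\\drivergen.exe:*:Enabled:Windows Messanger",
}
BENIGN_ENTRY = ("C:\\Program Files\\Acme\\acme.exe",          # constructed, not from the report
                "C:\\Program Files\\Acme\\acme.exe:*:Enabled:Acme Client")


@dataclass
class FirewallException:
    path: str
    scope: str
    enabled: bool
    display_name: str


def parse_exception(value_data: str) -> FirewallException:
    """Split 'path:scope:status:name'. The path contains the drive-letter colon,
    so split from the right on exactly the last three ':' characters."""
    parts = value_data.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a path:scope:status:name entry: {value_data!r}")
    path, scope, status, name = parts
    return FirewallException(path, scope, status.lower() == "enabled", name)


def assess_exception(value_name: str, value_data: str) -> list:
    """Reasons this exception deserves a look; an empty list means nothing odd."""
    exc = parse_exception(value_data)
    path = exc.path.lower()
    findings = []
    if value_name.lower() != path:      # Windows names the value after the path it authorises
        findings.append("value name does not match the path it authorises")
    if path.startswith(USER_WRITABLE_DIRS):
        findings.append("authorised binary lives in a user-writable directory")
    if "windows" in exc.display_name.lower() and not path.startswith(TRUSTED_DIRS):
        findings.append("display name imitates a Windows component but the path is "
                        "outside System32/SysWOW64/Program Files")
    return findings


def assess_profile(profile_values: dict) -> list:
    """StandardProfile-level values. DoNotAllowExceptions=0 switches the
    'Don't allow exceptions' setting OFF, i.e. the exception list is enforced."""
    findings = []
    if profile_values.get("DoNotAllowExceptions") in (0, "0"):
        findings.append("DoNotAllowExceptions forced to 0: exception list is enforced")
    return findings


def triage(entries: dict, profile_values: dict) -> dict:
    """Run both checks; keys are value names, plus 'StandardProfile' for profile findings."""
    result = {}
    for name, data in entries.items():
        reasons = assess_exception(name, data)
        if reasons:
            result[name] = reasons
    profile_findings = assess_profile(profile_values)
    if profile_findings:
        result["StandardProfile"] = profile_findings
    return result


if __name__ == "__main__":
    for key, reasons in triage(REPORT_ENTRIES, {"DoNotAllowExceptions": 0}).items():
        print(key)
        for r in reasons:
            print("   -", r)
```

Feed it the List values and the profile values from a registry export or a Sysmon EventID 13 stream; the value-name check catches entries written by hand with a mismatched name, and the directory checks are the ones that separate these two entries from a legitimately installed client.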
Downloads MZ/PE file (1 IoC)
flow | pid | process
51 | 5080 | Process not Found
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation | JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation | wscript.exe
Drops startup file (2 IoCs)
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32 .exe | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32 .exe | cmd.exe
Executes dropped EXE (13 IoCs)
pid | process
2580 | svchost.exe
5008 | rundll32 .exe
5076 | svchost.exe
388 | rundll32 .exe
3108 | svchost.exe
3884 | rundll32 .exe
2932 | svchost.exe
544 | rundll32 .exe
1704 | svchost.exe
220 | rundll32 .exe
2004 | svchost.exe
4200 | rundll32 .exe
336 | svchost.exe
Adds Run key to start application (2 TTPs, 7 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe" | rundll32 .exe (6 times)
Set value (str) | \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe" | JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe (1 time)
Suspicious use of SetThreadContext (7 IoCs)
description | pid | process | procid_target
PID 3640 set thread context of 2580 | 3640 | JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe | 93
PID 5008 set thread context of 5076 | 5008 | rundll32 .exe | 119
PID 388 set thread context of 3108 | 388 | rundll32 .exe | 127
PID 3884 set thread context of 2932 | 3884 | rundll32 .exe | 132
PID 544 set thread context of 1704 | 544 | rundll32 .exe | 137
PID 220 set thread context of 2004 | 220 | rundll32 .exe | 141
PID 4200 set thread context of 336 | 4200 | rundll32 .exe | 146
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 34 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe (7 times)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (7 times)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE (7 times)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32 .exe (6 times)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe (4 times)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe (1 time)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wscript.exe (1 time)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe (1 time)
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 8 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | process
5088 | PING.EXE
1756 | PING.EXE
4772 | PING.EXE
4860 | PING.EXE
3020 | PING.EXE
968 | PING.EXE
3772 | MicrosoftEdgeUpdate.exe
3928 | PING.EXE
Modifies registry key (1 TTP, 4 IoCs)
pid | process
4716 | reg.exe
4200 | reg.exe
3608 | reg.exe
4240 | reg.exe
Runs ping.exe (1 TTP, 7 IoCs)
pid | process
5088 | PING.EXE
1756 | PING.EXE
4772 | PING.EXE
4860 | PING.EXE
3020 | PING.EXE
968 | PING.EXE
3928 | PING.EXE
Suspicious behavior: EnumeratesProcesses (63 IoCs)
pid | process
3640 | JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe (9 times)
5008 | rundll32 .exe (9 times)
388 | rundll32 .exe (9 times)
3884 | rundll32 .exe (9 times)
544 | rundll32 .exe (9 times)
220 | rundll32 .exe (9 times)
4200 | rundll32 .exe (9 times)
Suspicious use of AdjustPrivilegeToken (42 IoCs)
description | pid | process
Token: SeDebugPrivilege | 3640 | JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe
Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 (35 entries in one process; the numeric ones are privilege LUIDs the sandbox did not map to a name, and together they cover LUIDs 1 through 35, i.e. the process tried to enable every privilege in its token rather than the one it needs) | 2580 | svchost.exe
Token: SeDebugPrivilege | 5008, 388, 3884, 544, 220, 4200 | rundll32 .exe
Suspicious use of SetWindowsHookEx (15 IoCs)
pid | process
2580 | svchost.exe (3 times)
5076 | svchost.exe (2 times)
3108 | svchost.exe (2 times)
2932 | svchost.exe (2 times)
1704 | svchost.exe (2 times)
2004 | svchost.exe (2 times)
336 | svchost.exe (2 times)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | procid_target | rows
PID 3640 wrote to memory of 2016 | 3640 | JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe | 91 | 3
PID 3640 wrote to memory of 2580 | 3640 | JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe | 93 | 8
PID 3640 wrote to memory of 2040 | 3640 | JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe | 94 | 3
PID 2016 wrote to memory of 2288 | 2016 | cmd.exe | 95 | 3
PID 2580 wrote to memory of 4540 | 2580 | svchost.exe | 96 | 3
PID 2580 wrote to memory of 5016 | 2580 | svchost.exe | 97 | 3
PID 2580 wrote to memory of 4676 | 2580 | svchost.exe | 99 | 3
PID 2580 wrote to memory of 3528 | 2580 | svchost.exe | 101 | 3
PID 5016 wrote to memory of 4716 | 5016 | cmd.exe | 104 | 3
PID 4676 wrote to memory of 3608 | 4676 | cmd.exe | 105 | 3
PID 3528 wrote to memory of 4200 | 3528 | cmd.exe | 106 | 3
PID 4540 wrote to memory of 4240 | 4540 | cmd.exe | 107 | 3
PID 2288 wrote to memory of 3004 | 2288 | wscript.exe | 108 | 3
PID 3640 wrote to memory of 3112 | 3640 | JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe | 115 | 3
PID 3112 wrote to memory of 968 | 3112 | cmd.exe | 117 | 3
PID 3112 wrote to memory of 5008 | 3112 | cmd.exe | 118 | 3
PID 5008 wrote to memory of 5076 | 5008 | rundll32 .exe | 119 | 8
PID 5008 wrote to memory of 4380 | 5008 | rundll32 .exe | 120 | 3
(the table is capped at 64 rows, so writes by the later rundll32 .exe instances are not listed)
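Read together, the SetThreadContext and WriteProcessMemory tables describe process hollowing: the parent creates C:\Windows\Temp\svchost.exe, writes into it, and resets its thread context, and the children that receive a SetThreadContext are exactly the ones with eight write rows instead of the three that ordinary child creation produces here (compare 3640 to 2580 against 3640 to 2016). The following is an added correlation script, not part of the sandbox report: it parses rows in the page's own format and pairs each set-thread-context event with the write count for the same parent/child pair. SAMPLE_LINES are rows copied from the two tables (repeated rows are expanded with a multiplier), DROPPED is taken from the Executes dropped EXE table, and MIN_WRITES is an assumption derived from this report's numbers.

```python
"""Correlate sandbox SetThreadContext and WriteProcessMemory rows into hollowing candidates.

Added example, not part of the sandbox report. The WriteProcessMemory table on the page is
capped at 64 rows, so only the first two hollowing pairs have their writes listed; the other
five pairs are still reported as candidates, just without write corroboration.
"""
import re
from collections import Counter

# Row format: "PID <src> <action> <dst> <src> <image> <target_idx>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>.+?) (?P<target>\d+)$")

# Assumption from this report: plain child creation shows 3 writes per pair,
# the hollowed children show 8. Tune per sandbox.
MIN_WRITES = 4

J = "JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe"
SAMPLE_LINES = [
    f"PID 3640 set thread context of 2580 3640 {J} 93",
    "PID 5008 set thread context of 5076 5008 rundll32 .exe 119",
    "PID 388 set thread context of 3108 388 rundll32 .exe 127",
    "PID 3884 set thread context of 2932 3884 rundll32 .exe 132",
    "PID 544 set thread context of 1704 544 rundll32 .exe 137",
    "PID 220 set thread context of 2004 220 rundll32 .exe 141",
    "PID 4200 set thread context of 336 4200 rundll32 .exe 146",
    # WriteProcessMemory rows; the multiplier is how often the row repeats on the page
    *([f"PID 3640 wrote to memory of 2016 3640 {J} 91"] * 3),
    *([f"PID 3640 wrote to memory of 2580 3640 {J} 93"] * 8),
    *([f"PID 3640 wrote to memory of 2040 3640 {J} 94"] * 3),
    *(["PID 5008 wrote to memory of 5076 5008 rundll32 .exe 119"] * 8),
    *(["PID 5008 wrote to memory of 4380 5008 rundll32 .exe 120"] * 3),
]
# pid -> image, from the "Executes dropped EXE" table
DROPPED = {2580: "svchost.exe", 5076: "svchost.exe", 3108: "svchost.exe",
           2932: "svchost.exe", 1704: "svchost.exe", 2004: "svchost.exe", 336: "svchost.exe"}


def parse_events(lines):
    """Return (src_pid, action, dst_pid, src_image) tuples; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), m["action"], int(m["dst"]), m["image"]))
    return events


def write_counts(events) -> Counter:
    """(src, dst) -> number of WriteProcessMemory rows."""
    return Counter((s, d) for s, a, d, _ in events if a.startswith("wrote"))


def hollowing_candidates(events, dropped, min_writes=MIN_WRITES) -> list:
    """One record per (parent, child) that received SetThreadContext, in table order,
    with the parent's write count as corroboration."""
    writes = write_counts(events)
    image_of = {s: img for s, _, _, img in events}
    pairs = []
    for s, a, d, _ in events:
        if a.startswith("set thread context") and (s, d) not in pairs:
            pairs.append((s, d))
    out = []
    for s, d in pairs:
        n = writes[(s, d)]
        out.append({"parent": s, "parent_image": image_of[s],
                    "child": d, "child_image": dropped.get(d, "?"),
                    "child_is_dropped_exe": d in dropped,
                    "writes": n, "writes_corroborate": n >= min_writes})
    return out


if __name__ == "__main__":
    for c in hollowing_candidates(parse_events(SAMPLE_LINES), DROPPED):
        flag = "HOLLOWING" if c["writes_corroborate"] else "candidate"
        print(f'{flag}: {c["parent"]} ({c["parent_image"]}) -> '
              f'{c["child"]} ({c["child_image"]}), {c["writes"]} writes')
```

The same pairing works on endpoint telemetry (Sysmon EventID 8/10 or an EDR's thread-context and cross-process-write events) once the parser is swapped for that source; the signal is the combination, since a parent that only writes to a freshly created child is ordinary process start-up.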
Processes
(depth in brackets; children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe (PID 3640)
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe"
    signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2016)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caca.bat" "
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\wscript.exe (PID 2288)
        command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\caca2.bat
        signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe (PID 3004)
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caca2.bat" "
          signatures: Drops startup file; System Location Discovery: System Language Discovery

  [2] C:\Windows\Temp\svchost.exe (PID 2580)
      command line: C:\Windows\Temp\svchost.exe
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe (PID 4540)
        command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\reg.exe (PID 4240)
          command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key

    [3] C:\Windows\SysWOW64\cmd.exe (PID 5016)
        command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svchost.exe" /t REG_SZ /d "C:\Windows\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\reg.exe (PID 4716)
          command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svchost.exe" /t REG_SZ /d "C:\Windows\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
          signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key

    [3] C:\Windows\SysWOW64\cmd.exe (PID 4676)
        command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\reg.exe (PID 3608)
          command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key

    [3] C:\Windows\SysWOW64\cmd.exe (PID 3528)
        command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\drivergen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\drivergen.exe:*:Enabled:Windows Messanger" /f
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\reg.exe (PID 4200)
          command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\drivergen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\drivergen.exe:*:Enabled:Windows Messanger" /f
          signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key

  [2] C:\Windows\Temp\svchost.exe (PID 2040)
      command line: C:\Windows\Temp\svchost.exe
      signatures: none

  [2] C:\Windows\SysWOW64\cmd.exe (PID 3112)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\per.bat" "
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\PING.EXE (PID 968)
        command line: ping 1.1.1.1 -n 1 -w 3000
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

    [3] C:\Users\Admin\AppData\Local\Temp\rundll32 .exe (PID 5008)
        command line: "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      [4] C:\Windows\Temp\svchost.exe (PID 5076)
          command line: C:\Windows\Temp\svchost.exe
          signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

      [4] C:\Windows\Temp\svchost.exe (PID 4380)
          command line: C:\Windows\Temp\svchost.exe
          signatures: none

    [3] C:\Windows\SysWOW64\PING.EXE (PID 3928)
        command line: ping 1.1.1.1 -n 1 -w 3000
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

    [3] C:\Users\Admin\AppData\Local\Temp\rundll32 .exe (PID 388)
        command line: "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\Temp\svchost.exe (PID 3108)
          command line: C:\Windows\Temp\svchost.exe
          signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

      [4] C:\Windows\Temp\svchost.exe (PID 748)
          command line: C:\Windows\Temp\svchost.exe
          signatures: none

    [3] C:\Windows\SysWOW64\PING.EXE (PID 5088)
        command line: ping 1.1.1.1 -n 1 -w 3000
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

    [3] C:\Users\Admin\AppData\Local\Temp\rundll32 .exe (PID 3884)
        command line: "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\Temp\svchost.exe (PID 2932)
          command line: C:\Windows\Temp\svchost.exe
          signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

      [4] C:\Windows\Temp\svchost.exe (PID 2224)
          command line: C:\Windows\Temp\svchost.exe
          signatures: none

    [3] C:\Windows\SysWOW64\PING.EXE (PID 1756)
        command line: ping 1.1.1.1 -n 1 -w 3000
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

    [3] C:\Users\Admin\AppData\Local\Temp\rundll32 .exe (PID 544)
        command line: "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\Temp\svchost.exe (PID 1704)
          command line: C:\Windows\Temp\svchost.exe
          signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

      [4] C:\Windows\Temp\svchost.exe (PID 4956)
          command line: C:\Windows\Temp\svchost.exe
          signatures: none

    [3] C:\Windows\SysWOW64\PING.EXE (PID 4772)
        command line: ping 1.1.1.1 -n 1 -w 3000
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

    [3] C:\Users\Admin\AppData\Local\Temp\rundll32 .exe (PID 220)
        command line: "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\Temp\svchost.exe (PID 2004)
          command line: C:\Windows\Temp\svchost.exe
          signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

      [4] C:\Windows\Temp\svchost.exe (PID 588)
          command line: C:\Windows\Temp\svchost.exe
          signatures: none

    [3] C:\Windows\SysWOW64\PING.EXE (PID 4860)
        command line: ping 1.1.1.1 -n 1 -w 3000
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

    [3] C:\Users\Admin\AppData\Local\Temp\rundll32 .exe (PID 4200)
        command line: "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\Temp\svchost.exe (PID 336)
          command line: C:\Windows\Temp\svchost.exe
          signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

      [4] C:\Windows\Temp\svchost.exe (PID 932)
          command line: C:\Windows\Temp\svchost.exe
          signatures: none

    [3] C:\Windows\SysWOW64\PING.EXE (PID 3020)
        command line: ping 1.1.1.1 -n 1 -w 3000
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[1] C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (PID 3772; top-level process, not spawned by the sample)
    command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping […]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1Mjc2NDUwNjI0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg (the start of the argument is missing from this copy of the report)
    signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery
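Two things in the tree above are worth turning into reusable checks. First, masquerading: the dropped payload is named "rundll32 .exe" (a space before the extension, so it is not rundll32.exe) and lives in the user's Temp directory, and the hollowed host is a svchost.exe in C:\Windows\Temp rather than System32; both persistence entries (the Run value and the Startup-folder copy) point at the same mis-named file. Second, the per.bat watchdog under PID 3112: cmd.exe alternates ping 1.1.1.1 -n 1 -w 3000 (a three-second sleep) with a fresh launch of rundll32 .exe, seven pings and six relaunches in 150 seconds. The following is an added example, not part of the sandbox report; PROCS is a transcription of part of the tree as (pid, ppid, image, command line), with parent pids taken from the nesting, and the threshold values are assumptions.

```python
"""Masquerading and ping-as-sleep relaunch-loop checks over a process list.

Added example, not part of the sandbox report. PROCS mirrors part of the tree on the page;
the checks are generic over any (pid, ppid, image, cmdline) records.
"""
import re
from collections import defaultdict
from ntpath import basename, dirname   # Windows path semantics on any host OS

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Binary names that, when seen anywhere but SYSTEM_DIRS, are worth an alert.
SYSTEM_BINARIES = {"svchost.exe", "rundll32.exe", "cmd.exe", "wscript.exe", "reg.exe", "ping.exe"}
PING_RE = re.compile(r"^ping\s+(\S+)\s+-n\s+\d+\s+-w\s+(\d+)", re.IGNORECASE)

CMD = "C:\\Windows\\SysWOW64\\cmd.exe"
PING = ("C:\\Windows\\SysWOW64\\PING.EXE", "ping 1.1.1.1 -n 1 -w 3000")
RUNDLL = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe",
          '"C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"')
SVCHOST = ("C:\\Windows\\Temp\\svchost.exe", "C:\\Windows\\Temp\\svchost.exe")
PROCS = [  # (pid, ppid, image, cmdline); ppid 0 marks the root of the transcribed tree
    (3640, 0, "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe",
     '"C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe"'),
    (2016, 3640, CMD, 'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\caca.bat" "'),
    (2580, 3640, *SVCHOST), (2040, 3640, *SVCHOST),
    (3112, 3640, CMD, 'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\per.bat" "'),
    (968, 3112, *PING), (5008, 3112, *RUNDLL), (5076, 5008, *SVCHOST), (4380, 5008, *SVCHOST),
    (3928, 3112, *PING), (388, 3112, *RUNDLL),
    (5088, 3112, *PING), (3884, 3112, *RUNDLL),
    (1756, 3112, *PING), (544, 3112, *RUNDLL),
    (4772, 3112, *PING), (220, 3112, *RUNDLL),
    (4860, 3112, *PING), (4200, 3112, *RUNDLL),
    (3020, 3112, *PING),
]


def masquerade_findings(procs) -> dict:
    """pid -> list of reasons, only for processes that have at least one."""
    out = {}
    for pid, _ppid, image, _cmd in procs:
        name = basename(image).lower()
        normalised = name.replace(" ", "")      # "rundll32 .exe" -> "rundll32.exe"
        reasons = []
        if normalised != name:
            reasons.append(f"whitespace inside image name {name!r} (reads as {normalised})")
        if normalised in SYSTEM_BINARIES and dirname(image).lower() not in SYSTEM_DIRS:
            reasons.append(f"{normalised} running from {dirname(image)} instead of a system directory")
        if reasons:
            out[pid] = reasons
    return out


def ping_sleep_loops(procs, min_pings=3) -> list:
    """cmd.exe parents whose children interleave 'ping ... -n N -w <ms>' with another binary:
    the batch idiom for sleeping, then restarting a payload. min_pings is an assumed threshold."""
    by_pid = {p[0]: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p[1]].append(p)
    loops = []
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if parent is None or basename(parent[2]).lower() != "cmd.exe":
            continue
        pings = [m for m in (PING_RE.match(k[3]) for k in kids) if m]
        relaunched = [k for k in kids if not PING_RE.match(k[3])]
        if len(pings) >= min_pings and relaunched:
            loops.append({"parent": ppid, "script": parent[3],
                          "pings": len(pings), "relaunches": len(relaunched),
                          "delay_ms": sorted({int(m.group(2)) for m in pings}),
                          "targets": sorted({k[2] for k in relaunched})})
    return loops


if __name__ == "__main__":
    for pid, reasons in masquerade_findings(PROCS).items():
        print(pid, "; ".join(reasons))
    for loop in ping_sleep_loops(PROCS):
        print(f'watchdog loop under PID {loop["parent"]}: {loop["pings"]} pings, '
              f'{loop["relaunches"]} relaunches of {loop["targets"]}')
```

The whitespace check deliberately compares the name after stripping spaces, so it also catches the Run-key value and the Startup-folder file name from the persistence tables; on live telemetry (Sysmon EventID 1 or equivalent) the same records are available as ProcessId, ParentProcessId, Image and CommandLine.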
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Impair Defenses (1): Disable or Modify System Firewall (1)
  Modify Registry (3)
Downloads
Filesize: 588B
  MD5: bbc3cfe1a58732a0477f72ea3d36c7bf
  SHA1: fb801263330aa243f63270138ab467a627dffc2e
  SHA256: 9269d4383b8effa928b7b4a7b38ffa07587b23851f9430fbfe8e7284f845e722
  SHA512: 5bfdc6520a7a0884e3ccdf26ab0fe536327c9f3330f7f78bed2ed4c89fc31b04ad0c4b4bd6f8f1bca08ef04e46b833b798726dca7f40ccc27c871847ec041be4
Filesize: 47B
  MD5: 58ccb87aa1da4939df403810f1e68b6b
  SHA1: dc8551f41682e5cb1dd25af3f11a789b1d37b295
  SHA256: eccc9f27214ff49689c1f597c0d3d3a3e45391064fd0baa9b5e0e03931b7822b
  SHA512: 17ad698f496a445c5cbd0972df9fe966081a3cbee33fb7d7e003890ae946c65687b85b9b16990a872338d00d798b82dee06e86bd2d38b01ad292048134688fd0
Filesize: 151B
  MD5: ed28c618f7d8306e3736432b58bb5d27
  SHA1: 441e6dab70e31d9c599fcd9e2d32009038781b42
  SHA256: d9aa03911260779b1f8a9b046a7ecf7aa87b0f13c762491fe8e06c482bac09a3
  SHA512: 4257d8839e881a9ab6de6230a9df1e81456cb796eb9ee2361789fa5fe4c81b297ed1c472f91d97bb0b2ebdb6acadb924617e6ffd32fc96d8ddcebf8fee4a7880
Filesize: 78B
  MD5: c578d9653b22800c3eb6b6a51219bbb8
  SHA1: a97aa251901bbe179a48dbc7a0c1872e163b1f2d
  SHA256: 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
  SHA512: 3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d
Filesize: 111B
  MD5: 851c0e754a2e3663cbfdc09777323516
  SHA1: e9f67ac8c5d22c5c47b71d2a51b6aa5076b9287a
  SHA256: b97c58636ccaa18444a0e317e5a8b8112147e5c5a53777085f035779648c7eeb
  SHA512: 2efde32aad3b7278f6ea2bd8a688fe30ce75b2914b59dba87b2999dc199ae4a63c0dc08f476096807e2ecd96d4f860ebf988b420c68536accc038b22a7e738d0
Filesize: 784KB (same hashes as the submitted sample)
  MD5: f556539439da85b1bfb46dc17444349c
  SHA1: c805585d22c592adca4b35ec0ddcce0b1156836b
  SHA256: 44a8a3928c9f10f6b19bed527d7ce020db4f3a8efa635e5ef77ffca47ebfdfaa
  SHA512: bfeebc9f6fcfd1e830eba4a74587ecde805abcef8d41865e603151ee6f81bce7b2dd1af28036bdec548f49ea2039dde1bd1988a88bf6564a26afc9db6c9fd832
Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34