Malware Analysis Report

2025-04-03 10:13

Sample ID 250214-vkggkavjcp
Target JaffaCakes118_fa0875613ba59041df0416e786cd91c7
SHA256 c02a39afdc5f43b1bc9a10b7b2a87051d77f6e938e830b94b8b8c25e61795672
Tags
blackshades defense_evasion discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c02a39afdc5f43b1bc9a10b7b2a87051d77f6e938e830b94b8b8c25e61795672

Threat Level: Known bad

The file JaffaCakes118_fa0875613ba59041df0416e786cd91c7 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat

Blackshades payload

Modifies firewall policy service

Blackshades

Blackshades family

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Modifies registry key

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-14 17:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-14 17:02

Reported

2025-02-14 17:05

Platform

win10v2004-20250211-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
(13 matches; the sandbox recorded no description, indicator, process or target for any of them)

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bswm.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bswm.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pirate.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalware = "C:\\Users\\Admin\\AppData\\Roaming\\bsdone.exe" C:\Users\Admin\AppData\Local\Temp\bsdone.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini C:\Windows\system32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1964 set thread context of 4408 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bsdone.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pirate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1318997816-2171176372-1451785247-1000\{3E0F848D-59D4-4C9D-BE54-3C7CEB58157F} C:\Windows\system32\svchost.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 1 N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\bsdone.exe
PID 2884 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\bsdone.exe
PID 2884 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\bsdone.exe
PID 2884 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\pirate.exe
PID 2884 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\pirate.exe
PID 2884 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\pirate.exe
PID 1964 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1964 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1964 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1964 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1964 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1964 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1964 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1964 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 4408 wrote to memory of 420 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 420 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 420 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 420 wrote to memory of 3104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 420 wrote to memory of 3104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 420 wrote to memory of 3104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1932 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1932 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1932 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4016 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4016 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4016 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4940 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4940 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4940 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
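The WriteProcessMemory and SetThreadContext rows above are enough to rebuild the whole process chain and to single out the one edge that is real injection rather than ordinary process creation: the sandbox logs a parent's initial write into every child it spawns (cmd.exe writing into reg.exe is not an attack), but only the bsdone.exe to Roaming\explorer.exe edge also carries a SetThreadContext, which is the RunPE/process-hollowing sequence that produced the 4408 memory dumps listed under Files. The script below is an added example written for this report, not sandbox output; SAMPLE_ROWS is the behavioral2 table with its repeated rows removed, the parser assumes the row layout "PID <src> <op> <dst> N/A <src image> <dst image>" with no spaces inside the image paths (true for every row here), and the system-binary name list and heuristics are the author's own.

```python
"""Rebuild the process chain from a sandbox's WriteProcessMemory and
SetThreadContext rows and flag process-hollowing candidates.

Added example written for this report; it is not sandbox output. SAMPLE_ROWS
is the behavioral2 table with duplicate rows removed. Assumption: image
paths in the rows contain no spaces (true for every row in this report).
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_ROWS = r"""
PID 2884 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\bsdone.exe
PID 2884 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\pirate.exe
PID 1964 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1964 set thread context of 4408 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 4408 wrote to memory of 420 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 420 wrote to memory of 3104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1932 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4016 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4940 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
"""

ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$")

# Names the author chose as commonly borrowed by malware for masquerading.
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

Edges = Dict[Tuple[int, int], dict]


def parse_rows(text: str) -> Edges:
    """One edge per (source PID, target PID); `ops` collects the APIs seen on it."""
    edges: Edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, op, dst, src_img, dst_img = m.groups()
        edge = edges.setdefault((int(src), int(dst)),
                                {"src_image": src_img, "dst_image": dst_img, "ops": set()})
        edge["ops"].add("WriteProcessMemory" if op.startswith("wrote") else "SetThreadContext")
    return edges


def hollowing_candidates(edges: Edges) -> List[Tuple[int, int, str, str]]:
    """WriteProcessMemory plus SetThreadContext on the same child is the classic
    hollowing / RunPE sequence: spawn a process, overwrite its image with the
    real payload, then point its main thread at the new entry point. A parent's
    write alone is just what the sandbox records at process creation."""
    return sorted((s, d, e["src_image"], e["dst_image"])
                  for (s, d), e in edges.items()
                  if {"WriteProcessMemory", "SetThreadContext"} <= e["ops"])


def masquerading_images(edges: Edges) -> List[str]:
    """Images that borrow a Windows binary's name but live outside the Windows directory."""
    hits = set()
    for e in edges.values():
        for img in (e["src_image"], e["dst_image"]):
            base = img.rsplit("\\", 1)[-1].lower()
            if base in SYSTEM_NAMES and not img.upper().startswith("C:\\WINDOWS\\"):
                hits.add(img)
    return sorted(hits)


def process_tree(edges: Edges) -> List[str]:
    """Indented parent/child listing; hollowed children are marked."""
    children = defaultdict(list)
    image: Dict[int, str] = {}
    for (src, dst), e in edges.items():
        children[src].append(dst)
        image[src], image[dst] = e["src_image"], e["dst_image"]
    targets = {dst for _, dst in edges}
    roots = sorted(pid for pid in children if pid not in targets)
    hollowed = {d for _, d, _, _ in hollowing_candidates(edges)}
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        marker = " [hollowed]" if pid in hollowed else ""
        lines.append("  " * depth + f"{pid} {image[pid]}{marker}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    print("\n".join(process_tree(edges)))
    for src, dst, src_img, dst_img in hollowing_candidates(edges):
        print(f"hollowing: {src} ({src_img}) -> {dst} ({dst_img})")
    print("masquerading:", masquerading_images(edges))
```

Run it and the tree shows the dropper forking bsdone.exe and pirate.exe, bsdone.exe hollowing a copy of itself named explorer.exe under %AppData%, and that hollowed process driving four cmd.exe/reg.exe pairs; the masquerading check catches the same binary independently because explorer.exe never legitimately runs from a user profile.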

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe"

C:\Users\Admin\AppData\Local\Temp\bsdone.exe

"C:\Users\Admin\AppData\Local\Temp\bsdone.exe"

C:\Users\Admin\AppData\Local\Temp\pirate.exe

"C:\Users\Admin\AppData\Local\Temp\pirate.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4c0 0x338

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explorer.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bswm.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bswm.exe:*:Enabled:Windows Messanger" /f

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explorer.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bswm.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bswm.exe:*:Enabled:Windows Messanger" /f

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjdGRjREQUQtOTdFNC00NEE0LTk4OTUtMEVFREQzQTU3RDhBfSIgdXNlcmlkPSJ7RkNCMkNBMDctNDJDOC00NTdDLTkxQzktMEM1MkY2NUVGNjE5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MkM5QzIyRUItQUYxMi00QzQ4LTk3M0MtRDhEOTQ0RDhBMDk4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1Mzc0Mjk0MjEzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
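Every reg.exe invocation above targets the legacy SharedAccess\Parameters\FirewallPolicy keys: the sample first forces DoNotAllowExceptions to 0 (re-enabling the exception list) and then registers its own dropped binaries under AuthorizedApplications\List with the display name "Windows Messanger" (the malware's own spelling). The script below is an added example written for this report, not sandbox output, showing how to parse such command lines and turn them into findings. The first three SAMPLE_CMDLINES are copied from the Processes section; the Run-key line is constructed from the "Adds Run key" registry event in this report (the sample set that value through the API, not through reg.exe, so it would not appear in command-line telemetry); the last line is a constructed benign control. The rules and severity choices are the author's own and assume the standard REG ADD <key> /v <name> /t <type> /d <data> /f syntax.

```python
"""Flag host-firewall tampering and Run-key persistence in Windows process
command lines.

Added example written for this report; it is not sandbox output and not code
from the sample. Assumption: `REG ADD <key> /v <name> /t <type> /d <data> /f`
syntax, optionally wrapped in `cmd /c`.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_CMDLINES = [
    # Copied from the report's Processes section.
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explorer.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bswm.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bswm.exe:*:Enabled:Windows Messanger" /f',
    # Constructed from the report's Run-key registry event (not a reg.exe call in the report).
    r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AntiMalware /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bsdone.exe" /f',
    # Constructed benign control line.
    r'REG ADD HKLM\Software\ExampleVendor\Agent /v LogLevel /t REG_DWORD /d 2 /f',
]

_TOKEN = re.compile(r'"[^"]*"|\S+')          # Windows-style: quoted run or bare word
_HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
          "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}
_CONTROLSET = re.compile(r"^SYSTEM\\CONTROLSET\d{3}\\")

FIREWALL_POLICY = "\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\"
RUN_KEYS = "\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN"   # substring also covers RunOnce
USER_WRITABLE = ("\\APPDATA\\", "\\TEMP\\", "\\PROGRAMDATA\\", "\\USERS\\PUBLIC\\")


@dataclass
class RegAdd:
    key: str
    value_name: Optional[str]
    value_type: Optional[str]
    data: Optional[str]


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace while keeping quoted arguments intact; strip the quotes."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Return the key/value/type/data of a REG ADD, or None for anything else."""
    tokens = tokenize(cmdline)
    for i, tok in enumerate(tokens):              # skip `cmd /c` or a full path to reg.exe
        if tok.rsplit("\\", 1)[-1].lower() in ("reg", "reg.exe"):
            break
    else:
        return None
    if len(tokens) < i + 3 or tokens[i + 1].lower() != "add":
        return None
    opts = {}
    j = i + 3
    while j < len(tokens):
        flag = tokens[j].lower()
        if flag in ("/v", "/t", "/d") and j + 1 < len(tokens):
            opts[flag] = tokens[j + 1]
            j += 2
        else:                                     # /f, /ve, /reg:32 ... take no value we need
            j += 1
    return RegAdd(tokens[i + 2], opts.get("/v"), opts.get("/t"), opts.get("/d"))


def normalize_key(key: str) -> str:
    """Upper-case, expand hive aliases and fold ControlSet00N onto CurrentControlSet,
    so a key written as ControlSet001 (registry events above) and as
    CurrentControlSet (command lines above) compare equal."""
    hive, _, rest = key.upper().partition("\\")
    rest = _CONTROLSET.sub(lambda _: "SYSTEM\\CURRENTCONTROLSET\\", rest)
    return _HIVES.get(hive, hive) + "\\" + rest


def evaluate(cmdline: str) -> List[Finding]:
    add = parse_reg_add(cmdline)
    if add is None:
        return []
    key = normalize_key(add.key)
    name = (add.value_name or "").lower()
    data = add.data or ""
    findings: List[Finding] = []
    if FIREWALL_POLICY in key:
        if name == "donotallowexceptions" and data.lower() in ("0", "0x0"):
            findings.append(Finding("firewall_exceptions_enabled", "medium",
                                    f"DoNotAllowExceptions=0 under {key}"))
        elif key.endswith("\\AUTHORIZEDAPPLICATIONS\\LIST"):
            # Legacy exception format: <path>:<scope>:<Enabled|Disabled>:<display name>;
            # rsplit keeps the drive-letter colon inside the path.
            parts = data.rsplit(":", 3)
            path, state = (parts[0], parts[2]) if len(parts) == 4 else (data, "")
            sev = "high" if any(d in path.upper() for d in USER_WRITABLE) else "medium"
            findings.append(Finding("firewall_exception_added", sev,
                                    f"{path} ({state or 'unknown state'})"))
    if RUN_KEYS in key:
        findings.append(Finding("run_key_persistence", "high", f"{add.value_name} -> {data}"))
    return findings


def analyze(cmdlines: List[str]) -> List[Finding]:
    return [f for c in cmdlines for f in evaluate(c)]


if __name__ == "__main__":
    for f in analyze(SAMPLE_CMDLINES):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

The exception rule grades a whitelisted path under AppData or Temp as high because a legitimately installed service has no reason to live there; the DoNotAllowExceptions rule stays at medium on its own, since it only becomes meaningful together with the exception that follows it.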

Network

Country Destination Domain Proto
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tcp
US 8.8.8.8:53 ubuntu666box.no-ip.org udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
GB 2.16.34.80:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
NL 4.175.87.113:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.210.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
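Almost every row in this table is Edge update and Bing background traffic from the Windows 10 image; the one row that matters is the DNS query for ubuntu666box.no-ip.org, a dynamic-DNS name with no follow-up TCP connection anywhere in the table, which is what a RAT's configured C2 looks like when it does not resolve or answer during the detonation window. The script below is an added example written for this report, not sandbox output; SAMPLE_TABLE is the Network table above, the row layout assumed is "<country> <ip>:<port> [<domain>] <proto>", and the dynamic-DNS suffix list and the "resolved but never contacted" heuristic are the author's own.

```python
"""Separate C2-looking name resolutions from browser/OS background noise in a
sandbox network table.

Added example written for this report; not sandbox output. SAMPLE_TABLE is
the behavioral2 Network table. Assumption: rows look like
"<country> <ip>:<port> [<domain>] <proto>".
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set

SAMPLE_TABLE = """\
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tcp
US 8.8.8.8:53 ubuntu666box.no-ip.org udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
GB 2.16.34.80:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
NL 4.175.87.113:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.210.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
"""

# Author-chosen starting list of free dynamic-DNS suffixes favoured by commodity RATs.
DYNAMIC_DNS_SUFFIXES = (".no-ip.org", ".no-ip.biz", ".ddns.net", ".duckdns.org",
                        ".hopto.org", ".zapto.org", ".dyndns.org")

ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")


class Flow(NamedTuple):
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_table(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def dns_queries(flows: List[Flow]) -> Set[str]:
    return {f.domain for f in flows if f.proto == "udp" and f.port == 53 and f.domain}


def contacted_domains(flows: List[Flow]) -> Set[str]:
    return {f.domain for f in flows if f.proto == "tcp" and f.domain}


def resolved_but_never_contacted(flows: List[Flow]) -> List[str]:
    """Names looked up with no TCP follow-up: the name did not resolve, the
    host did not answer, or it was sinkholed. Updater/browser noise normally
    shows its TCP connection right after the lookup."""
    return sorted(dns_queries(flows) - contacted_domains(flows))


def is_dynamic_dns(domain: str) -> bool:
    return domain.lower().endswith(DYNAMIC_DNS_SUFFIXES)


def attribute_bare_connections(flows: List[Flow]) -> Dict[str, List[str]]:
    """Rows with an IP but no name are matched to names seen for the same IP elsewhere."""
    names: Dict[str, Set[str]] = {}
    for f in flows:
        if f.domain:
            names.setdefault(f.ip, set()).add(f.domain)
    return {f.ip: sorted(names[f.ip]) for f in flows if f.domain is None and f.ip in names}


def triage(flows: List[Flow]) -> Dict[str, List[str]]:
    """Both filters are needed: the unreached list alone still contains CDN noise,
    the dynamic-DNS list alone would also flag a C2 that did answer."""
    unreached = resolved_but_never_contacted(flows)
    return {
        "dynamic_dns": sorted(d for d in dns_queries(flows) if is_dynamic_dns(d)),
        "resolved_only": unreached,
        "c2_candidates": [d for d in unreached if is_dynamic_dns(d)],
    }


if __name__ == "__main__":
    flows = parse_table(SAMPLE_TABLE)
    for bucket, domains in triage(flows).items():
        print(f"{bucket}: {domains}")
    print("bare IPs attributed:", attribute_bare_connections(flows))
```

On this table the unreached list is g.bing.com plus ubuntu666box.no-ip.org, and only the second survives the dynamic-DNS filter; the two bare 150.171.28.10:443 rows are attributed to tse1.mm.bing.net because the same address carries that name later in the table.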

Files

C:\Users\Admin\AppData\Local\Temp\bsdone.exe

MD5 8383f44534f16f7951b0a485006ed7c0
SHA1 e15b9dd6432ebc8a005622697e295aa6551811b9
SHA256 5dc18afaa4d54d02f53e2f26cecb7c25133a34567882884bdc4ef9ed5156a21a
SHA512 56752380a0fad49f916de3ad59ae0a8f0395592ce745742f67d4c33904538c9beaad0bba0e69852776c45c7fea00ad0f80d60a9d4d782bfcc22d3330f5c259dd

C:\Users\Admin\AppData\Local\Temp\pirate.exe

MD5 5fa762608ab11c579fb0c373ea6f3f5c
SHA1 9324cd2813b01d19051e18fcbdb5aad17d152ece
SHA256 6b14a44674acd8e1062736dff4199e3cd8647dd5f45f108f8c5a07a43eeb3129
SHA512 f5edb631b49fdb366a34b9e6cf590571464db39eaa91c9bb151c2275ab8a4f05732d39ec1171e66d8adc4df6a4e8a00fb8497d78a037b17e5f44516f04e1f6bf

memory/1964-19-0x0000000072C82000-0x0000000072C83000-memory.dmp

memory/1964-20-0x0000000072C80000-0x0000000073231000-memory.dmp

memory/1964-21-0x0000000072C80000-0x0000000073231000-memory.dmp

memory/4408-25-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4408-30-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Roaming\explorer.exe

MD5 bd1829843641d264c9ef57ee175a68ae
SHA1 298cdbc7f30583f964a6533bf62fb7aff501aa52
SHA256 87cff8f9ae3660c6ff6fc7d6262c61b7c19b2271ae9a95abe7b9d744d386259c
SHA512 6165d8d47c2e32407c0888b28989ae293f592c4e4771e43d8d09d303e3ad73f895f1c852a176677b3fbd78449536579570cac67a17b2e9135774236b159b2827

memory/1964-32-0x0000000072C80000-0x0000000073231000-memory.dmp

C:\Users\Admin\Videos\Captures\desktop.ini

MD5 b0d27eaec71f1cd73b015f5ceeb15f9d
SHA1 62264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA256 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA512 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

memory/4408-51-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4408-52-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4408-54-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4408-55-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4408-56-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4408-58-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4408-59-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4408-61-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4408-65-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4408-66-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4408-69-0x0000000000400000-0x000000000045A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-14 17:02

Reported

2025-02-14 17:05

Platform

win7-20241023-en

Max time kernel

148s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
(11 matches; the sandbox recorded no description, indicator, process or target for any of them)

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bswm.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bswm.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pirate.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalware = "C:\\Users\\Admin\\AppData\\Roaming\\bsdone.exe" C:\Users\Admin\AppData\Local\Temp\bsdone.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3056 set thread context of 2920 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bsdone.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pirate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1460 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\bsdone.exe
PID 1460 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\bsdone.exe
PID 1460 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\bsdone.exe
PID 1460 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\bsdone.exe
PID 1460 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\bsdone.exe
PID 1460 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\bsdone.exe
PID 1460 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\bsdone.exe
PID 1460 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\pirate.exe
PID 1460 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\pirate.exe
PID 1460 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\pirate.exe
PID 1460 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\pirate.exe
PID 1460 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\pirate.exe
PID 1460 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\pirate.exe
PID 1460 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe C:\Users\Admin\AppData\Local\Temp\pirate.exe
PID 3056 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 3056 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 3056 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 3056 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 3056 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 3056 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 3056 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 3056 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 3056 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 3056 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 3056 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 3056 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\bsdone.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 2920 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2716 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2716 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2716 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2716 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2716 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2716 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1044 wrote to memory of 1252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1044 wrote to memory of 1252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1044 wrote to memory of 1252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe"

C:\Users\Admin\AppData\Local\Temp\bsdone.exe

"C:\Users\Admin\AppData\Local\Temp\bsdone.exe"

C:\Users\Admin\AppData\Local\Temp\pirate.exe

"C:\Users\Admin\AppData\Local\Temp\pirate.exe"

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explorer.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bswm.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bswm.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bswm.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bswm.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explorer.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 ubuntu666box.no-ip.org udp

Files

\Users\Admin\AppData\Local\Temp\bsdone.exe

MD5 8383f44534f16f7951b0a485006ed7c0
SHA1 e15b9dd6432ebc8a005622697e295aa6551811b9
SHA256 5dc18afaa4d54d02f53e2f26cecb7c25133a34567882884bdc4ef9ed5156a21a
SHA512 56752380a0fad49f916de3ad59ae0a8f0395592ce745742f67d4c33904538c9beaad0bba0e69852776c45c7fea00ad0f80d60a9d4d782bfcc22d3330f5c259dd

\Users\Admin\AppData\Local\Temp\pirate.exe

MD5 5fa762608ab11c579fb0c373ea6f3f5c
SHA1 9324cd2813b01d19051e18fcbdb5aad17d152ece
SHA256 6b14a44674acd8e1062736dff4199e3cd8647dd5f45f108f8c5a07a43eeb3129
SHA512 f5edb631b49fdb366a34b9e6cf590571464db39eaa91c9bb151c2275ab8a4f05732d39ec1171e66d8adc4df6a4e8a00fb8497d78a037b17e5f44516f04e1f6bf

\Users\Admin\AppData\Roaming\explorer.exe

MD5 bd1829843641d264c9ef57ee175a68ae
SHA1 298cdbc7f30583f964a6533bf62fb7aff501aa52
SHA256 87cff8f9ae3660c6ff6fc7d6262c61b7c19b2271ae9a95abe7b9d744d386259c
SHA512 6165d8d47c2e32407c0888b28989ae293f592c4e4771e43d8d09d303e3ad73f895f1c852a176677b3fbd78449536579570cac67a17b2e9135774236b159b2827

memory/2920-34-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2920-46-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2920-47-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2920-49-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2920-50-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2920-51-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2920-53-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2920-54-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2920-58-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2920-59-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2920-61-0x0000000000400000-0x000000000045A000-memory.dmp