Malware Analysis Report

2025-05-06 00:12

Sample ID: 250223-wp9vcatndz
Target: JaffaCakes118_21975899b65652222255a5c663a34b9e
SHA256: 6907c8a0c3e6fb03fde042da76510e8a002eea4ec3b67a1e32eb35202299aae2
Tags: blackshades defense_evasion discovery rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 6907c8a0c3e6fb03fde042da76510e8a002eea4ec3b67a1e32eb35202299aae2
Threat Level: Known bad

The file JaffaCakes118_21975899b65652222255a5c663a34b9e was found to be: Known bad.

Malicious Activity Summary

Tags: blackshades defense_evasion discovery rat

Blackshades

Blackshades family

Modifies firewall policy service

Blackshades payload

Drops startup file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry key

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-02-23 18:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-02-23 18:07
Reported: 2025-02-23 18:09
Platform: win7-20241010-en
Max time kernel: 147s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies firewall policy service

defense_evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\rundll.exe = "C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2600 set thread context of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Users\Admin\AppData\Roaming\svchost.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 1 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeCreatePermanentPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeSyncAgentPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeEnableDelegationPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: 31 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: 32 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2600 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2600 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2600 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2600 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2144 wrote to memory of 2484 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2144 wrote to memory of 2484 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2144 wrote to memory of 2484 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2144 wrote to memory of 2484 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2600 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2600 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2600 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2600 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2600 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2600 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2600 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2600 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2600 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2600 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2600 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2600 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2808 wrote to memory of 2980 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2808 wrote to memory of 2980 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2808 wrote to memory of 2980 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2808 wrote to memory of 2980 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2788 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 2544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2284 wrote to memory of 2544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2284 wrote to memory of 2544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2284 wrote to memory of 2544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2728 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2728 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2728 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2728 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2692 wrote to memory of 2872 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2692 wrote to memory of 2872 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2692 wrote to memory of 2872 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2692 wrote to memory of 2872 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xmxi_d58.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DF7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7DE7.tmp"

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xmxi_d58.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80C5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC80C4.tmp"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ttalbertino.no-ip.biz | udp
SG | 78.159.141.204:5444 | ttalbertino.no-ip.biz | tcp
SG | 78.159.141.204:5444 | ttalbertino.no-ip.biz | tcp
US | 8.8.8.8:53 | 1ttalbertino.no-ip.biz | udp
US | 8.8.8.8:53 | 2ttalbertino.no-ip.biz | udp
US | 8.8.8.8:53 | 3ttalbertino.no-ip.biz | udp
PS | 94.73.22.65:5444 | 3ttalbertino.no-ip.biz | tcp
US | 8.8.8.8:53 | 4ttalbertino.no-ip.biz | udp
US | 8.8.8.8:53 | 5ttalbertino.no-ip.biz | udp
US | 8.8.8.8:53 | 6ttalbertino.no-ip.biz | udp
US | 8.8.8.8:53 | 7ttalbertino.no-ip.biz | udp
US | 8.8.8.8:53 | 8ttalbertino.no-ip.biz | udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\xmxi_d58.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\xmxi_d58.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC7DE7.tmp

C:\Users\Admin\AppData\Local\Temp\RES7DF7.tmp

C:\Users\Admin\AppData\Local\Temp\xmxi_d58.dll

\Users\Admin\AppData\Roaming\svchost.exe

\??\c:\Users\Admin\AppData\Local\Temp\xmxi_d58.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\xmxi_d58.cmdline

C:\Users\Admin\AppData\Local\Temp\RES80C5.tmp

C:\Users\Admin\AppData\Local\Temp\xmxi_d58.dll

Analysis: behavioral2

Detonation Overview

Submitted: 2025-02-23 18:07
Reported: 2025-02-23 18:09
Platform: win10v2004-20250217-en
Max time kernel: 149s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies firewall policy service

defense_evasion
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\rundll.exe = "C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 220 set thread context of 3320 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | C:\Users\Admin\AppData\Roaming\svchost.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 1 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeCreatePermanentPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeSyncAgentPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeEnableDelegationPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: 31 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: 32 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 220 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 220 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 220 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2784 wrote to memory of 1372 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2784 wrote to memory of 1372 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2784 wrote to memory of 1372 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 220 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 220 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 220 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 220 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 220 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 220 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 220 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 220 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 220 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 220 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 220 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 3600 wrote to memory of 1036 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3600 wrote to memory of 1036 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3600 wrote to memory of 1036 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3320 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1224 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1224 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1224 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3508 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3508 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3508 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4764 wrote to memory of 3240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4764 wrote to memory of 3240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4764 wrote to memory of 3240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xrij8ax5.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0FD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD0FC.tmp"

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xrij8ax5.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD40A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD409.tmp"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto

Files

memory/220-0-0x0000000075382000-0x0000000075383000-memory.dmp

memory/220-1-0x0000000075380000-0x0000000075931000-memory.dmp

memory/220-2-0x0000000075380000-0x0000000075931000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\xrij8ax5.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\xrij8ax5.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSCD0FC.tmp

memory/2784-11-0x0000000075380000-0x0000000075931000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RESD0FD.tmp

memory/2784-15-0x0000000075380000-0x0000000075931000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xrij8ax5.dll

C:\Users\Admin\AppData\Roaming\svchost.exe

memory/3320-20-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3320-27-0x0000000000400000-0x0000000000470000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\xrij8ax5.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\xrij8ax5.0.cs

memory/3600-35-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RESD40A.tmp

memory/3600-42-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xrij8ax5.dll

memory/220-46-0x0000000075382000-0x0000000075383000-memory.dmp

memory/220-47-0x0000000075380000-0x0000000075931000-memory.dmp

memory/3320-48-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3320-50-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3320-52-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3320-53-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3320-54-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3320-57-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3320-58-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3320-61-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3320-62-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3320-65-0x0000000000400000-0x0000000000470000-memory.dmp