Malware Analysis Report

2025-05-06 00:12

Sample ID 250225-2fhx6a1mw3
Target JaffaCakes118_2303e482b151168c841b60df960d6d39
SHA256 7f70a8d1f09dcb87e6ee114eca9e386757590c8731d9aa5f1bb17706616a137f
Tags
blackshades defense_evasion discovery rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7f70a8d1f09dcb87e6ee114eca9e386757590c8731d9aa5f1bb17706616a137f

Threat Level: Known bad

The file JaffaCakes118_2303e482b151168c841b60df960d6d39 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery rat

Blackshades

Blackshades payload

Blackshades family

Modifies firewall policy service

Drops file in Drivers directory

Drops startup file

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-25 22:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-25 22:31

Reported

2025-02-25 22:33

Platform

win7-20240903-en

Max time kernel

148s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\rundll.exe = "C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\SysWOW64\cmd.exe N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2472 set thread context of 2492 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe N/A
Token: 1 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 31 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 32 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 34 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 35 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2472 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2472 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2472 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2472 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2472 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2472 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2472 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2472 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2472 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2008 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2008 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2008 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2008 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2952 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2952 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2952 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2952 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2960 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2960 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2960 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2960 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2960 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2960 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2960 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2008 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2008 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2008 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2008 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Grand Theft Auto IV.bat""

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 ttalbertino.no-ip.biz udp
SG 78.159.141.204:5444 ttalbertino.no-ip.biz tcp
SG 78.159.141.204:5444 ttalbertino.no-ip.biz tcp
US 8.8.8.8:53 1ttalbertino.no-ip.biz udp
US 8.8.8.8:53 2ttalbertino.no-ip.biz udp
US 8.8.8.8:53 3ttalbertino.no-ip.biz udp
PS 94.73.22.65:5444 3ttalbertino.no-ip.biz tcp
US 8.8.8.8:53 4ttalbertino.no-ip.biz udp
US 8.8.8.8:53 5ttalbertino.no-ip.biz udp
US 8.8.8.8:53 6ttalbertino.no-ip.biz udp
US 8.8.8.8:53 7ttalbertino.no-ip.biz udp
US 8.8.8.8:53 8ttalbertino.no-ip.biz udp

Files

memory/2472-0-0x00000000743E1000-0x00000000743E2000-memory.dmp

memory/2472-2-0x00000000743E0000-0x000000007498B000-memory.dmp

memory/2472-1-0x00000000743E0000-0x000000007498B000-memory.dmp

memory/2492-3-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2492-8-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2492-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2492-5-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2492-4-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Roaming\Grand Theft Auto IV.bat

MD5 49c02c68e9c1ac925c36d778cf8ad2b7
SHA1 25fed8cf04a4eb4f2cbfdd1e605efb7936a707bf
SHA256 f94b188ddfcacebbaf9f92c38409575636b1f6501e03b55ab097544b6ff987bd
SHA512 1118f12e997d1cc20ecb473882d4280015c654c63eec5b32f79949e6a3e72e55f0afd600db3e9eee78bd822aa0db910dec3df3eb4785e4c877c3b2babfc26b35

C:\Users\Admin\AppData\Roaming\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe

MD5 2303e482b151168c841b60df960d6d39
SHA1 c70d7aa2c1631af197306908db8c62e125d6baa4
SHA256 7f70a8d1f09dcb87e6ee114eca9e386757590c8731d9aa5f1bb17706616a137f
SHA512 fadf96ca12012fd6e2eb6908899dff6f072e11fadacc7dbf67ac5f45edb578803e02c5893518ee533cd611046d87094fe98b228164093ed986149a0c6664403a

memory/2472-29-0x00000000743E0000-0x000000007498B000-memory.dmp

memory/2492-30-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2492-31-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2492-33-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2492-34-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2492-35-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2492-37-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2492-38-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2492-41-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2492-42-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2492-45-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2492-46-0x0000000000400000-0x0000000000470000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-25 22:31

Reported

2025-02-25 22:33

Platform

win10v2004-20250217-en

Max time kernel

148s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\rundll.exe = "C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\SysWOW64\cmd.exe N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1928 set thread context of 4188 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe N/A
Token: 1 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 31 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 32 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 34 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 35 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1928 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1928 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1928 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1928 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1928 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1928 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1928 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1928 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 956 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 956 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 956 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 4380 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 4380 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 4380 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 4356 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 4356 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 4356 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3484 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3484 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3484 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4380 wrote to memory of 3504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4380 wrote to memory of 3504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4380 wrote to memory of 3504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 956 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 956 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 956 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4356 wrote to memory of 1352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4356 wrote to memory of 1352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4356 wrote to memory of 1352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Grand Theft Auto IV.bat""

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 ttalbertino.no-ip.biz udp
SG 78.159.141.204:5444 ttalbertino.no-ip.biz tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
SG 78.159.141.204:5444 ttalbertino.no-ip.biz tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 1ttalbertino.no-ip.biz udp
US 8.8.8.8:53 2ttalbertino.no-ip.biz udp
US 8.8.8.8:53 3ttalbertino.no-ip.biz udp
PS 94.73.22.65:5444 3ttalbertino.no-ip.biz tcp
US 8.8.8.8:53 4ttalbertino.no-ip.biz udp
US 8.8.8.8:53 5ttalbertino.no-ip.biz udp
US 8.8.8.8:53 6ttalbertino.no-ip.biz udp
US 8.8.8.8:53 7ttalbertino.no-ip.biz udp
US 8.8.8.8:53 8ttalbertino.no-ip.biz udp

Files

memory/1928-0-0x0000000075492000-0x0000000075493000-memory.dmp

memory/1928-1-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/1928-2-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/4188-3-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4188-5-0x0000000000400000-0x0000000000470000-memory.dmp

memory/1928-16-0x0000000075490000-0x0000000075A41000-memory.dmp

C:\Users\Admin\AppData\Roaming\Grand Theft Auto IV.bat

MD5 49c02c68e9c1ac925c36d778cf8ad2b7
SHA1 25fed8cf04a4eb4f2cbfdd1e605efb7936a707bf
SHA256 f94b188ddfcacebbaf9f92c38409575636b1f6501e03b55ab097544b6ff987bd
SHA512 1118f12e997d1cc20ecb473882d4280015c654c63eec5b32f79949e6a3e72e55f0afd600db3e9eee78bd822aa0db910dec3df3eb4785e4c877c3b2babfc26b35

C:\Users\Admin\AppData\Roaming\JaffaCakes118_2303e482b151168c841b60df960d6d39.exe

MD5 2303e482b151168c841b60df960d6d39
SHA1 c70d7aa2c1631af197306908db8c62e125d6baa4
SHA256 7f70a8d1f09dcb87e6ee114eca9e386757590c8731d9aa5f1bb17706616a137f
SHA512 fadf96ca12012fd6e2eb6908899dff6f072e11fadacc7dbf67ac5f45edb578803e02c5893518ee533cd611046d87094fe98b228164093ed986149a0c6664403a

memory/4188-21-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4188-22-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4188-24-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4188-25-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4188-26-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4188-29-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4188-30-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4188-33-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4188-35-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4188-37-0x0000000000400000-0x0000000000470000-memory.dmp