Malware Analysis Report

2025-05-06 00:12

Sample ID: 250226-a6ngsaxpv8
Target: JaffaCakes118_234d145eca32e47ec6c36e0ced3a29c1
SHA256: 68bc40092822ce3fc9e7d1c1763cb9841801cddef8218ca44401bb5599cebd5b
Tags: upx blackshades defense_evasion discovery persistence rat
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file JaffaCakes118_234d145eca32e47ec6c36e0ced3a29c1 was found to be: Known bad.

Malicious Activity Summary

Blackshades family

Modifies firewall policy service

Blackshades payload

Blackshades

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

UPX packed file

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-26 00:49

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2025-02-26 00:49

Reported

2025-02-26 00:52

Platform

win7-20241023-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_234d145eca32e47ec6c36e0ced3a29c1.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload


Modifies firewall policy service

defense_evasion
Description | Indicator | Process | Target
Key created (2 events) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\conhost\conhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\conhost\\conhost.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Key created (2 events) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) (2 events) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\conhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\conhost\\conhost.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2516 set thread context of 2248 | N/A | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe
PID 2516 set thread context of 2900 | N/A | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe

UPX packed file

upx

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened (5 events) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened (5 events) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened (3 events) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe | N/A
Key opened (1 event) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_234d145eca32e47ec6c36e0ced3a29c1.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A (4 events) | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Process: C:\Users\Admin\AppData\Roaming\conhost\conhost.exe (Indicator and Target are N/A for every row)
Tokens, in the order recorded: SeDebugPrivilege, 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2628 wrote to memory of 1716 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_234d145eca32e47ec6c36e0ced3a29c1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 2500 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2628 wrote to memory of 2516 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_234d145eca32e47ec6c36e0ced3a29c1.exe | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe
PID 2516 wrote to memory of 2248 (9 events) | N/A | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe
PID 2516 wrote to memory of 2900 (9 events) | N/A | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe
PID 2248 wrote to memory of 2680 (4 events) | N/A | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2688 (4 events) | N/A | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2752 (4 events) | N/A | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2508 (4 events) | N/A | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2728 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 1844 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2508 wrote to memory of 968 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 1888 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_234d145eca32e47ec6c36e0ced3a29c1.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_234d145eca32e47ec6c36e0ced3a29c1.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hEbwF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost\conhost.exe" /f

C:\Users\Admin\AppData\Roaming\conhost\conhost.exe

"C:\Users\Admin\AppData\Roaming\conhost\conhost.exe"

C:\Users\Admin\AppData\Roaming\conhost\conhost.exe

False

C:\Users\Admin\AppData\Roaming\conhost\conhost.exe

False

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\conhost\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost\conhost.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\conhost\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost\conhost.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | dopeaddicts.dyndns.org | udp

Files

memory/2628-0-0x0000000000400000-0x0000000000728000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hEbwF.bat

MD5 021642ee17b7444db0c075faa3f54a91
SHA1 0ce3898040d9a2f00771f785c6f96842498b8579
SHA256 1689135a9d358016450b26dc2f7dba8f09096c482c1168dda192248d2376cd4a
SHA512 644ac4f23b68de7ea978bbd42a45191323e02beb8c797fca685138544c35bd57d9019ae71ce2b4fffa0f83e326b84a70e70c1084c510a3ff184428ce88322603

\Users\Admin\AppData\Roaming\conhost\conhost.exe

MD5 234d145eca32e47ec6c36e0ced3a29c1
SHA1 fc85acb963946201a7421dc096d35610f6bab2ab
SHA256 68bc40092822ce3fc9e7d1c1763cb9841801cddef8218ca44401bb5599cebd5b
SHA512 5f203b61eafd34dad5fed8eaf5021d8ce769168ce131898024cfc96b878cb91f4c091553e7bf452b385245a950e804c475d35e51d4d449ca5c554240d5c1ed33


Analysis: behavioral2

Detonation Overview

Submitted

2025-02-26 00:49

Reported

2025-02-26 00:52

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_234d145eca32e47ec6c36e0ced3a29c1.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload


Modifies firewall policy service

defense_evasion
Description | Indicator | Process | Target
Set value (int) (2 events) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created (3 events) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Key created (2 events) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\conhost\conhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\conhost\\conhost.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\conhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_234d145eca32e47ec6c36e0ced3a29c1.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\conhost\\conhost.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3584 set thread context of 4840 | N/A | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe
PID 3584 set thread context of 3208 | N/A | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe

UPX packed file

upx

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened (5 events) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened (5 events) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened (1 event) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_234d145eca32e47ec6c36e0ced3a29c1.exe | N/A
Key opened (3 events) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A (4 events) | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Process: C:\Users\Admin\AppData\Roaming\conhost\conhost.exe (Indicator and Target are N/A for every row)
Tokens, in the order recorded: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2172 wrote to memory of 4468 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_234d145eca32e47ec6c36e0ced3a29c1.exe | C:\Windows\SysWOW64\cmd.exe
PID 4468 wrote to memory of 4996 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 3584 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_234d145eca32e47ec6c36e0ced3a29c1.exe | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe
PID 3584 wrote to memory of 4840 (8 events) | N/A | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe
PID 3584 wrote to memory of 3208 | N/A | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe | C:\Users\Admin\AppData\Roaming\conhost\conhost.exe
PID 3584 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Users\Admin\AppData\Roaming\conhost\conhost.exe
PID 3584 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Users\Admin\AppData\Roaming\conhost\conhost.exe
PID 3584 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Users\Admin\AppData\Roaming\conhost\conhost.exe
PID 3584 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Users\Admin\AppData\Roaming\conhost\conhost.exe
PID 3584 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Users\Admin\AppData\Roaming\conhost\conhost.exe
PID 3584 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Users\Admin\AppData\Roaming\conhost\conhost.exe
PID 3584 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Users\Admin\AppData\Roaming\conhost\conhost.exe
PID 4840 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Windows\SysWOW64\cmd.exe
PID 4840 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Windows\SysWOW64\cmd.exe
PID 4840 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Windows\SysWOW64\cmd.exe
PID 4840 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Windows\SysWOW64\cmd.exe
PID 4840 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Windows\SysWOW64\cmd.exe
PID 4840 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Windows\SysWOW64\cmd.exe
PID 4840 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Windows\SysWOW64\cmd.exe
PID 4840 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Windows\SysWOW64\cmd.exe
PID 4840 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Windows\SysWOW64\cmd.exe
PID 4840 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Windows\SysWOW64\cmd.exe
PID 4840 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Windows\SysWOW64\cmd.exe
PID 4840 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Roaming\conhost\conhost.exe C:\Windows\SysWOW64\cmd.exe
PID 3216 wrote to memory of 372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3216 wrote to memory of 372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3216 wrote to memory of 372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3148 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3148 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3148 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4396 wrote to memory of 348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4396 wrote to memory of 348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4396 wrote to memory of 348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3904 wrote to memory of 928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3904 wrote to memory of 928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3904 wrote to memory of 928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_234d145eca32e47ec6c36e0ced3a29c1.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_234d145eca32e47ec6c36e0ced3a29c1.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HVQyh.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost\conhost.exe" /f

C:\Users\Admin\AppData\Roaming\conhost\conhost.exe

"C:\Users\Admin\AppData\Roaming\conhost\conhost.exe"

C:\Users\Admin\AppData\Roaming\conhost\conhost.exe

False

C:\Users\Admin\AppData\Roaming\conhost\conhost.exe

False

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\conhost\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost\conhost.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\conhost\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost\conhost.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 dopeaddicts.dyndns.org udp
GB 104.86.110.90:443 www.bing.com tcp
US 8.8.8.8:53 dopeaddicts.dyndns.org udp
US 8.8.8.8:53 dopeaddicts.dyndns.org udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 dopeaddicts.dyndns.org udp
US 8.8.8.8:53 dopeaddicts.dyndns.org udp
US 8.8.8.8:53 dopeaddicts.dyndns.org udp
US 8.8.8.8:53 dopeaddicts.dyndns.org udp
US 8.8.8.8:53 dopeaddicts.dyndns.org udp
US 8.8.8.8:53 dopeaddicts.dyndns.org udp
US 8.8.8.8:53 dopeaddicts.dyndns.org udp

Files

C:\Users\Admin\AppData\Local\Temp\HVQyh.bat

MD5 021642ee17b7444db0c075faa3f54a91
SHA1 0ce3898040d9a2f00771f785c6f96842498b8579
SHA256 1689135a9d358016450b26dc2f7dba8f09096c482c1168dda192248d2376cd4a
SHA512 644ac4f23b68de7ea978bbd42a45191323e02beb8c797fca685138544c35bd57d9019ae71ce2b4fffa0f83e326b84a70e70c1084c510a3ff184428ce88322603

C:\Users\Admin\AppData\Roaming\conhost\conhost.exe

MD5 234d145eca32e47ec6c36e0ced3a29c1
SHA1 fc85acb963946201a7421dc096d35610f6bab2ab
SHA256 68bc40092822ce3fc9e7d1c1763cb9841801cddef8218ca44401bb5599cebd5b
SHA512 5f203b61eafd34dad5fed8eaf5021d8ce769168ce131898024cfc96b878cb91f4c091553e7bf452b385245a950e804c475d35e51d4d449ca5c554240d5c1ed33
