Analysis Overview
SHA256
733db86b3ebceee1b42aa2f2276a867aa4446159e3dcf69c9de1f9ed69786c32
Threat Level: Known bad
The file JaffaCakes118_253507afe0df86a8ebb94bc53d95642d was found to be: Known bad.
Malicious Activity Summary
Blackshades
Modifies firewall policy service
Blackshades payload
Blackshades family
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Adds Run key to start application
UPX packed file
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-26 10:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-26 10:08
Reported
2025-02-26 10:11
Platform
win7-20240903-en
Max time kernel
148s
Max time network
120s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\kim.exe = "C:\\Users\\Admin\\AppData\\Roaming\\kim.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\KimChanJun = "C:\\Users\\Admin\\AppData\\Roaming\\kim.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD1FAA09-FD5E-2E00-EAB1-2EDDEBEF8AAA} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD1FAA09-FD5E-2E00-EAB1-2EDDEBEF8AAA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\kim.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{BD1FAA09-FD5E-2E00-EAB1-2EDDEBEF8AAA} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Active Setup\Installed Components\{BD1FAA09-FD5E-2E00-EAB1-2EDDEBEF8AAA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\kim.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KimChanJun = "C:\\Users\\Admin\\AppData\\Roaming\\kim.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\KimChanJun = "C:\\Users\\Admin\\AppData\\Roaming\\kim.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1112 set thread context of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_253507afe0df86a8ebb94bc53d95642d.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_253507afe0df86a8ebb94bc53d95642d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_253507afe0df86a8ebb94bc53d95642d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_253507afe0df86a8ebb94bc53d95642d.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\kim.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\kim.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\kim.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\kim.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kimnetwork.myvnc.com | udp |
Files
memory/1112-0-0x0000000074361000-0x0000000074362000-memory.dmp
memory/1112-1-0x0000000074360000-0x000000007490B000-memory.dmp
memory/1112-2-0x0000000074360000-0x000000007490B000-memory.dmp
memory/2332-3-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2332-9-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2332-12-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2332-14-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2332-13-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/1112-16-0x0000000074360000-0x000000007490B000-memory.dmp
memory/2332-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2332-6-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2332-5-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2332-19-0x0000000076248000-0x0000000076249000-memory.dmp
memory/2332-22-0x0000000076230000-0x0000000076340000-memory.dmp
memory/2332-21-0x0000000076230000-0x0000000076340000-memory.dmp
memory/2332-20-0x0000000076230000-0x0000000076340000-memory.dmp
memory/2332-23-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2332-24-0x0000000076230000-0x0000000076340000-memory.dmp
memory/2332-25-0x0000000076230000-0x0000000076340000-memory.dmp
memory/2332-26-0x0000000076230000-0x0000000076340000-memory.dmp
memory/2332-28-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2332-30-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2332-31-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2332-32-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2332-33-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2332-35-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2332-36-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2332-38-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2332-39-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2332-40-0x0000000000400000-0x00000000005D8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-26 10:08
Reported
2025-02-26 10:11
Platform
win10v2004-20250217-en
Max time kernel
148s
Max time network
138s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\kim.exe = "C:\\Users\\Admin\\AppData\\Roaming\\kim.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\KimChanJun = "C:\\Users\\Admin\\AppData\\Roaming\\kim.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD1FAA09-FD5E-2E00-EAB1-2EDDEBEF8AAA} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD1FAA09-FD5E-2E00-EAB1-2EDDEBEF8AAA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\kim.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{BD1FAA09-FD5E-2E00-EAB1-2EDDEBEF8AAA} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{BD1FAA09-FD5E-2E00-EAB1-2EDDEBEF8AAA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\kim.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KimChanJun = "C:\\Users\\Admin\\AppData\\Roaming\\kim.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KimChanJun = "C:\\Users\\Admin\\AppData\\Roaming\\kim.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3128 set thread context of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_253507afe0df86a8ebb94bc53d95642d.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_253507afe0df86a8ebb94bc53d95642d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_253507afe0df86a8ebb94bc53d95642d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_253507afe0df86a8ebb94bc53d95642d.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\kim.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\kim.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\kim.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\kim.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kimnetwork.myvnc.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | kimnetwork.myvnc.com | udp |
| US | 8.8.8.8:53 | kimnetwork.myvnc.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | kimnetwork.myvnc.com | udp |
| US | 8.8.8.8:53 | kimnetwork.myvnc.com | udp |
| US | 8.8.8.8:53 | kimnetwork.myvnc.com | udp |
| US | 8.8.8.8:53 | kimnetwork.myvnc.com | udp |
| US | 8.8.8.8:53 | kimnetwork.myvnc.com | udp |
| US | 8.8.8.8:53 | kimnetwork.myvnc.com | udp |
| US | 8.8.8.8:53 | kimnetwork.myvnc.com | udp |
Files
memory/3128-0-0x0000000075262000-0x0000000075263000-memory.dmp
memory/3128-1-0x0000000075260000-0x0000000075811000-memory.dmp
memory/3128-2-0x0000000075260000-0x0000000075811000-memory.dmp
memory/2200-3-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2200-7-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2200-9-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2200-5-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2200-13-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/3128-14-0x0000000075260000-0x0000000075811000-memory.dmp
memory/2200-15-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2200-16-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2200-20-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2200-24-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2200-27-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2200-30-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2200-34-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2200-37-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2200-40-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2200-44-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2200-47-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2200-53-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2200-60-0x0000000000400000-0x00000000005D8000-memory.dmp