Malware Analysis Report

2025-05-28 17:56

Sample ID 250306-ren3ns1kv6
Target JaffaCakes118_56a3201e29e17e386a1e7102d44becd8
SHA256 8b89276a5097877a3e1acef6a8c833c78be3b59f1ab83b519031ef984bb06060
Tags
blackshades defense_evasion discovery persistence rat upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8b89276a5097877a3e1acef6a8c833c78be3b59f1ab83b519031ef984bb06060

Threat Level: Known bad

The file JaffaCakes118_56a3201e29e17e386a1e7102d44becd8 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat upx

Blackshades

Blackshades payload

Modifies firewall policy service

Blackshades family

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

UPX packed file

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-06 14:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-06 14:06

Reported

2025-03-06 14:09

Platform

win10v2004-20250217-en

Max time kernel

148s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (11 matches; the sandbox recorded no indicator, process or target for this signature)

Modifies firewall policy service

defense_evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updater.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Window Updates\\windowupdates_02.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window Updates = "C:\\Users\\Admin\\AppData\\Roaming\\Window Updates\\windowupdates_02.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4928 set thread context of 3624 | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe | C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (13 matches; the sandbox recorded no indicator, process or target for this signature)
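The "UPX packed file" signature above is a static match on the PE headers. As an added example, not code from this report or from the sandbox, here is the check an analyst would run on the sample's own section table with nothing but the Python standard library: UPX0/UPX1 section names, the UPX! marker string, a first section with zero raw size but a non-zero virtual size (the region UPX unpacks into), and an entry point that sits outside the first section. No bytes of the sample are on this page, so the block constructs header-only PE fixtures (build_fake_pe, an illustration, not a real binary) in both a UPX-style and a conventional layout. The checks are kept independent on purpose: a packer build with renamed sections defeats the name check but not the layout checks.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE's headers; ValueError if it is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]     # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]     # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24                                             # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", data, opt + 16)[0]             # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr, "flags": flags})
    return entry, sections


def upx_indicators(data):
    """Independent UPX heuristics; each hit is one reason string, so a renamed-section build still
    trips the layout checks. An empty list means nothing UPX-like was found."""
    entry, sections = parse_sections(data)
    names = [s["name"] for s in sections]
    reasons = []
    if any(n.startswith("UPX") for n in names):
        reasons.append(f"UPX section names: {names}")
    if b"UPX!" in data:
        reasons.append("'UPX!' marker string present")
    if sections and sections[0]["rawsize"] == 0 and sections[0]["vsize"] > 0:
        reasons.append("first section has no raw data but a virtual size (unpack destination)")
    for idx, s in enumerate(sections):
        if s["va"] <= entry < s["va"] + s["vsize"]:
            if idx != 0:
                reasons.append(f"entry point 0x{entry:x} is in '{s['name']}' (section {idx}), not the first section")
            break
    return reasons


def build_fake_pe(section_names, entry_section, first_section_empty, marker=b""):
    """Test fixture (assumption for this example): a header-only 32-bit PE with the given section layout."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # exactly 0x40 bytes
    sections, va, raw_ptr = [], 0x1000, 0x400
    for i, name in enumerate(section_names):
        empty = i == 0 and first_section_empty
        vsize, rawsize = (0x20000, 0) if empty else (0x4000, 0x4000)
        sections.append((name.encode().ljust(8, b"\0"), vsize, va, rawsize, 0 if empty else raw_ptr))
        va += vsize
        raw_ptr += rawsize
    entry = sections[entry_section][2] + 0x10
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(0xE0, b"\0")  # PE32, entry at +16
    table = b"".join(struct.pack(SECTION_FMT, *s, 0, 0, 0, 0, 0x60000020) for s in sections)
    return dos + b"PE\0\0" + coff + opt + table + marker


if __name__ == "__main__":
    packed = build_fake_pe(["UPX0", "UPX1", ".rsrc"], entry_section=1, first_section_empty=True, marker=b"UPX!")
    clean = build_fake_pe([".text", ".rdata", ".data"], entry_section=0, first_section_empty=False)
    for label, blob in (("packed", packed), ("clean", clean)):
        print(label, upx_indicators(blob) or ["no UPX indicators"])
```

Running the block scores both fixtures; pointing upx_indicators at the real sample is only a matter of reading the file into data. Treat a single hit as a prompt to look closer and three or four hits as a packer, and expect the entry-point check alone to misfire on legitimately unusual linkers.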

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe (1 time) | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe (5 times) | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe (5 times) | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe (2 times) | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe (4 matches; indicator not recorded) | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 (35 entries) | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe | N/A
The entries run in privilege-LUID order from 1 to 35 (the bare numbers are LUIDs the sandbox did not resolve to a name): windowupdates_02.exe attempts to enable every privilege its token could possibly hold rather than the one or two it needs, which is itself a usable detection signal.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2948 wrote to memory of 4880 (3 times) | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe | C:\Windows\SysWOW64\cmd.exe
PID 4880 wrote to memory of 4876 (3 times) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2948 wrote to memory of 4928 (3 times) | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe | C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe
PID 4928 wrote to memory of 3624 (8 times) | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe | C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe
PID 3624 wrote to memory of 4144 (3 times) | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe | C:\Windows\SysWOW64\cmd.exe
PID 3624 wrote to memory of 5044 (3 times) | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe | C:\Windows\SysWOW64\cmd.exe
PID 3624 wrote to memory of 2184 (3 times) | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe | C:\Windows\SysWOW64\cmd.exe
PID 3624 wrote to memory of 3000 (3 times) | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe | C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2444 (3 times) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2184 wrote to memory of 3016 (3 times) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4144 wrote to memory of 3540 (3 times) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 5044 wrote to memory of 4424 (3 times) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
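Two rows in these tables carry the actual injection: PID 4928 writes into PID 3624 eight times and then replaces its thread context (the SetThreadContext entry above), and both processes are windowupdates_02.exe. Everything else here is the noise a parent produces when it creates a child: the loader seeds the new process's parameters with a cross-process write, which is why every cmd.exe to reg.exe pair shows up as well. The memory dumps listed under Files for PID 3624 cover the image range 0x400000-0x45C000 that this write-then-redirect sequence populates. The added example below, not part of the report, correlates the two event types over the rows above (reduced to one tuple per pair) and also renders the process tree those rows imply; the tree step assumes, as is true for this run, that every write edge is parent to freshly created child.

```python
from collections import defaultdict

# Constructed input: the WriteProcessMemory / SetThreadContext rows of the behavioral2 run above,
# one entry per (source, target) pair. Layout: (api, source pid, target pid, source image, target image).
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"

EVENTS = [
    ("WriteProcessMemory", 2948, 4880, SAMPLE_EXE, CMD),
    ("WriteProcessMemory", 4880, 4876, CMD, REG),
    ("WriteProcessMemory", 2948, 4928, SAMPLE_EXE, DROPPED),
    ("WriteProcessMemory", 4928, 3624, DROPPED, DROPPED),
    ("SetThreadContext", 4928, 3624, DROPPED, DROPPED),
    ("WriteProcessMemory", 3624, 4144, DROPPED, CMD),
    ("WriteProcessMemory", 3624, 5044, DROPPED, CMD),
    ("WriteProcessMemory", 3624, 2184, DROPPED, CMD),
    ("WriteProcessMemory", 3624, 3000, DROPPED, CMD),
    ("WriteProcessMemory", 3000, 2444, CMD, REG),
    ("WriteProcessMemory", 2184, 3016, CMD, REG),
    ("WriteProcessMemory", 4144, 3540, CMD, REG),
    ("WriteProcessMemory", 5044, 4424, CMD, REG),
]


def find_hollowing(events):
    """Flag (source, target, image) where one process both wrote into and replaced the thread context of
    a second process running the same image. A parent writing into a child it just created is normal
    (the loader seeds the child's process parameters that way), so the write alone is not evidence; the
    write + SetThreadContext pair on a same-image child is the RunPE / process-hollowing pattern."""
    wrote = {(src, dst) for api, src, dst, _, _ in events if api == "WriteProcessMemory"}
    return [
        (src, dst, dst_img)
        for api, src, dst, src_img, dst_img in events
        if api == "SetThreadContext" and (src, dst) in wrote and src_img.lower() == dst_img.lower()
    ]


def process_tree(events):
    """Render the process tree implied by the events. Assumption (checked against the Processes section
    of this run): every write edge is parent -> freshly created child, so edges are creation edges."""
    children, images = defaultdict(list), {}
    for _, src, dst, src_img, dst_img in events:
        images[src], images[dst] = src_img, dst_img
        if dst not in children[src]:
            children[src].append(dst)
    spawned = {kid for kids in children.values() for kid in kids}
    roots = [pid for pid in children if pid not in spawned]
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid].rsplit(chr(92), 1)[-1]}")
        for kid in children.get(pid, []):
            walk(kid, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    for src, dst, image in find_hollowing(EVENTS):
        print(f"hollowing: {src} -> {dst} ({image})")
    print("\n".join(process_tree(EVENTS)))
```

On a live host the same correlation works over Sysmon event 8 (CreateRemoteThread) or an EDR's thread-context telemetry joined to process creation; the point that carries over is to key on the same-image child plus the context reset, not on the cross-process write.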

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qZTSn.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Window Updates" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe" /f

C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe

"C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe"

C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe

"C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe:*:Enabled:Windows Messanger" /f
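The reg.exe command lines above are the whole persistence and defense-evasion story in plain text: a HKCU Run value pointing into %APPDATA%, DoNotAllowExceptions forced to 0, and two AuthorizedApplications\List entries in the XP-era firewall's path:scope:Enabled:name format, both labelled "Windows Messanger". The second exception names C:\Users\Admin\AppData\Roaming\Windows Updater.exe, a path nothing in this run drops or executes, which makes it a second artifact to hunt for. Vista and later keep firewall rules under FirewallPolicy\FirewallRules, so treat the legacy key as a hunting indicator and verify separately whether the write changed the effective firewall state on the target OS. The added example below (not the sandbox's code) parses REG ADD command lines as a process-creation log records them and classifies each one; the vendor-agent line is a constructed benign control.

```python
import re

# Constructed input: the reg.exe command lines recorded in the behavioral2 run above (the "cmd /c"
# wrapper kept where the report shows it), plus one constructed benign line as a control.
SAMPLE_CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Window Updates" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "VendorAgent" /t REG_SZ /d "C:\Program Files\Vendor\agent.exe" /f',  # constructed benign control
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# Directories an unprivileged user can write to; a Run entry or firewall exception pointing here is the tell.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes; backslashes stay literal."""
    return [quoted or plain for quoted, plain in TOKEN_RE.findall(cmdline)]


def parse_reg_add(cmdline):
    """Return {'key','value','type','data'} for a REG ADD line (with or without a cmd /c wrapper), else None."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    for i in range(len(toks) - 1):
        if low[i] in ("reg", "reg.exe") and low[i + 1] == "add":
            break
    else:
        return None
    rest = toks[i + 2:]
    if not rest:
        return None
    entry = {"key": rest[0], "value": None, "type": "REG_SZ", "data": None}
    flags = {"/v": "value", "/t": "type", "/d": "data"}
    j = 1
    while j < len(rest):
        flag = rest[j].lower()
        if flag in flags and j + 1 < len(rest):
            entry[flags[flag]] = rest[j + 1]
            j += 2
        else:
            j += 1  # /f, /ve, /s and anything else take no argument we care about
    return entry


def is_user_writable(path):
    return any(seg in path.lower() for seg in USER_WRITABLE)


def classify(entry):
    """Map a parsed REG ADD to (tactic, reason), or None when the write is not one of the patterns of interest."""
    key = entry["key"].lower()
    data = entry["data"] or ""
    if key.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
        if is_user_writable(data):
            return ("persistence", f"Run value '{entry['value']}' launches a binary from a user-writable path: {data}")
        return None
    if "\\firewallpolicy\\" not in key:
        return None
    if key.endswith("\\authorizedapplications\\list"):
        # Legacy exception-list format: <path>:<scope>:<Enabled|Disabled>:<display name>; rsplit keeps the drive colon.
        parts = data.rsplit(":", 3)
        if len(parts) == 4:
            path, scope, state, name = parts
            if state.lower() == "enabled" and is_user_writable(path):
                return ("defense_evasion", f"firewall exception '{name}' (scope {scope}) for user-writable binary {path}")
    if (entry["value"] or "").lower() == "donotallowexceptions" and data == "0":
        return ("defense_evasion", "DoNotAllowExceptions set to 0: exceptions re-enabled for this firewall profile")
    return None


def triage(cmdlines):
    """Run the classifier over process command lines and return the hits in input order."""
    hits = []
    for line in cmdlines:
        entry = parse_reg_add(line)
        verdict = classify(entry) if entry else None
        if verdict:
            hits.append(verdict)
    return hits


if __name__ == "__main__":
    for tactic, reason in triage(SAMPLE_CMDLINES):
        print(f"[{tactic}] {reason}")
```

The same classifier applies unchanged to Sysmon event 1 or Windows 4688 command lines; the user-writable-path test is what keeps it from firing on installers that register Program Files binaries, as the control line shows.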

Network

Country | Destination | Domain | Proto | Flows
US | 8.8.8.8:53 | g.bing.com | udp | 1
US | 150.171.28.10:443 | g.bing.com | tcp | 1
US | 8.8.8.8:53 | havefunnuke.servequake.com | udp | 10
US | 150.171.27.10:443 | g.bing.com | tcp | 4
US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp | 5
(22 flows in total; identical rows collapsed into the Flows column, ordered by first occurrence)
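Two things stand out in the network table. The bing.com and bing.net flows are Windows background traffic on the analysis VM, not the sample. havefunnuke.servequake.com, in contrast, is resolved ten times over the run and never followed by a connection to a resolved address: from the host's side that is what a dormant, unreachable or sinkholed C2 looks like, and the domain (servequake.com is a No-IP dynamic-DNS zone) is the indicator to block and hunt for regardless. The added example below, not part of the report, parses the table as printed and applies exactly that test; the OS-noise and dynamic-DNS suffix lists are operator-maintained assumptions, not something the report supplies.

```python
import re
from collections import defaultdict

# Constructed input: the Network table of the behavioral2 run above, one line per flow as printed.
NETWORK_ROWS = """
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
"""

ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")

# Operator-maintained lists (assumptions for this example, not taken from the report).
DYNAMIC_DNS_ZONES = ("servequake.com", "no-ip.org", "ddns.net", "hopto.org", "zapto.org", "sytes.net",
                     "myftp.org", "duckdns.org")
OS_NOISE_ZONES = ("bing.com", "bing.net", "microsoft.com", "windowsupdate.com")


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows; lines that do not match the layout are skipped."""
    flows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            flows.append(m.groupdict())
    return flows


def in_zone(domain, zones):
    return any(domain == z or domain.endswith("." + z) for z in zones)


def summarize(flows):
    """Per domain: DNS lookups (port 53) versus connections to a resolved address."""
    stats = defaultdict(lambda: {"lookups": 0, "connections": 0, "peers": set()})
    for f in flows:
        entry = stats[f["domain"]]
        if f["port"] == "53":
            entry["lookups"] += 1
        else:
            entry["connections"] += 1
            entry["peers"].add(f"{f['ip']}:{f['port']}")
    return stats


def suspicious_domains(flows, min_lookups=3):
    """Domains resolved at least min_lookups times with no follow-up connection, ignoring OS telemetry zones.
    Repeated lookups without a connection is the host-side shape of a C2 that is down, blocked or sinkholed."""
    hits = []
    for domain, entry in summarize(flows).items():
        if in_zone(domain, OS_NOISE_ZONES):
            continue
        if entry["lookups"] >= min_lookups and entry["connections"] == 0:
            hits.append({"domain": domain, "lookups": entry["lookups"],
                         "dynamic_dns": in_zone(domain, DYNAMIC_DNS_ZONES)})
    return hits


if __name__ == "__main__":
    for hit in suspicious_domains(parse_rows(NETWORK_ROWS)):
        print(hit)
```

The lookup threshold is deliberately low because a sandbox run lasts a couple of minutes; on resolver logs spanning days the same logic should be paired with a per-host rate and the dynamic-DNS flag should raise the score rather than gate it.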

Files

C:\Users\Admin\AppData\Local\Temp\qZTSn.txt

MD5 477c27332fc112e4f0cf76a5a09e64e1
SHA1 5a3b531dba82da553213b23ec3cd477730b4fa19
SHA256 2e7e2becf2dd46169bf1c3094e8551e2a8cc0a4401169e2ab4607ec93c630e89
SHA512 6dd0b686e0a5ec4fa88782583654f51b8a7a0c900a9bbb4ed7e4ca907e59fb657d2344350832f5c43969c481a811700d4e5beaf65189db2ab8bd8bdb301d3b15

C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.txt

MD5 336969c0b30389246e9a17437bd38302
SHA1 12f3d1d6f58d410f0f4cc16d99670a3ba3d993f2
SHA256 7aa9543acb50524b4cb846220e4355fa2853d2c456879dab65b981e846dc6882
SHA512 ecb112465e15f2b786a298a61ee8d28eacfd0e2e5ad2fba61d1b179d731f026c9b446c34caa17204a7a81da10a8cb6fa886f0fe2dbf67bdb91d6143531441c66

memory/3624-<n>-0x0000000000400000-0x000000000045C000-memory.dmp for n in 29, 32, 34, 40, 42, 44, 45, 46, 48, 49, 52, 53, 57 (13 dumps of the same 0x400000-0x45C000 image range of PID 3624, the windowupdates_02.exe instance that received the SetThreadContext call above)

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-06 14:06

Reported

2025-03-06 14:09

Platform

win7-20250207-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (10 matches; the sandbox recorded no indicator, process or target for this signature)

Modifies firewall policy service

defense_evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updater.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Window Updates\\windowupdates_02.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\Window Updates = "C:\\Users\\Admin\\AppData\\Roaming\\Window Updates\\windowupdates_02.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2964 set thread context of 2848 | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe | C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (13 matches; the sandbox recorded no indicator, process or target for this signature)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe (5 times) | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe (1 time) | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe (2 times) | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe (5 times) | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe (4 matches; indicator not recorded) | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 (35 entries) | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe | N/A
As in the Windows 10 run, the entries are privilege LUIDs 1 through 35 in order (the bare numbers are LUIDs the sandbox did not resolve to a name): windowupdates_02.exe attempts to enable every privilege its token could hold, a blanket AdjustTokenPrivileges call that legitimate software almost never makes.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2720 wrote to memory of 268 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe C:\Windows\SysWOW64\cmd.exe
PID 268 wrote to memory of 1084 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2720 wrote to memory of 2964 (7 writes) N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe
PID 2964 wrote to memory of 2848 (12 writes) N/A C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe
PID 2848 wrote to memory of 2936 (7 writes) N/A C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 3004 (7 writes) N/A C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 3024 (7 writes) N/A C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2664 (7 writes) N/A C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2684 (7 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3004 wrote to memory of 2716 (2 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Identical rows are collapsed above, with the number of logged writes in parentheses. The 12 writes from PID 2964 into PID 2848, a second instance of its own image, together with the SetThreadContext signature reported for this sample, fit the pattern of a hollowing-style injection into a freshly spawned copy of the executable; the memory dumps of PID 2848 listed under Files (0x400000-0x45C000) cover the image region where the rewritten code would reside.

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\przNl.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Window Updates" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe" /f

C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe

"C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe"

C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe

"C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
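The REG ADD command lines above are the whole of the persistence and firewall tampering this detonation exposes: one Run-key entry under HKCU, the StandardProfile DoNotAllowExceptions value forced to 0, and two AuthorizedApplications entries (one for the dropped windowupdates_02.exe, one for a "Windows Updater.exe" path that does not appear in the Files list). The Python below is an added example for this report, not sandbox output and not the sample's code: it parses such command lines as they would be seen in process-creation telemetry (Sysmon Event ID 1, Security 4688) and labels the two behaviours with their ATT&CK technique IDs. The strings in SAMPLE_CMDLINES are copied from the Processes section; every function, constant and label name is this example's own.

```python
"""Label REG ADD command lines with the persistence / firewall-tampering
behaviours this detonation shows.

Added example for this report: not sandbox output and not the sample's code.
The strings in SAMPLE_CMDLINES are copied from the Processes section; every
name below is this example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Finding labels (ATT&CK IDs are the standard ones for these behaviours).
RUN_KEY = "T1547.001 Run key persistence"
FW_EXCEPTION = "T1562.004 firewall exception added"
FW_ALLOW_EXC = "T1562.004 DoNotAllowExceptions cleared"
USER_PATH = "payload path under a user-writable AppData directory"

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
FW_PROFILE_RE = re.compile(r"\\SharedAccess\\Parameters\\FirewallPolicy\\\w+Profile$", re.I)
FW_LIST_RE = re.compile(r"\\FirewallPolicy\\\w+Profile\\AuthorizedApplications\\List$", re.I)
USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.I)


@dataclass
class RegAdd:
    key: str
    value: Optional[str] = None
    reg_type: Optional[str] = None
    data: Optional[str] = None
    force: bool = False


def tokenize(cmdline: str) -> list:
    """Split on whitespace but keep double-quoted spans (paths with spaces) together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Parse `REG ADD <key> [/v name] [/t type] [/d data] [/f]`, also when wrapped in `cmd /c`."""
    toks = tokenize(cmdline)
    start = None
    for i in range(len(toks) - 1):
        exe = toks[i].lower().rsplit("\\", 1)[-1]      # accept bare REG or a full reg.exe path
        if exe in ("reg", "reg.exe") and toks[i + 1].lower() == "add":
            start = i + 2
            break
    if start is None or start >= len(toks):
        return None
    r = RegAdd(key=toks[start].rstrip("\\"))
    args = toks[start + 1:]
    j = 0
    while j < len(args):
        flag = args[j].lower()
        if flag == "/f":
            r.force = True
            j += 1
        elif flag in ("/v", "/t", "/d") and j + 1 < len(args):
            setattr(r, {"/v": "value", "/t": "reg_type", "/d": "data"}[flag], args[j + 1])
            j += 2
        else:
            j += 1                                      # unknown switch (/s, /ve, ...): skip
    return r


def classify(cmdline: str) -> list:
    """Return (label, detail) findings for one command line; [] if not a REG ADD of interest."""
    r = parse_reg_add(cmdline)
    if r is None:
        return []
    findings = []
    if RUN_KEY_RE.search(r.key):
        findings.append((RUN_KEY, f"{r.value} = {r.data}"))
    if FW_LIST_RE.search(r.key):
        # Legacy firewall list data is <path>:<scope>:<Enabled|Disabled>:<display name>
        findings.append((FW_EXCEPTION, r.data or r.value or ""))
    elif FW_PROFILE_RE.search(r.key) and (r.value or "").lower() == "donotallowexceptions" \
            and (r.data or "").strip().lower() in ("0", "0x0"):
        findings.append((FW_ALLOW_EXC, r.key))
    if findings and r.data:
        path = r.data.split(":*:", 1)[0]                # strip the firewall-list suffix, if any
        if USER_WRITABLE_RE.search(path):
            findings.append((USER_PATH, path))
    return findings


def summarize(cmdlines) -> Counter:
    """Count findings by label across a batch of command lines."""
    return Counter(label for c in cmdlines for label, _ in classify(c))


# Copied from the Processes section of this report (behavioral1).
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe"',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\przNl.bat" "',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Window Updates" /t REG_SZ '
    r'/d "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    r'\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    r'\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Window Updates'
    r'\windowupdates_02.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates'
    r'\windowupdates_02.exe:*:Enabled:Windows Messanger" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    r'\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" '
    r'/t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        for label, detail in classify(line):
            print(f"{label}: {detail}")
    print(dict(summarize(SAMPLE_CMDLINES)))
```

Run against the seven lines, the classifier yields one Run-key finding, two firewall exceptions, one DoNotAllowExceptions clear, and flags all three payload paths as living under the user's AppData. Two literal strings from these command lines are worth keeping as hunt terms in their own right: the misspelled display name "Windows Messanger" in the firewall-list data, and the "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" path, which is registered as a firewall exception but is not among the files written during this detonation.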

Network

Country Destination Domain Proto
US 8.8.8.8:53 havefunnuke.servequake.com udp

Files

C:\Users\Admin\AppData\Local\Temp\przNl.bat

MD5 477c27332fc112e4f0cf76a5a09e64e1
SHA1 5a3b531dba82da553213b23ec3cd477730b4fa19
SHA256 2e7e2becf2dd46169bf1c3094e8551e2a8cc0a4401169e2ab4607ec93c630e89
SHA512 6dd0b686e0a5ec4fa88782583654f51b8a7a0c900a9bbb4ed7e4ca907e59fb657d2344350832f5c43969c481a811700d4e5beaf65189db2ab8bd8bdb301d3b15

C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe

MD5 135c6466edfc5ca4ea2a7dd03c73e38a
SHA1 d52becc23827e7008f770fab3ae5ae98532d6306
SHA256 dea8332d4a109bb2e77ea487e0a35273614398940417cee75e0087c7a982211e
SHA512 ff87663fe4d36c973f22ffc0f8f9116d7a4b233aac675c21613dd63f6f14403a9db148af9eac922b7e41625c10f1e06852d812ee706392c70572ec5e8ae8cffb

memory/2848-46-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2848-55-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2848-59-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2848-49-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2848-63-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2848-65-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2848-66-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2848-68-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2848-69-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2848-73-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2848-74-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2848-76-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2848-79-0x0000000000400000-0x000000000045C000-memory.dmp