Analysis Overview
SHA256
a4e4ac00d4ba53d06796e517e5153981ceb64f6c6cec9ea2498866d31967298f
Threat Level: Known bad
The file JaffaCakes118_6453b926503f0a47ace96ee12c18bc33 was found to be: Known bad.
Malicious Activity Summary
Latentbot family
Blackshades family
Blackshades payload
LatentBot
Modifies firewall policy service
Blackshades
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Reads local data of messenger clients
Drops startup file
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Reads data files stored by FTP clients
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry key
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-03-11 08:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-11 08:48
Reported
2025-03-11 08:50
Platform
win7-20240903-en
Max time kernel
148s
Max time network
123s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
LatentBot
Latentbot family
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchoster.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC} | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC} | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefox Speed Booster V 4.exe | C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefox Speed Booster V 4.exe | C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2788 set thread context of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe | C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe |
| PID 2908 set thread context of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe"
C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe
"C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe"
C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
"C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe"
C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
"C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchoster.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchoster.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchoster.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchoster.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | softwaredev.zapto.org | udp |
Files
\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
| MD5 | 02172c9f873de4309101c7b0aa635bb7 |
| SHA1 | fc33532d22494d1c5e841961e21dd3fcac6154cf |
| SHA256 | cfba657e65e098fc8c5c23a260b3d1f9d0769c255b03531b7aa34a2845153a13 |
| SHA512 | bfa7fb080abb825d2cdbff2d7a7ba30f21ff20c81f30e902f826b00a63f2fe1b02f6eb77c6db8487dd31140540fcdae46ce32d6314586d68c58df787f5d6e754 |
C:\Users\Admin\AppData\Local\Temp\license.dll
| MD5 | b5afa963a369efefb8f905594bafa2df |
| SHA1 | 18a2375501100007a067944f6c2f494fd085528e |
| SHA256 | 58fb10a17191f36961266e5a0153e81219f6c99b464b3998e8e75d636151ae95 |
| SHA512 | 7ac1c5c9c9a66dff9a43aa055288a7ec8deec1c7e2b74a18a7e2509409df4094b0bf6d789bca59fd2ef3045cb768d1d9979779dcf68a91332ec1cf9c6bf118de |
memory/2288-39-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2288-36-0x0000000000400000-0x0000000000458000-memory.dmp
\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
| MD5 | cc3f40aaa43594aa6bdeb476e1e734c6 |
| SHA1 | e2268857d09aa6179f6bc50579c616f34d912545 |
| SHA256 | 622997cc3aa13d63bb0a01a50082f36753d86e96b0af2b3ad78de9d46f33ffdd |
| SHA512 | 0fc5a0c3288086ffecc8149eb3bfcd585fc3cb43814df9379e738cf1d0d1ff660dfc8b1db32c7a8c62e38f5b59d4d9ed7c22e9473b19919c5c26b6c696264b77 |
memory/2288-31-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2288-29-0x0000000000400000-0x0000000000458000-memory.dmp
\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe
| MD5 | a1fbc2ee381a4981c973ad8efd275e92 |
| SHA1 | ddc036889893267d8917facc48b1e3eea380f6f0 |
| SHA256 | 2b361e099e0af9eed2f67973873a189c290b1f32984dc2f560d277b8e1c87a72 |
| SHA512 | b4482c7984c5676618db162accfcd507752c1463fdb40259056e14a17bb8b05cc99763b37004f6dd12d1c5e3deb00c323e6f76703d6fe47655636979e809c277 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-11 08:48
Reported
2025-03-11 08:50
Platform
win10v2004-20250217-en
Max time kernel
148s
Max time network
138s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
LatentBot
Latentbot family
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchoster.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC} | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC} | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefox Speed Booster V 4.exe | C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefox Speed Booster V 4.exe | C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3988 set thread context of 4016 | N/A | C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe | C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe |
| PID 4012 set thread context of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe"
C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe
"C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe"
C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
"C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe"
C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
"C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchoster.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchoster.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchoster.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchoster.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | softwaredev.zapto.org | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 95.100.153.184:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | softwaredev.zapto.org | udp |
| US | 8.8.8.8:53 | softwaredev.zapto.org | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | softwaredev.zapto.org | udp |
| US | 8.8.8.8:53 | softwaredev.zapto.org | udp |
| US | 8.8.8.8:53 | softwaredev.zapto.org | udp |
| US | 8.8.8.8:53 | softwaredev.zapto.org | udp |
| US | 8.8.8.8:53 | softwaredev.zapto.org | udp |
| US | 8.8.8.8:53 | softwaredev.zapto.org | udp |
| US | 8.8.8.8:53 | softwaredev.zapto.org | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe
| MD5 | a1fbc2ee381a4981c973ad8efd275e92 |
| SHA1 | ddc036889893267d8917facc48b1e3eea380f6f0 |
| SHA256 | 2b361e099e0af9eed2f67973873a189c290b1f32984dc2f560d277b8e1c87a72 |
| SHA512 | b4482c7984c5676618db162accfcd507752c1463fdb40259056e14a17bb8b05cc99763b37004f6dd12d1c5e3deb00c323e6f76703d6fe47655636979e809c277 |
C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
| MD5 | cc3f40aaa43594aa6bdeb476e1e734c6 |
| SHA1 | e2268857d09aa6179f6bc50579c616f34d912545 |
| SHA256 | 622997cc3aa13d63bb0a01a50082f36753d86e96b0af2b3ad78de9d46f33ffdd |
| SHA512 | 0fc5a0c3288086ffecc8149eb3bfcd585fc3cb43814df9379e738cf1d0d1ff660dfc8b1db32c7a8c62e38f5b59d4d9ed7c22e9473b19919c5c26b6c696264b77 |
C:\Users\Admin\AppData\Local\Temp\license.dll
| MD5 | b5afa963a369efefb8f905594bafa2df |
| SHA1 | 18a2375501100007a067944f6c2f494fd085528e |
| SHA256 | 58fb10a17191f36961266e5a0153e81219f6c99b464b3998e8e75d636151ae95 |
| SHA512 | 7ac1c5c9c9a66dff9a43aa055288a7ec8deec1c7e2b74a18a7e2509409df4094b0bf6d789bca59fd2ef3045cb768d1d9979779dcf68a91332ec1cf9c6bf118de |
memory/1544-49-0x0000000000400000-0x0000000000459000-memory.dmp
C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
| MD5 | 02172c9f873de4309101c7b0aa635bb7 |
| SHA1 | fc33532d22494d1c5e841961e21dd3fcac6154cf |
| SHA256 | cfba657e65e098fc8c5c23a260b3d1f9d0769c255b03531b7aa34a2845153a13 |
| SHA512 | bfa7fb080abb825d2cdbff2d7a7ba30f21ff20c81f30e902f826b00a63f2fe1b02f6eb77c6db8487dd31140540fcdae46ce32d6314586d68c58df787f5d6e754 |