Malware Analysis Report

2025-05-28 17:58

Sample ID 250515-f9d1ea1jy8
Target JaffaCakes118_045542e9adb32b39adba08d93dd6b071
SHA256 bf39e89c584c512c8948a6200b85e66ded15727ad92dcafbea2951278b07fb3f
Tags
blackshades latentbot defense_evasion discovery persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf39e89c584c512c8948a6200b85e66ded15727ad92dcafbea2951278b07fb3f

Threat Level: Known bad

The file JaffaCakes118_045542e9adb32b39adba08d93dd6b071 was found to be: Known bad.

Malicious Activity Summary

blackshades latentbot defense_evasion discovery persistence rat trojan

Blackshades family

LatentBot

Modifies firewall policy service

Latentbot family

Blackshades

Blackshades payload

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-15 05:34

Signatures

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-15 05:34

Reported

2025-05-15 05:36

Platform

win10v2004-20250502-en

Max time kernel

147s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

LatentBot

trojan latentbot

Latentbot family

latentbot

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8765FD16-99DC-D178-AB7F-A90ECF7C2FB1}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{8765FD16-99DC-D178-AB7F-A90ECF7C2FB1} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{8765FD16-99DC-D178-AB7F-A90ECF7C2FB1}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8765FD16-99DC-D178-AB7F-A90ECF7C2FB1} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3456 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 3344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1352 wrote to memory of 3344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1352 wrote to memory of 3344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 4744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 4744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 4744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3168 wrote to memory of 4240 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe
PID 3168 wrote to memory of 4240 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe
PID 3168 wrote to memory of 4240 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe
PID 4800 wrote to memory of 548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4800 wrote to memory of 548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4800 wrote to memory of 548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe:*:Enabled:Windows Messanger" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe:*:Enabled:Windows Messanger" /f

C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe

C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 alternative.zapto.org udp
PL 2.18.29.139:443 www.bing.com tcp
US 8.8.8.8:53 alternative.zapto.org udp
US 8.8.8.8:53 1alternative.zapto.org udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 2alternative.zapto.org udp
US 8.8.8.8:53 3alternative.zapto.org udp
US 8.8.8.8:53 c.pki.goog udp
FR 142.251.37.35:80 c.pki.goog tcp
US 8.8.8.8:53 4alternative.zapto.org udp
US 8.8.8.8:53 5alternative.zapto.org udp
US 8.8.8.8:53 6alternative.zapto.org udp
US 8.8.8.8:53 7alternative.zapto.org udp
US 8.8.8.8:53 8alternative.zapto.org udp

Files

memory/3456-5-0x0000000075891000-0x0000000075892000-memory.dmp

memory/3456-6-0x0000000075870000-0x0000000075960000-memory.dmp

memory/3456-7-0x0000000075870000-0x0000000075960000-memory.dmp

C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe

MD5 045542e9adb32b39adba08d93dd6b071
SHA1 0dea99e9cf48c1af198e05f43cf2db9138713574
SHA256 bf39e89c584c512c8948a6200b85e66ded15727ad92dcafbea2951278b07fb3f
SHA512 e6906614d4bd4ecb6451669016b8fdb14efe9230c337faa5fe1a1a27feba4b5214e40d28ccfa1ed4f61caa3509c2363721abf719fa85f5b8707cf6190142f29f

memory/3456-14-0x0000000075870000-0x0000000075960000-memory.dmp

memory/3456-17-0x0000000075870000-0x0000000075960000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-15 05:34

Reported

2025-05-15 05:36

Platform

win11-20250502-en

Max time kernel

147s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

LatentBot

trojan latentbot

Latentbot family

latentbot

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Active Setup\Installed Components\{8765FD16-99DC-D178-AB7F-A90ECF7C2FB1}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8765FD16-99DC-D178-AB7F-A90ECF7C2FB1} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8765FD16-99DC-D178-AB7F-A90ECF7C2FB1}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{8765FD16-99DC-D178-AB7F-A90ECF7C2FB1} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 8 wrote to memory of 5396 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 5396 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 5396 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 5872 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 5872 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 5872 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2320 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2320 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2320 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5872 wrote to memory of 436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5872 wrote to memory of 436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5872 wrote to memory of 436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4152 wrote to memory of 4376 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe
PID 4152 wrote to memory of 4376 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe
PID 4152 wrote to memory of 4376 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe
PID 5396 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5396 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5396 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe:*:Enabled:Windows Messanger" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe

C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 alternative.zapto.org udp
US 8.8.8.8:53 alternative.zapto.org udp
IE 52.111.236.21:443 tcp

Files

memory/8-5-0x0000000075E09000-0x0000000075E0A000-memory.dmp

memory/8-6-0x0000000075DF0000-0x0000000075EE0000-memory.dmp

memory/8-8-0x0000000075DF0000-0x0000000075EE0000-memory.dmp

memory/8-7-0x0000000075DF0000-0x0000000075EE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe

MD5 045542e9adb32b39adba08d93dd6b071
SHA1 0dea99e9cf48c1af198e05f43cf2db9138713574
SHA256 bf39e89c584c512c8948a6200b85e66ded15727ad92dcafbea2951278b07fb3f
SHA512 e6906614d4bd4ecb6451669016b8fdb14efe9230c337faa5fe1a1a27feba4b5214e40d28ccfa1ed4f61caa3509c2363721abf719fa85f5b8707cf6190142f29f

memory/8-15-0x0000000075DF0000-0x0000000075EE0000-memory.dmp

memory/8-16-0x0000000075DF0000-0x0000000075EE0000-memory.dmp

memory/8-19-0x0000000075DF0000-0x0000000075EE0000-memory.dmp