Analysis
-
max time kernel
148s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
24/01/2025, 01:47
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe
-
Size
528KB
-
MD5
1cdb41240b577a457c4cf6932644452e
-
SHA1
fa7c0fe4935adde026603d69e430abb96bc7c9e0
-
SHA256
b7d8239141e1929891087203ef0c8d2381b3ffd8334066510e2435587ec12aac
-
SHA512
8600ca9db34d7dbef14f2541f2f1904230e986764cc60311e862498382d786f6b2c99e487a1d3d0795ffd6c746158666de071c8281a934ca7cc74cbd96a59061
-
SSDEEP
12288:O1T9O/qYv8/iWlq0bZBZsI+oG1KsFXyeIeoUN:Ak0bNs9FtyeI+N
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 11 IoCs
resource yara_rule behavioral1/memory/1880-8-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/1880-4-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/1880-16-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/1880-17-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/1880-19-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/1880-20-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/1880-21-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/1880-23-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/1880-25-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/1880-29-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/1880-32-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\beard.exe = "C:\\Users\\Admin\\AppData\\Roaming\\beard.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\beard.exe" JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBDD63AA-FDCB-BCF4-5BEE-DFF4C9A39E24} JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBDD63AA-FDCB-BCF4-5BEE-DFF4C9A39E24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\beard.exe" JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{EBDD63AA-FDCB-BCF4-5BEE-DFF4C9A39E24} JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Active Setup\Installed Components\{EBDD63AA-FDCB-BCF4-5BEE-DFF4C9A39E24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\beard.exe" JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\beard.exe" JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\beard.exe" JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2096 set thread context of 1880 2096 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 31 -
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 3016 reg.exe 2636 reg.exe 1088 reg.exe 2864 reg.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: 1 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeCreateTokenPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeAssignPrimaryTokenPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeLockMemoryPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeIncreaseQuotaPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeMachineAccountPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeTcbPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeSecurityPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeTakeOwnershipPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeLoadDriverPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeSystemProfilePrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeSystemtimePrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeProfSingleProcessPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeIncBasePriorityPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeCreatePagefilePrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeCreatePermanentPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeBackupPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeRestorePrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeShutdownPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeDebugPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeAuditPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeSystemEnvironmentPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeChangeNotifyPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeRemoteShutdownPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeUndockPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeSyncAgentPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeEnableDelegationPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeManageVolumePrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeImpersonatePrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeCreateGlobalPrivilege 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: 31 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: 32 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: 33 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: 34 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: 35 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target PID 2096 wrote to memory of 1880 2096 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 31 PID 2096 wrote to memory of 1880 2096 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 31 PID 2096 wrote to memory of 1880 2096 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 31 PID 2096 wrote to memory of 1880 2096 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 31 PID 2096 wrote to memory of 1880 2096 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 31 PID 2096 wrote to memory of 1880 2096 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 31 PID 2096 wrote to memory of 1880 2096 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 31 PID 2096 wrote to memory of 1880 2096 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 31 PID 1880 wrote to memory of 2804 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 32 PID 1880 wrote to memory of 2804 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 32 PID 1880 wrote to memory of 2804 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 32 PID 1880 wrote to memory of 2804 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 32 PID 1880 wrote to memory of 2744 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 33 PID 1880 wrote to memory of 2744 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 33 PID 1880 wrote to memory of 2744 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 33 PID 1880 wrote to memory of 2744 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 33 PID 1880 wrote to memory of 2704 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 34 PID 1880 wrote to memory of 2704 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 34 PID 1880 wrote to memory of 2704 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 34 PID 1880 wrote to memory of 2704 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 34 PID 1880 wrote to memory of 2556 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 37 PID 1880 wrote to memory of 2556 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 37 PID 1880 wrote to memory of 2556 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 37 PID 1880 wrote to memory of 2556 1880 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 37 PID 2804 wrote to memory of 2864 2804 cmd.exe 40 PID 2804 wrote to memory of 2864 2804 cmd.exe 40 PID 2804 wrote to memory of 2864 2804 cmd.exe 40 PID 2804 wrote to memory of 2864 2804 cmd.exe 40 PID 2744 wrote to memory of 3016 2744 cmd.exe 41 PID 2744 wrote to memory of 3016 2744 cmd.exe 41 PID 2744 wrote to memory of 3016 2744 cmd.exe 41 PID 2744 wrote to memory of 3016 2744 cmd.exe 41 PID 2704 wrote to memory of 2636 2704 cmd.exe 42 PID 2704 wrote to memory of 2636 2704 cmd.exe 42 PID 2704 wrote to memory of 2636 2704 cmd.exe 42 PID 2704 wrote to memory of 2636 2704 cmd.exe 42 PID 2556 wrote to memory of 1088 2556 cmd.exe 43 PID 2556 wrote to memory of 1088 2556 cmd.exe 43 PID 2556 wrote to memory of 1088 2556 cmd.exe 43 PID 2556 wrote to memory of 1088 2556 cmd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe"2⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2864
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3016
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2636
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\beard.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\beard.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\beard.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\beard.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1088
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1