Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24/01/2025, 01:47
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe
-
Size
528KB
-
MD5
1cdb41240b577a457c4cf6932644452e
-
SHA1
fa7c0fe4935adde026603d69e430abb96bc7c9e0
-
SHA256
b7d8239141e1929891087203ef0c8d2381b3ffd8334066510e2435587ec12aac
-
SHA512
8600ca9db34d7dbef14f2541f2f1904230e986764cc60311e862498382d786f6b2c99e487a1d3d0795ffd6c746158666de071c8281a934ca7cc74cbd96a59061
-
SSDEEP
12288:O1T9O/qYv8/iWlq0bZBZsI+oG1KsFXyeIeoUN:Ak0bNs9FtyeI+N
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 10 IoCs
resource yara_rule behavioral2/memory/2836-0-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/2836-2-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/2836-8-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/2836-9-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/2836-11-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/2836-12-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/2836-16-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/2836-21-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/2836-24-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/2836-25-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\beard.exe = "C:\\Users\\Admin\\AppData\\Roaming\\beard.exe:*:Enabled:Windows Messanger" reg.exe -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\beard.exe" JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBDD63AA-FDCB-BCF4-5BEE-DFF4C9A39E24} JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBDD63AA-FDCB-BCF4-5BEE-DFF4C9A39E24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\beard.exe" JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{EBDD63AA-FDCB-BCF4-5BEE-DFF4C9A39E24} JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{EBDD63AA-FDCB-BCF4-5BEE-DFF4C9A39E24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\beard.exe" JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\beard.exe" JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\beard.exe" JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2472 set thread context of 2836 2472 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 4804 reg.exe 2008 reg.exe 4476 reg.exe 3948 reg.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: 1 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeCreateTokenPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeAssignPrimaryTokenPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeLockMemoryPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeIncreaseQuotaPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeMachineAccountPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeTcbPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeSecurityPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeTakeOwnershipPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeLoadDriverPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeSystemProfilePrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeSystemtimePrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeProfSingleProcessPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeIncBasePriorityPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeCreatePagefilePrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeCreatePermanentPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeBackupPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeRestorePrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeShutdownPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeDebugPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeAuditPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeSystemEnvironmentPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeChangeNotifyPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeRemoteShutdownPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeUndockPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeSyncAgentPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeEnableDelegationPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeManageVolumePrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeImpersonatePrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: SeCreateGlobalPrivilege 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: 31 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: 32 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: 33 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: 34 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe Token: 35 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 2472 wrote to memory of 2836 2472 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 82 PID 2472 wrote to memory of 2836 2472 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 82 PID 2472 wrote to memory of 2836 2472 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 82 PID 2472 wrote to memory of 2836 2472 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 82 PID 2472 wrote to memory of 2836 2472 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 82 PID 2472 wrote to memory of 2836 2472 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 82 PID 2472 wrote to memory of 2836 2472 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 82 PID 2472 wrote to memory of 2836 2472 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 82 PID 2836 wrote to memory of 3224 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 83 PID 2836 wrote to memory of 3224 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 83 PID 2836 wrote to memory of 3224 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 83 PID 2836 wrote to memory of 1572 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 84 PID 2836 wrote to memory of 1572 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 84 PID 2836 wrote to memory of 1572 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 84 PID 2836 wrote to memory of 3836 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 85 PID 2836 wrote to memory of 3836 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 85 PID 2836 wrote to memory of 3836 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 85 PID 2836 wrote to memory of 4408 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 86 PID 2836 wrote to memory of 4408 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 86 PID 2836 wrote to memory of 4408 2836 JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe 86 PID 3224 wrote to memory of 4804 3224 cmd.exe 91 PID 3224 wrote to memory of 4804 3224 cmd.exe 91 PID 3224 wrote to memory of 4804 3224 cmd.exe 91 PID 3836 wrote to memory of 2008 3836 cmd.exe 92 PID 3836 wrote to memory of 2008 3836 cmd.exe 92 PID 3836 wrote to memory of 2008 3836 cmd.exe 92 PID 4408 wrote to memory of 4476 4408 cmd.exe 93 PID 4408 wrote to memory of 4476 4408 cmd.exe 93 PID 4408 wrote to memory of 4476 4408 cmd.exe 93 PID 1572 wrote to memory of 3948 1572 cmd.exe 94 PID 1572 wrote to memory of 3948 1572 cmd.exe 94 PID 1572 wrote to memory of 3948 1572 cmd.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe"2⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4804
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1cdb41240b577a457c4cf6932644452e.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3948
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2008
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\beard.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\beard.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\beard.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\beard.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4476
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1