Analysis
max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/01/2025, 01:04
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe
  Resource: win10v2004-20241007-en
Every signature hit and the process tree on this page come from behavioral2 (win10v2004-20241007-en); no behavioral1 (win7-20241010-en) results are included.
General
Target: JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe
Size: 296KB
MD5: 1c98b8d149e3dfaa8657b8d5a103ad40
SHA1: 595075199403dc9a4b33415c74dd231cc59f4ef9
SHA256: 09b0f876f56db4bf8cce72a99089fb34f4c73d91cef525fc9c08a09a044d64fc
SHA512: f4ac01eca34c0bf8c91489a7d9d6c9f4e0290987921354881fd5d564aa6b09f59b73da66450e3667d3e28c8826627d70f9294126420553bad7ee02a3b906d6bb
SSDEEP: 6144:/9y/Bz9VeIwsG03aY+sKkARzzxNH9Tw3XeL73o:/MBz9VmdYXNIzj9c4
Malware Config
Signatures
Blackshades
Blackshades is a Windows remote access trojan (RAT).
Blackshades family
Blackshades payload  18 IoCs
  resource | yara_rule
  All 18 hits are memory dumps of PID 5004 (behavioral2) covering 0x0000000000400000-0x00000000005AC000, taken at snapshots 45, 53, 56, 57, 58, 62, 66, 69, 72, 76, 79, 82, 85, 89, 92, 96, 99 and 102 (behavioral2/memory/5004-<snapshot>-0x0000000000400000-0x00000000005AC000-memory.dmp); every one matches family_blackshades.
Modifies firewall policy service  3 TTPs  10 IoCs
  description | ioc | Process
  - Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  - Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Gun\update32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Gun\\update32.exe:*:Enabled:Windows Messanger" | reg.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  - Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\local.exe = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe:*:Enabled:Windows Messanger" | reg.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  - Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  The display name "Windows Messanger" is the malware's own string (misspelling included). Two binaries are whitelisted: the dropped update32.exe, and C:\Users\Admin\AppData\Roaming\local.exe, which does not appear in the process list or among the files on this page.
Checks computer location settings  2 TTPs  1 IoCs
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  - Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe
Executes dropped EXE  2 IoCs
  pid | Process
  - 3352 | update32.exe
  - 5004 | update32.exe
Adds Run key to start application  2 TTPs  1 IoCs
  description | ioc | Process
  - Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox = "C:\\Users\\Admin\\AppData\\Roaming\\Gun\\update32.exe" | reg.exe
Suspicious use of SetThreadContext  1 IoCs
  description | pid | Process | procid_target
  - PID 3352 set thread context of 5004 | 3352 | update32.exe | 88
Memory dumps matching yara rule upx  20 IoCs
  resource | yara_rule
  All 20 hits are memory dumps of PID 5004 (behavioral2) covering 0x0000000000400000-0x00000000005AC000, taken at snapshots 40, 43, 45, 53, 56, 57, 58, 62, 66, 69, 72, 76, 79, 82, 85, 89, 92, 96, 99 and 102 (behavioral2/memory/5004-<snapshot>-0x0000000000400000-0x00000000005AC000-memory.dmp); every one matches upx. Snapshots 40 and 43 match upx only; from snapshot 45 on the same region also matches family_blackshades.
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery  1 TTPs  13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe (1 row), update32.exe (2 rows), cmd.exe (5 rows), reg.exe (5 rows)
Modifies registry key  1 TTPs  4 IoCs
  pid | Process
  - 3564 | reg.exe
  - 2664 | reg.exe
  - 972 | reg.exe
  - 4336 | reg.exe
Suspicious use of AdjustPrivilegeToken  36 IoCs
  description | pid | Process
  All 36 rows are for PID 5004 (update32.exe). Token privileges, in the order reported: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege (numeric entries are privilege values the report leaves unnamed).
Suspicious use of SetWindowsHookEx  5 IoCs
  pid | Process
  - 4284 | JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe
  - 3352 | update32.exe
  - 5004 | update32.exe (3 rows)
Suspicious use of WriteProcessMemory  41 IoCs
  description (PID <source> wrote to memory of <target>) | pid | Process | procid_target | rows
  - 4284 wrote to memory of 2424 | 4284 | JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe | 83 | 3
  - 2424 wrote to memory of 3748 | 2424 | cmd.exe | 86 | 3
  - 4284 wrote to memory of 3352 | 4284 | JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe | 87 | 3
  - 3352 wrote to memory of 5004 | 3352 | update32.exe | 88 | 8
  - 5004 wrote to memory of 4544 | 5004 | update32.exe | 89 | 3
  - 5004 wrote to memory of 2140 | 5004 | update32.exe | 90 | 3
  - 5004 wrote to memory of 2652 | 5004 | update32.exe | 91 | 3
  - 5004 wrote to memory of 4400 | 5004 | update32.exe | 92 | 3
  - 2652 wrote to memory of 2664 | 2652 | cmd.exe | 97 | 3
  - 2140 wrote to memory of 4336 | 2140 | cmd.exe | 98 | 3
  - 4544 wrote to memory of 972 | 4544 | cmd.exe | 99 | 3
  - 4400 wrote to memory of 3564 | 4400 | cmd.exe | 100 | 3
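The WriteProcessMemory and SetThreadContext rows above all concern one pair of processes: update32.exe (PID 3352) starts a second copy of its own image (PID 5004), writes to it eight times where every other parent/child pair in the report shows three writes, and sets its thread context; the memory dumps that match family_blackshades are all taken from PID 5004's region starting at 0x400000, and the two earliest snapshots (40 and 43) match only the upx rule. That is the pattern of a packed loader unpacking a payload into a suspended copy of itself (process hollowing / RunPE); this is an inference from the rows, not a verdict the report states. The script below is an added example, not part of the report or of any sandbox product: it parses rows in the report's own format, flags same-image parent/child pairs that have a SetThreadContext and an above-median write count, and decodes a dump name into the in-memory region size to compare with the 296KB on-disk size (taken as 296 * 1024 bytes, since the exact byte size is not on the page). The row excerpt reproduces the report's repeated rows with string multiplication; the PID-to-image map is copied from the process tree; the median baseline and all function names are this example's own.

```python
"""Added example (not part of the report): reconstruct write / thread-context
relationships from the report's IoC rows and flag the self-hollowing pattern."""
import re
import statistics
from collections import Counter

# PID -> image name, copied from the process tree in the report.
PID_IMAGE = {
    4284: "JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe",
    2424: "cmd.exe", 3748: "reg.exe",
    3352: "update32.exe", 5004: "update32.exe",
    4544: "cmd.exe", 972: "reg.exe", 2140: "cmd.exe", 4336: "reg.exe",
    2652: "cmd.exe", 2664: "reg.exe", 4400: "cmd.exe", 3564: "reg.exe",
}

# Excerpt of the report's flattened rows: "PID <src> <action> <dst> <src> <image> <target id>".
# The report prints one row per call; the repetition is reproduced here with "* n".
IOC_ROWS = (
    "PID 4284 wrote to memory of 3352 4284 JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe 87 " * 3
    + "PID 3352 wrote to memory of 5004 3352 update32.exe 88 " * 8
    + "PID 5004 wrote to memory of 4544 5004 update32.exe 89 " * 3
    + "PID 4544 wrote to memory of 972 4544 cmd.exe 99 " * 3
    + "PID 3352 set thread context of 5004 3352 update32.exe 88"
)

ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (\S+) (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_rows(text):
    """Return (source_pid, action, target_pid) tuples from report-style rows."""
    return [(int(s), act, int(d)) for s, act, d, _img, _tid in ROW_RE.findall(text)]


def write_counts(events):
    """Number of WriteProcessMemory rows per (source, target) pair."""
    return Counter((s, d) for s, act, d in events if act == "wrote to memory of")


def hollowing_candidates(events, pid_image):
    """Same-image parent/child pairs with a SetThreadContext row and more writes
    than the median pair: a loader writing an image into a suspended copy of itself."""
    counts = write_counts(events)
    ctx_pairs = {(s, d) for s, act, d in events if act == "set thread context of"}
    baseline = statistics.median(counts.values()) if counts else 0
    found = []
    for (s, d), n in counts.items():
        if pid_image.get(s) == pid_image.get(d) and (s, d) in ctx_pairs and n > baseline:
            found.append({"parent": s, "child": d, "image": pid_image[d],
                          "writes": n, "baseline": baseline})
    return found


def region_from_dump(name):
    """Decode '<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp' into a region record."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, snap, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "snapshot": snap, "start": start, "end": end, "size": end - start}


def unpack_ratio(region_size, disk_size):
    """In-memory image size relative to the on-disk file; a packed sample's
    unpacked region is usually several times larger than the file it came from."""
    return region_size / disk_size


if __name__ == "__main__":
    events = parse_rows(IOC_ROWS)
    for c in hollowing_candidates(events, PID_IMAGE):
        print(f"hollowing candidate: {c['image']} {c['parent']} -> {c['child']} "
              f"({c['writes']} writes, median {c['baseline']})")
    r = region_from_dump("behavioral2/memory/5004-45-0x0000000000400000-0x00000000005AC000-memory.dmp")
    print(f"PID {r['pid']} region 0x{r['start']:X}-0x{r['end']:X}: {r['size']} bytes, "
          f"{unpack_ratio(r['size'], 296 * 1024):.1f}x the 296KB file")
```

The region decoded from the dump name starts at 0x400000, the default image base of a 32-bit PE, and spans 0x1AC000 bytes, roughly 5.8 times the on-disk size; with the upx rule firing first and family_blackshades afterwards in the same region, the dumps from snapshot 45 onward are the place to carve the unpacked payload.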
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe  [PID 4284]
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c98b8d149e3dfaa8657b8d5a103ad40.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  [PID 2424, parent 4284]
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240622515.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe  [PID 3748, parent 2424]
      command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "firefox" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Gun\update32.exe" /f
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Roaming\Gun\update32.exe  [PID 3352, parent 4284]
    command line: "C:\Users\Admin\AppData\Roaming\Gun\update32.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Gun\update32.exe  [PID 5004, parent 3352]
      command line: "C:\Users\Admin\AppData\Roaming\Gun\update32.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  [PID 4544, parent 5004]
        command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe  [PID 972, parent 4544]
          command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key

      C:\Windows\SysWOW64\cmd.exe  [PID 2140, parent 5004]
        command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Gun\update32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Gun\update32.exe:*:Enabled:Windows Messanger" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe  [PID 4336, parent 2140]
          command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Gun\update32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Gun\update32.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key

      C:\Windows\SysWOW64\cmd.exe  [PID 2652, parent 5004]
        command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe  [PID 2664, parent 2652]
          command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key

      C:\Windows\SysWOW64\cmd.exe  [PID 4400, parent 5004]
        command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe  [PID 3564, parent 4400]
          command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key

Two points worth reading off the tree: the cmd.exe and reg.exe images resolve to C:\Windows\SysWOW64 although the command lines name system32, so the whole chain runs as 32-bit code under WOW64 (the resource tags list both arch:x64 and arch:x86); and the DoNotAllowExceptions = 0 command is issued twice (PIDs 4544/972 and 2652/2664), once before and once after the update32.exe whitelist entry, which is why the firewall signature lists it twice.
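The reg.exe command lines in the tree are enough to build a detection. The script below is an added example, not part of the report or of any sandbox product: it parses REG ADD command lines as they appear in process-creation telemetry (with or without a cmd /c wrapper or a full reg.exe path) and flags the three behaviours documented above: re-enabling firewall exceptions (DoNotAllowExceptions = 0), adding an AuthorizedApplications\List entry for a binary in a user-writable directory under a display name that impersonates a Windows component, and a Run-key entry pointing into a user-writable directory whose value name does not match the executable. Its inputs are the four reg.exe command lines from the report plus one constructed benign control line; the rule names, severities and path heuristics are this example's own.

```python
"""Added example (not part of the report): flag firewall-policy tampering and
Run-key persistence in REG ADD command lines from process-creation telemetry."""
import re
from dataclasses import dataclass

# The four reg.exe command lines from the process tree above, plus one constructed
# benign control line (a vendor updater registered from Program Files).
SAMPLE_CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "firefox" /t REG_SZ '
    r'/d "C:\Users\Admin\AppData\Roaming\Gun\update32.exe" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile '
    r'/v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List '
    r'/v "C:\Users\Admin\AppData\Roaming\Gun\update32.exe" /t REG_SZ '
    r'/d "C:\Users\Admin\AppData\Roaming\Gun\update32.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List '
    r'/v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ '
    r'/d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Updater" /t REG_SZ '
    r'/d "C:\Program Files\Vendor\updater.exe" /f',
]


@dataclass
class RegAdd:
    key: str
    value: str
    vtype: str
    data: str


@dataclass
class Finding:
    severity: str  # "info", "medium" or "high"
    detail: str


HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}
# "[cmd /c] [path\]reg[.exe] ADD <key> <options>"; the key may be quoted.
HEAD_RE = re.compile(r'^(?:cmd(?:\.exe)?\s+/c\s+)?(?:\S*\\)?reg(?:\.exe)?\s+add\s+(?:"([^"]*)"|(\S+))(.*)$', re.I)
OPT_RE = re.compile(r'/(v|t|d)\s+(?:"([^"]*)"|(\S+))', re.I)

FIREWALL_POLICY = "\\services\\sharedaccess\\parameters\\firewallpolicy\\"
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
SYSTEM_DIRS = ("\\windows\\", "\\program files\\", "\\program files (x86)\\")


def normalize_key(key):
    """Expand the hive abbreviation so HKLM\... and HKEY_LOCAL_MACHINE\... compare equal."""
    hive, sep, rest = key.partition("\\")
    return HIVES.get(hive.upper(), hive.upper()) + sep + rest


def parse_reg_add(cmdline):
    """Parse a REG ADD command line; returns None for anything else."""
    m = HEAD_RE.match(cmdline.strip())
    if not m:
        return None
    opts = {o.lower(): (q if q else u) for o, q, u in OPT_RE.findall(m.group(3))}
    return RegAdd(normalize_key(m.group(1) or m.group(2)),
                  opts.get("v", ""), opts.get("t", "REG_SZ"), opts.get("d", ""))


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def assess(entry):
    """Apply the firewall-policy and Run-key rules to one parsed REG ADD."""
    findings, key = [], entry.key.lower()
    if FIREWALL_POLICY in key:
        if entry.value.lower() == "donotallowexceptions" and entry.data == "0":
            findings.append(Finding("high", f"{entry.key}: DoNotAllowExceptions set to 0 (firewall exceptions re-enabled)"))
        elif key.endswith("\\authorizedapplications\\list"):
            # Value data is "<path>:*:<Enabled|Disabled>:<display name>".
            exe, _, rest = entry.data.partition(":*:")
            state, _, name = rest.partition(":")
            findings.append(Finding("high", f"firewall exception {state or '?'} for {exe} (shown as '{name}')"))
            if in_user_writable(exe):
                findings.append(Finding("high", f"exception path is user-writable: {exe}"))
            if re.search(r"\b(windows|microsoft)\b", name, re.I) and not any(d in exe.lower() for d in SYSTEM_DIRS):
                findings.append(Finding("medium", f"display name '{name}' impersonates a Windows component for {exe}"))
    elif key.endswith(RUN_KEYS):
        exe = entry.data.strip('"')
        findings.append(Finding("info", f"Run key {entry.key}\\{entry.value} -> {exe}"))
        if in_user_writable(exe):
            findings.append(Finding("high", f"autostart from user-writable path: {exe}"))
        base = exe.rsplit("\\", 1)[-1].lower().removesuffix(".exe")
        if entry.value and entry.value.lower() != base:
            findings.append(Finding("medium", f"value name '{entry.value}' does not match executable '{base}'"))
    return findings


def analyse(cmdlines):
    """(command line, findings) for every REG ADD in the input; other lines are skipped."""
    out = []
    for line in cmdlines:
        entry = parse_reg_add(line)
        if entry:
            out.append((line, assess(entry)))
    return out


if __name__ == "__main__":
    for line, findings in analyse(SAMPLE_CMDLINES):
        print(line[:72] + ("..." if len(line) > 72 else ""))
        for f in findings:
            print(f"  [{f.severity}] {f.detail}")
```

The rules key on the value data, not on reg.exe itself: the same registry writes made through the Win32 API or PowerShell would produce no command line, so the registry-set telemetry (Sysmon Event ID 13 on the FirewallPolicy and Run paths) is the durable source; the command-line rule is the cheap first pass that works on the process-creation events most environments already collect.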
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (3)
Downloads
- Filesize: 139B
  MD5: 8ee521ce2531a21132b404d26fa1602f
  SHA1: 94db0cd88bf1c7629d0b340842519357dcf2b8ef
  SHA256: 274eb93116d0a8fc3b2e11f841529ff27fb5d336d4da306c84142415a34a0c9e
  SHA512: 42572cac6bc79900a45dfcec5b544e6a7bb38132c4e758214b3b1ed752c02ecc4e090f534fbac670d4967f0b3f4f00d49fe99129b781365f67321949d7d56759
- Filesize: 296KB (hashes identical to the submitted sample)
  MD5: 1c98b8d149e3dfaa8657b8d5a103ad40
  SHA1: 595075199403dc9a4b33415c74dd231cc59f4ef9
  SHA256: 09b0f876f56db4bf8cce72a99089fb34f4c73d91cef525fc9c08a09a044d64fc
  SHA512: f4ac01eca34c0bf8c91489a7d9d6c9f4e0290987921354881fd5d564aa6b09f59b73da66450e3667d3e28c8826627d70f9294126420553bad7ee02a3b906d6bb