Analysis

  • max time kernel
    148s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24/01/2025, 08:07

General

  • Target

    JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe

  • Size

    3.0MB

  • MD5

    1f83d3cbaf7ba5c634130238d7b37074

  • SHA1

    3618538b530ab13f9bcb79ea383137f60551d17a

  • SHA256

    53db0b869efcf18e9774145826e3e3de4030289f4a36a922cf2c9e842d12ec19

  • SHA512

    f7a1b5ada943da2d523521c1dca5ffa04d35781a9d27472559fe11404d2ad09342a5156a9ce7aebf220aa38fb5cc11d7c2a9912c6448fad7c6a057c3c2a6f51e

  • SSDEEP

    24576:CkJnxo1Ihes0zn2PfDJZU4Nx+GNujlL+:CrKIs0OTU4n+0ujlL+

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 14 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Users\Admin\AppData\Local\Temp\vbc.exe
      C:\Users\Admin\AppData\Local\Temp\vbc.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2164
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2836
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\vbc.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\vbc.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\vbc.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\vbc.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1540
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1840
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2852
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JP45NMURB5.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JP45NMURB5.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JP45NMURB5.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JP45NMURB5.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2704
    • C:\Users\Admin\AppData\Local\Temp\Update.exe
      "C:\Users\Admin\AppData\Local\Temp\Update.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\Update.exe

    Filesize

    582KB

    MD5

    e37893792937611395c0da3b235e92bc

    SHA1

    29f62e95966e307a2b92d762b6e33c8f228b192d

    SHA256

    ab74d073dcb604357919b1a8eb432d47e54265ef6207231e5228f01203c9e57b

    SHA512

    8675266c83777c9d85bbbe7e12a032a6bacfacb46f84492006fbf7017e0dc55c0c82045f33b190e06bf3805f73aa21d2fc6ad586a7ea0b7fec0698a5ccda6069

  • \Users\Admin\AppData\Local\Temp\vbc.exe

    Filesize

    31KB

    MD5

    ed797d8dc2c92401985d162e42ffa450

    SHA1

    0f02fc517c7facc4baefde4fe9467fb6488ebabe

    SHA256

    b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

    SHA512

    e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

  • memory/1848-40-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1848-41-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1848-10-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1848-14-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1848-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1848-6-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1848-37-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1848-38-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1848-54-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1848-8-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1848-42-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1848-44-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1848-45-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1848-46-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1848-50-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1848-52-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1848-53-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2340-0-0x0000000073E92000-0x0000000073E94000-memory.dmp

    Filesize

    8KB