Analysis
max time kernel: 148s
max time network: 138s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24/01/2025, 08:07
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe
Size: 3.0MB
MD5: 1f83d3cbaf7ba5c634130238d7b37074
SHA1: 3618538b530ab13f9bcb79ea383137f60551d17a
SHA256: 53db0b869efcf18e9774145826e3e3de4030289f4a36a922cf2c9e842d12ec19
SHA512: f7a1b5ada943da2d523521c1dca5ffa04d35781a9d27472559fe11404d2ad09342a5156a9ce7aebf220aa38fb5cc11d7c2a9912c6448fad7c6a057c3c2a6f51e
SSDEEP: 24576:CkJnxo1Ihes0zn2PfDJZU4Nx+GNujlL+:CrKIs0OTU4n+0ujlL+
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 14 IoCs
resource | yara_rule
behavioral1/memory/1848-10-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/1848-14-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/1848-37-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/1848-38-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/1848-40-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/1848-41-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/1848-42-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/1848-44-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/1848-45-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/1848-46-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/1848-50-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/1848-52-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/1848-53-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/1848-54-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
-
Modifies firewall policy service 3 TTPs 8 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\JP45NMURB5.exe = "C:\\Users\\Admin\\AppData\\Roaming\\JP45NMURB5.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\vbc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vbc.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
-
Executes dropped EXE 2 IoCs
pid | Process
1848 | vbc.exe
2932 | Update.exe
-
Loads dropped DLL 7 IoCs
pid | Process
2340 | JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe
1848 | vbc.exe
1848 | vbc.exe
2340 | JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe
2932 | Update.exe
2932 | Update.exe
2932 | Update.exe
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MsMpEng.exe" | JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid Process | procid_target
PID 2340 set thread context of 1848 | 2340 JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe | 30
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Update.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
-
Modifies registry key 1 TTPs 4 IoCs
pid | Process
2852 | reg.exe
2836 | reg.exe
2704 | reg.exe
1540 | reg.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2932 | Update.exe
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
description | pid Process
Token: SeDebugPrivilege | 2340 JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe
Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 (35 entries) | 1848 vbc.exe
Token: SeDebugPrivilege | 2932 Update.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
1848 | vbc.exe
1848 | vbc.exe
1848 | vbc.exe
1848 | vbc.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid Process | procid_target
PID 2340 wrote to memory of 1848 | 2340 JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe | 30 (11 entries)
PID 1848 wrote to memory of 2164 | 1848 vbc.exe | 31 (7 entries)
PID 1848 wrote to memory of 2680 | 1848 vbc.exe | 32 (7 entries)
PID 1848 wrote to memory of 1840 | 1848 vbc.exe | 33 (7 entries)
PID 1848 wrote to memory of 2148 | 1848 vbc.exe | 35 (7 entries)
PID 2340 wrote to memory of 2932 | 2340 JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe | 39 (7 entries)
PID 2680 wrote to memory of 1540 | 2680 cmd.exe | 40 (7 entries)
PID 1840 wrote to memory of 2852 | 1840 cmd.exe | 42 (7 entries)
PID 2148 wrote to memory of 2704 | 2148 cmd.exe | 41 (4 entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2340
  [2] C:\Users\Admin\AppData\Local\Temp\vbc.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1848
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery
        PID: 2164
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID: 2836
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\vbc.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\vbc.exe:*:Enabled:Windows Messanger" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2680
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\vbc.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\vbc.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID: 1540
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1840
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID: 2852
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JP45NMURB5.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JP45NMURB5.exe:*:Enabled:Windows Messanger" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2148
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JP45NMURB5.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JP45NMURB5.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID: 2704
  [2] C:\Users\Admin\AppData\Local\Temp\Update.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Update.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2932
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (3)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads
Filesize: 582KB
MD5: e37893792937611395c0da3b235e92bc
SHA1: 29f62e95966e307a2b92d762b6e33c8f228b192d
SHA256: ab74d073dcb604357919b1a8eb432d47e54265ef6207231e5228f01203c9e57b
SHA512: 8675266c83777c9d85bbbe7e12a032a6bacfacb46f84492006fbf7017e0dc55c0c82045f33b190e06bf3805f73aa21d2fc6ad586a7ea0b7fec0698a5ccda6069

Filesize: 31KB
MD5: ed797d8dc2c92401985d162e42ffa450
SHA1: 0f02fc517c7facc4baefde4fe9467fb6488ebabe
SHA256: b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
SHA512: e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2