Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24/01/2025, 08:07
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe
-
Size
3.0MB
-
MD5
1f83d3cbaf7ba5c634130238d7b37074
-
SHA1
3618538b530ab13f9bcb79ea383137f60551d17a
-
SHA256
53db0b869efcf18e9774145826e3e3de4030289f4a36a922cf2c9e842d12ec19
-
SHA512
f7a1b5ada943da2d523521c1dca5ffa04d35781a9d27472559fe11404d2ad09342a5156a9ce7aebf220aa38fb5cc11d7c2a9912c6448fad7c6a057c3c2a6f51e
-
SSDEEP
24576:CkJnxo1Ihes0zn2PfDJZU4Nx+GNujlL+:CrKIs0OTU4n+0ujlL+
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 11 IoCs
resource yara_rule behavioral2/memory/960-6-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/960-11-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/960-28-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/960-30-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/960-33-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/960-34-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/960-36-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/960-37-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/960-38-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/960-41-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/960-42-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\JP45NMURB5.exe = "C:\\Users\\Admin\\AppData\\Roaming\\JP45NMURB5.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\vbc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vbc.exe:*:Enabled:Windows Messanger" reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe -
Executes dropped EXE 2 IoCs
pid Process 960 vbc.exe 1260 Update.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MsMpEng.exe" JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1764 set thread context of 960 1764 JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe 83 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Update.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 3788 reg.exe 4156 reg.exe 1528 reg.exe 5116 reg.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1260 Update.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 1764 JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe Token: 1 960 vbc.exe Token: SeCreateTokenPrivilege 960 vbc.exe Token: SeAssignPrimaryTokenPrivilege 960 vbc.exe Token: SeLockMemoryPrivilege 960 vbc.exe Token: SeIncreaseQuotaPrivilege 960 vbc.exe Token: SeMachineAccountPrivilege 960 vbc.exe Token: SeTcbPrivilege 960 vbc.exe Token: SeSecurityPrivilege 960 vbc.exe Token: SeTakeOwnershipPrivilege 960 vbc.exe Token: SeLoadDriverPrivilege 960 vbc.exe Token: SeSystemProfilePrivilege 960 vbc.exe Token: SeSystemtimePrivilege 960 vbc.exe Token: SeProfSingleProcessPrivilege 960 vbc.exe Token: SeIncBasePriorityPrivilege 960 vbc.exe Token: SeCreatePagefilePrivilege 960 vbc.exe Token: SeCreatePermanentPrivilege 960 vbc.exe Token: SeBackupPrivilege 960 vbc.exe Token: SeRestorePrivilege 960 vbc.exe Token: SeShutdownPrivilege 960 vbc.exe Token: SeDebugPrivilege 960 vbc.exe Token: SeAuditPrivilege 960 vbc.exe Token: SeSystemEnvironmentPrivilege 960 vbc.exe Token: SeChangeNotifyPrivilege 960 vbc.exe Token: SeRemoteShutdownPrivilege 960 vbc.exe Token: SeUndockPrivilege 960 vbc.exe Token: SeSyncAgentPrivilege 960 vbc.exe Token: SeEnableDelegationPrivilege 960 vbc.exe Token: SeManageVolumePrivilege 960 vbc.exe Token: SeImpersonatePrivilege 960 vbc.exe Token: SeCreateGlobalPrivilege 960 vbc.exe Token: 31 960 vbc.exe Token: 32 960 vbc.exe Token: 33 960 vbc.exe Token: 34 960 vbc.exe Token: 35 960 vbc.exe Token: SeDebugPrivilege 1260 Update.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 960 vbc.exe 960 vbc.exe 960 vbc.exe 960 vbc.exe -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 1764 wrote to memory of 960 1764 JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe 83 PID 1764 wrote to memory of 960 1764 JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe 83 PID 1764 wrote to memory of 960 1764 JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe 83 PID 1764 wrote to memory of 960 1764 JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe 83 PID 1764 wrote to memory of 960 1764 JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe 83 PID 1764 wrote to memory of 960 1764 JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe 83 PID 1764 wrote to memory of 960 1764 JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe 83 PID 1764 wrote to memory of 960 1764 JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe 83 PID 960 wrote to memory of 4892 960 vbc.exe 84 PID 960 wrote to memory of 4892 960 vbc.exe 84 PID 960 wrote to memory of 4892 960 vbc.exe 84 PID 960 wrote to memory of 3480 960 vbc.exe 85 PID 960 wrote to memory of 3480 960 vbc.exe 85 PID 960 wrote to memory of 3480 960 vbc.exe 85 PID 960 wrote to memory of 2996 960 vbc.exe 86 PID 960 wrote to memory of 2996 960 vbc.exe 86 PID 960 wrote to memory of 2996 960 vbc.exe 86 PID 960 wrote to memory of 2792 960 vbc.exe 87 PID 960 wrote to memory of 2792 960 vbc.exe 87 PID 960 wrote to memory of 2792 960 vbc.exe 87 PID 1764 wrote to memory of 1260 1764 JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe 92 PID 1764 wrote to memory of 1260 1764 JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe 92 PID 1764 wrote to memory of 1260 1764 JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe 92 PID 4892 wrote to memory of 1528 4892 cmd.exe 93 PID 4892 wrote to memory of 1528 4892 cmd.exe 93 PID 4892 wrote to memory of 1528 4892 cmd.exe 93 PID 2792 wrote to memory of 5116 2792 cmd.exe 94 PID 2792 wrote to memory of 5116 2792 cmd.exe 94 PID 2792 wrote to memory of 5116 2792 cmd.exe 94 PID 3480 wrote to memory of 3788 3480 cmd.exe 95 PID 3480 wrote to memory of 3788 3480 cmd.exe 95 PID 3480 wrote to memory of 3788 3480 cmd.exe 95 PID 2996 wrote to memory of 4156 2996 cmd.exe 96 PID 2996 wrote to memory of 4156 2996 cmd.exe 96 PID 2996 wrote to memory of 4156 2996 cmd.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f83d3cbaf7ba5c634130238d7b37074.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Users\Admin\AppData\Local\Temp\vbc.exeC:\Users\Admin\AppData\Local\Temp\vbc.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1528
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\vbc.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\vbc.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\vbc.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\vbc.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3788
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4156
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JP45NMURB5.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JP45NMURB5.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JP45NMURB5.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JP45NMURB5.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5116
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Update.exe"C:\Users\Admin\AppData\Local\Temp\Update.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
582KB
MD5e37893792937611395c0da3b235e92bc
SHA129f62e95966e307a2b92d762b6e33c8f228b192d
SHA256ab74d073dcb604357919b1a8eb432d47e54265ef6207231e5228f01203c9e57b
SHA5128675266c83777c9d85bbbe7e12a032a6bacfacb46f84492006fbf7017e0dc55c0c82045f33b190e06bf3805f73aa21d2fc6ad586a7ea0b7fec0698a5ccda6069
-
Filesize
34KB
MD5e118330b4629b12368d91b9df6488be0
SHA1ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA2563a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0