Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/01/2025, 08:09

General

  • Target

    JaffaCakes118_1f86da517fb01239ea110c81553dee64.exe

  • Size

    270KB

  • MD5

    1f86da517fb01239ea110c81553dee64

  • SHA1

    951bfcb27d77d0495f9e89bdf980a9fa05477086

  • SHA256

    3eae68342e0fc24f11379bb967b75ceadd97eaa71537b4a9eabe6beeb56d855e

  • SHA512

    27786e8024c803b0628f4677dda6752f2b633566a8213f506619939b97464d07fba765a6637249edb301cfef9aa26ad65b7e4ce910777d914bbb96c8c06c498c

  • SSDEEP

    6144:8FmLAnGaNadtICPMMA9TZOljHbuerPBR0DfA7sSHYUFc7YLC6:8FfFNadtICPMvTYJ7ueV+DfaYUFQs

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 2 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f86da517fb01239ea110c81553dee64.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f86da517fb01239ea110c81553dee64.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5096
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3976
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4528
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2328
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4600
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4512
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4100
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2296
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\blackup1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\blackup1.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4296
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\blackup1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\blackup1.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4024
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VSCover.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VSCover.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4232

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VSCover.exe

    Filesize

    12KB

    MD5

    ca70adf5642d3cb9b44991c2e0acc10f

    SHA1

    fbb0dfaab0568b87ed4dda458bdddd0684435464

    SHA256

    64415eb347beae45c6a74538cf3ea3059ba4275ba160fb055b7f9b50521bc224

    SHA512

    7c4b90e50af34103b6e0fb78c0d71222c7a94318551601aa6b6a4eb328aa5afd54bd55b8db28ee63b539bcc1e0b013b0ffc85fee7543ec1eed7bf37769e204b5

  • memory/3976-7-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/3976-9-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/3976-11-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/3976-10-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/5096-0-0x0000000075492000-0x0000000075493000-memory.dmp

    Filesize

    4KB

  • memory/5096-1-0x0000000075490000-0x0000000075A41000-memory.dmp

    Filesize

    5.7MB

  • memory/5096-2-0x0000000075490000-0x0000000075A41000-memory.dmp

    Filesize

    5.7MB

  • memory/5096-27-0x0000000075492000-0x0000000075493000-memory.dmp

    Filesize

    4KB

  • memory/5096-28-0x0000000075490000-0x0000000075A41000-memory.dmp

    Filesize

    5.7MB

  • memory/5096-29-0x0000000075490000-0x0000000075A41000-memory.dmp

    Filesize

    5.7MB