Analysis

  • max time kernel
    147s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/01/2025, 12:07

General

  • Target

    JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe

  • Size

    613KB

  • MD5

    213f7a4c2bb0b574d12ce0b293ab674b

  • SHA1

    78583186555a9c98e8d539039f7c12ce5a95a094

  • SHA256

    22f94a59580530ae05efe646efe59c028dade517045ef7d45571231d729bc507

  • SHA512

    d8944380839fefb8dd34abeac8c9eaf4a4fdc954ca4ea2685f1d523442a1728d4e5689588b0946ced5a9a8b523ae963cc2dafe0446779c05260497d542ab5e5a

  • SSDEEP

    12288:A7lrdHyHBw8ebLwBVD8Wdq1SZivVVyDYf6L:U9hCcfwrD8WdlZG4v

Malware Config

Signatures

  • Blackshades

    Blackshades is a commodity Windows remote access trojan, sold as Blackshades NET until the May 2014 international law-enforcement takedown, with remote control, keylogging, screen and webcam capture, file transfer and DDoS capabilities.

  • Blackshades family
  • Blackshades payload 10 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key under the Active Setup component list of the local machine (HKLM\Software\Microsoft\Active Setup\Installed Components); the StubPath command of each component is run once per user at logon.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs

    Rewriting another thread's context is the step process hollowing (RunPE) uses to redirect a suspended child process's entry point to an injected image; here service.exe spawns itself twice before the final instance persists.

  • UPX packed file 14 IoCs

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\259435044.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2408
    • C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
          4⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2876
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1168
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:1572
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2600
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:2304
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2596
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:1112
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Microsoft\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Microsoft\svchost.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Microsoft\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Microsoft\svchost.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:2568
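
The registry writes in the tree above, as added example code (not from the Triage report and not Blackshades code): a small classifier that parses each reg.exe ADD command line, maps the target key to the signature names used in the Signatures list, and walks the parent chain back to the root so every write is attributed to the original sample (pid 2100). The event list is constructed from the command lines on this page; the key-path patterns behind each signature name (Run key, policy Run key, Active Setup, firewall policy) are this example's own assumptions about what those signatures match. Writes that service.exe made directly through the registry API (the policy Run key and Active Setup entries attributed to pid 2876) leave no command line and are therefore not visible to it.

```python
"""Map reg.exe writes from a sandbox process tree to the behaviours the
report's signatures name.

Added example, not part of the Triage report or of Blackshades. EVENTS is
constructed from the command lines in the process tree (pids are the
report's; the top-level sample is given parent pid 0). RULES is this
example's own mapping of registry locations to the page's signature names.
"""
import re
from collections import Counter

# Paths and command lines exactly as they appear in the process tree.
FW = r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
SVC = r"C:\Users\Admin\AppData\Roaming\Microsoft\service.exe"
SVCHOST = r"C:\Users\Admin\AppData\Local\Temp\Microsoft\svchost.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
RUN_CMD = rf'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft" /t REG_SZ /d "{SVC}" /f'
EXC_CMD = rf'REG ADD {FW} /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f'


def allow_cmd(path):
    """The AuthorizedApplications\\List write for one whitelisted binary."""
    return rf'REG ADD {FW}\AuthorizedApplications\List /v "{path}" /t REG_SZ /d "{path}:*:Enabled:Windows Messanger" /f'


# (pid, ppid, image, command line) -- constructed from the tree above.
EVENTS = [
    (2100, 0, r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_213f7a4c2bb0b574d12ce0b293ab674b.exe", ""),
    (2104, 2100, CMD, r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\259435044.bat" "'),
    (2408, 2104, REG, RUN_CMD),
    (1960, 2100, SVC, ""),
    (2812, 1960, SVC, ""),
    (2876, 2812, SVC, ""),
    (1168, 2876, CMD, "cmd /c " + EXC_CMD),
    (1572, 1168, REG, EXC_CMD),
    (2600, 2876, CMD, "cmd /c " + allow_cmd(SVC)),
    (2304, 2600, REG, allow_cmd(SVC)),
    (2596, 2876, CMD, "cmd /c " + EXC_CMD),
    (1112, 2596, REG, EXC_CMD),
    (2616, 2876, CMD, "cmd /c " + allow_cmd(SVCHOST)),
    (2568, 2616, REG, allow_cmd(SVCHOST)),
]

# REG ADD <key> [/v name] [/t type] [/d data]; quoted tokens may contain spaces.
REG_ADD = re.compile(
    r'REG\s+ADD\s+(?P<key>"[^"]+"|\S+)'
    r'(?:\s+/v\s+(?P<value>"[^"]*"|\S+))?'
    r'(?:\s+/t\s+(?P<type>\S+))?'
    r'(?:\s+/d\s+(?P<data>"[^"]*"|\S+))?',
    re.IGNORECASE,
)

# Key-path patterns assumed to correspond to the report's signature names.
RULES = (
    ("Adds Run key to start application", r"\\Windows\\CurrentVersion\\Run$"),
    ("Adds policy Run key to start application", r"\\Policies\\Explorer\\Run$"),
    ("Boot or Logon Autostart Execution: Active Setup", r"\\Active Setup\\Installed Components"),
    ("Modifies firewall policy service", r"\\SharedAccess\\Parameters\\FirewallPolicy\\"),
)


def describe(signature, key, value, data):
    """Human-readable detail for one matched write."""
    if signature == "Modifies firewall policy service":
        if value.lower() == "donotallowexceptions":
            # 0 makes the firewall honour its exception list; 1 would block all exceptions.
            return "exceptions " + ("allowed" if data == "0" else "blocked")
        if key.lower().endswith(r"\authorizedapplications\list"):
            return "authorized application " + data
        return f"{value}={data}"
    return f"{value} -> {data}"


def lineage(pid, parent_of):
    """Walk pid -> ppid until a process with no recorded parent."""
    chain = [pid]
    while parent_of.get(chain[-1]):
        chain.append(parent_of[chain[-1]])
    return chain


def classify(events):
    """Return one finding per reg.exe ADD whose key matches a rule."""
    parent_of = {pid: ppid for pid, ppid, _, _ in events}
    findings = []
    for pid, _, image, cmdline in events:
        if image.rsplit("\\", 1)[-1].lower() != "reg.exe":
            continue  # the cmd.exe wrappers repeat the same text; count the writer only
        m = REG_ADD.search(cmdline)
        if not m:
            continue
        key = m["key"].strip('"')
        value = (m["value"] or "").strip('"')
        data = (m["data"] or "").strip('"')
        for signature, pattern in RULES:
            if re.search(pattern, key, re.IGNORECASE):
                findings.append({
                    "signature": signature, "pid": pid,
                    "root_pid": lineage(pid, parent_of)[-1],
                    "key": key, "value": value, "data": data,
                    "detail": describe(signature, key, value, data),
                })
    return findings


def summarize(findings):
    """Signature -> number of matching writes, like the report's 'N IoCs' counts."""
    return Counter(f["signature"] for f in findings)


if __name__ == "__main__":
    for f in classify(EVENTS):
        print(f"pid {f['pid']} (root {f['root_pid']}): {f['signature']}: {f['detail']}")
    print(dict(summarize(classify(EVENTS))))
```

Run against the constructed tree it attributes all five reg.exe writes to pid 2100 and reproduces the report's split of one Run-key write and four firewall-policy writes; the two DoNotAllowExceptions=0 writes keep the exception list active so that the two AuthorizedApplications entries (for the dropped service.exe and the svchost.exe path) take effect.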

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\259435044.bat

    Filesize

    146B

    MD5

    7eee65b102f30fd1ead48a8cd3b99827

    SHA1

    2f74a754019f280c6186c11531d460006814952e

    SHA256

    5748c60056db288b67e61148b339778816279e36907977f4fe03b5df04f6b57f

    SHA512

    a06de9e35ada579a95b2ba399e4c65b074d642788d456e10e0ae967896ac729c552f715261d9dc8c17fffca8d6b9144a6155ff11ab8569a82bdbd9d26109bd85

  • \Users\Admin\AppData\Roaming\Microsoft\service.exe

    Filesize

    613KB

    MD5

    d734320ba2792758b504eee119891eff

    SHA1

    57687899ed5bdc79d693f4f033c978349ab4d79e

    SHA256

    c7502395cde64b76118b787d9a8715dee80be10ae8428e52b2bf4eee4d52d3ce

    SHA512

    196625973ef7d003a68053049840690b8b4fec29cd27f92f2c6d067ab7a6b769f9ba3346de4ea79dae020f3e5985246e00c6ea175d35fefcdd3a19573eba4dd0

  • memory/2812-62-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2812-39-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2876-49-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2876-47-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2876-57-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2876-56-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2876-53-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2876-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2876-45-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2876-59-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2876-69-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2876-71-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2876-73-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2876-74-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2876-75-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2876-78-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2876-85-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2876-86-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB