blackshades | c3cc7c9240fe7b6fe83285f62300aca475ad11646cfa3c09075552fd3a98b4b0 | Triage

Sharing

General

Target

JaffaCakes118_313a462c32e3f07fbcfdb4d9ded55e49
Size

810KB
Sample

250126-bhx7raykan
MD5

313a462c32e3f07fbcfdb4d9ded55e49
SHA1

0ec4ac272486b949da55d40e0dc84fc763302752
SHA256

c3cc7c9240fe7b6fe83285f62300aca475ad11646cfa3c09075552fd3a98b4b0
SHA512

2d017bb8cac27f9b5728c528e135fe97f7da51c2c4901f44f838eeaa8ae3d8d9c0dbf73d9eb5eb38423aa07227f466e79ab58e83fef139d0d359a394a35c17ea
SSDEEP

12288:uug3g9S3ve2bo9Wo1fxrIbHl+l5e5kjO16owBMuCH2:uug3gMpbk1x0lo5eEOrwquCH2

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Targets

- Target
  
  JaffaCakes118_313a462c32e3f07fbcfdb4d9ded55e49
- Size
  
  810KB
- MD5
  
  313a462c32e3f07fbcfdb4d9ded55e49
- SHA1
  
  0ec4ac272486b949da55d40e0dc84fc763302752
- SHA256
  
  c3cc7c9240fe7b6fe83285f62300aca475ad11646cfa3c09075552fd3a98b4b0
- SHA512
  
  2d017bb8cac27f9b5728c528e135fe97f7da51c2c4901f44f838eeaa8ae3d8d9c0dbf73d9eb5eb38423aa07227f466e79ab58e83fef139d0d359a394a35c17ea
- SSDEEP
  
  12288:uug3g9S3ve2bo9Wo1fxrIbHl+l5e5kjO16owBMuCH2:uug3gMpbk1x0lo5eEOrwquCH2
Score

10^/10

blackshades defense_evasion discovery persistence rat
- Blackshades
  Blackshades is a remote access trojan with various capabilities.
  rat blackshades
- Blackshades family
  blackshades
- Blackshades payload
- Modifies firewall policy service
  defense_evasion
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackshadesdefense_evasiondiscoverypersistencerat

behavioral2

blackshadesdefense_evasiondiscoverypersistencerat