blackshades | 41b17808c9f50d3ea89279b755e64b8c1c2705b057a0078968efd36db542d631

Analysis

max time kernel
149s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-01-2025 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_34cd0294f8885fca838f747d3231d46b.exe
Size

325KB
MD5

34cd0294f8885fca838f747d3231d46b
SHA1

67c15b8e8e08fe4dda0e5b9f33e5d9ddc73c4a76
SHA256

41b17808c9f50d3ea89279b755e64b8c1c2705b057a0078968efd36db542d631
SHA512

f1622fa742a60d2b02b898b40b06007e2385177a9ab7005e25f70927251cb473178d1e836d28b940bf13c22c6080f5668f7fcf027a687de96549e8974eb0ecf0
SSDEEP

6144:0m2wD1vJjg8VfMjnzHyJVLQ2GqbEiHUrQ5nPzSd6T4hHHAoHVnNb:0m2Mr2S7EeUrUDaHAyVN

Score

10^/10

blackshades defense_evasion discovery persistence rat upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 1 IoCs

resource	yara_rule
behavioral1/memory/18440-674666-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Profile\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Profile\\services.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Profile\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Profile\\services.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
4420	services.exe
97232	services.exe
18440	services.exe

Loads dropped DLL 5 IoCs

pid	Process
2124	JaffaCakes118_34cd0294f8885fca838f747d3231d46b.exe
2124	JaffaCakes118_34cd0294f8885fca838f747d3231d46b.exe
2124	JaffaCakes118_34cd0294f8885fca838f747d3231d46b.exe
2124	JaffaCakes118_34cd0294f8885fca838f747d3231d46b.exe
2124	JaffaCakes118_34cd0294f8885fca838f747d3231d46b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Profile = "C:\\Users\\Admin\\AppData\\Roaming\\Profile\\services.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4420 set thread context of 97232	4420	services.exe	35
PID 4420 set thread context of 18440	4420	services.exe	36

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/18440-674651-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/18440-674666-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_34cd0294f8885fca838f747d3231d46b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
99372	reg.exe
114764	reg.exe
21228	reg.exe
3940	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	97232	services.exe
Token: 1	18440	services.exe
Token: SeCreateTokenPrivilege	18440	services.exe
Token: SeAssignPrimaryTokenPrivilege	18440	services.exe
Token: SeLockMemoryPrivilege	18440	services.exe
Token: SeIncreaseQuotaPrivilege	18440	services.exe
Token: SeMachineAccountPrivilege	18440	services.exe
Token: SeTcbPrivilege	18440	services.exe
Token: SeSecurityPrivilege	18440	services.exe
Token: SeTakeOwnershipPrivilege	18440	services.exe
Token: SeLoadDriverPrivilege	18440	services.exe
Token: SeSystemProfilePrivilege	18440	services.exe
Token: SeSystemtimePrivilege	18440	services.exe
Token: SeProfSingleProcessPrivilege	18440	services.exe
Token: SeIncBasePriorityPrivilege	18440	services.exe
Token: SeCreatePagefilePrivilege	18440	services.exe
Token: SeCreatePermanentPrivilege	18440	services.exe
Token: SeBackupPrivilege	18440	services.exe
Token: SeRestorePrivilege	18440	services.exe
Token: SeShutdownPrivilege	18440	services.exe
Token: SeDebugPrivilege	18440	services.exe
Token: SeAuditPrivilege	18440	services.exe
Token: SeSystemEnvironmentPrivilege	18440	services.exe
Token: SeChangeNotifyPrivilege	18440	services.exe
Token: SeRemoteShutdownPrivilege	18440	services.exe
Token: SeUndockPrivilege	18440	services.exe
Token: SeSyncAgentPrivilege	18440	services.exe
Token: SeEnableDelegationPrivilege	18440	services.exe
Token: SeManageVolumePrivilege	18440	services.exe
Token: SeImpersonatePrivilege	18440	services.exe
Token: SeCreateGlobalPrivilege	18440	services.exe
Token: 31	18440	services.exe
Token: 32	18440	services.exe
Token: 33	18440	services.exe
Token: 34	18440	services.exe
Token: 35	18440	services.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2124	JaffaCakes118_34cd0294f8885fca838f747d3231d46b.exe
4420	services.exe
18440	services.exe
97232	services.exe
18440	services.exe
18440	services.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1272	2124	JaffaCakes118_34cd0294f8885fca838f747d3231d46b.exe	30
PID 2124 wrote to memory of 1272	2124	JaffaCakes118_34cd0294f8885fca838f747d3231d46b.exe	30
PID 2124 wrote to memory of 1272	2124	JaffaCakes118_34cd0294f8885fca838f747d3231d46b.exe	30
PID 2124 wrote to memory of 1272	2124	JaffaCakes118_34cd0294f8885fca838f747d3231d46b.exe	30
PID 1272 wrote to memory of 1332	1272	cmd.exe	32
PID 1272 wrote to memory of 1332	1272	cmd.exe	32
PID 1272 wrote to memory of 1332	1272	cmd.exe	32
PID 1272 wrote to memory of 1332	1272	cmd.exe	32
PID 2124 wrote to memory of 4420	2124	JaffaCakes118_34cd0294f8885fca838f747d3231d46b.exe	33
PID 2124 wrote to memory of 4420	2124	JaffaCakes118_34cd0294f8885fca838f747d3231d46b.exe	33
PID 2124 wrote to memory of 4420	2124	JaffaCakes118_34cd0294f8885fca838f747d3231d46b.exe	33
PID 2124 wrote to memory of 4420	2124	JaffaCakes118_34cd0294f8885fca838f747d3231d46b.exe	33
PID 4420 wrote to memory of 97232	4420	services.exe	35
PID 4420 wrote to memory of 97232	4420	services.exe	35
PID 4420 wrote to memory of 97232	4420	services.exe	35
PID 4420 wrote to memory of 97232	4420	services.exe	35
PID 4420 wrote to memory of 97232	4420	services.exe	35
PID 4420 wrote to memory of 97232	4420	services.exe	35
PID 4420 wrote to memory of 97232	4420	services.exe	35
PID 4420 wrote to memory of 97232	4420	services.exe	35
PID 4420 wrote to memory of 18440	4420	services.exe	36
PID 4420 wrote to memory of 18440	4420	services.exe	36
PID 4420 wrote to memory of 18440	4420	services.exe	36
PID 4420 wrote to memory of 18440	4420	services.exe	36
PID 4420 wrote to memory of 18440	4420	services.exe	36
PID 4420 wrote to memory of 18440	4420	services.exe	36
PID 4420 wrote to memory of 18440	4420	services.exe	36
PID 4420 wrote to memory of 18440	4420	services.exe	36
PID 18440 wrote to memory of 249764	18440	services.exe	37
PID 18440 wrote to memory of 249764	18440	services.exe	37
PID 18440 wrote to memory of 249764	18440	services.exe	37
PID 18440 wrote to memory of 249764	18440	services.exe	37
PID 18440 wrote to memory of 20152	18440	services.exe	38
PID 18440 wrote to memory of 20152	18440	services.exe	38
PID 18440 wrote to memory of 20152	18440	services.exe	38
PID 18440 wrote to memory of 20152	18440	services.exe	38
PID 18440 wrote to memory of 72372	18440	services.exe	40
PID 18440 wrote to memory of 72372	18440	services.exe	40
PID 18440 wrote to memory of 72372	18440	services.exe	40
PID 18440 wrote to memory of 72372	18440	services.exe	40
PID 18440 wrote to memory of 208212	18440	services.exe	41
PID 18440 wrote to memory of 208212	18440	services.exe	41
PID 18440 wrote to memory of 208212	18440	services.exe	41
PID 18440 wrote to memory of 208212	18440	services.exe	41
PID 20152 wrote to memory of 99372	20152	cmd.exe	45
PID 20152 wrote to memory of 99372	20152	cmd.exe	45
PID 20152 wrote to memory of 99372	20152	cmd.exe	45
PID 20152 wrote to memory of 99372	20152	cmd.exe	45
PID 208212 wrote to memory of 114764	208212	cmd.exe	47
PID 208212 wrote to memory of 114764	208212	cmd.exe	47
PID 208212 wrote to memory of 114764	208212	cmd.exe	47
PID 208212 wrote to memory of 114764	208212	cmd.exe	47
PID 72372 wrote to memory of 21228	72372	cmd.exe	46
PID 72372 wrote to memory of 21228	72372	cmd.exe	46
PID 72372 wrote to memory of 21228	72372	cmd.exe	46
PID 72372 wrote to memory of 21228	72372	cmd.exe	46
PID 249764 wrote to memory of 3940	249764	cmd.exe	48
PID 249764 wrote to memory of 3940	249764	cmd.exe	48
PID 249764 wrote to memory of 3940	249764	cmd.exe	48
PID 249764 wrote to memory of 3940	249764	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_34cd0294f8885fca838f747d3231d46b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_34cd0294f8885fca838f747d3231d46b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\259463202.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Profile" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Profile\services.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1332
- C:\Users\Admin\AppData\Roaming\Profile\services.exe
  "C:\Users\Admin\AppData\Roaming\Profile\services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Users\Admin\AppData\Roaming\Profile\services.exe
    "C:\Users\Admin\AppData\Roaming\Profile\services.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:97232
- - C:\Users\Admin\AppData\Roaming\Profile\services.exe
    "C:\Users\Admin\AppData\Roaming\Profile\services.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:18440
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:249764
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3940
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Profile\services.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Profile\services.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:20152
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Profile\services.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Profile\services.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:99372
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:72372
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:21228
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Profile\services.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Profile\services.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:208212
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Profile\services.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Profile\services.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:114764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259463202.bat

Filesize
143B

MD5
87f156f03c5f08cd7218031dc5829432

SHA1
08ca7f7e764cb5f5470e20629117b5942ed8d617

SHA256
cf7b214a966c857f561fcd68cda22f4b27e07dd58a06a4b9dcd91b2afaec68e6

SHA512
ff97256c430d2227191542d1e67b770ef9152b02aa3fe31ce927900d3f36a752c374f727b8ce2ddb5a9328867a63eac158707dca08a265bc3843661151f9e92c

Download Submit
\Users\Admin\AppData\Roaming\Profile\services.exe

Filesize
325KB

MD5
4b90fb8e485f048bd938c3fe4ecd4abc

SHA1
39e1aef0e0b083e7eaca93c33ca24453d4a96fec

SHA256
81c1a59a28bdeec91f160693d64c5a65ba5606a30a17409eca7878ae80f6fbbd

SHA512
c0939532029d79cfd9c4d475c26155622b22829c789fccb0e27deea6a5301eb03cc9fc7fc5503298871bc81bfc86c1c22d16251525bae423bfe154ee15d9f8b8

Download Submit
memory/2124-4907-0x0000000003810000-0x0000000003910000-memory.dmp

Filesize
1024KB

Download
memory/2124-4894-0x0000000003810000-0x0000000003910000-memory.dmp

Filesize
1024KB

Download
memory/2124-3667-0x00000000004B8000-0x00000000004B9000-memory.dmp

Filesize
4KB

Download
memory/2124-4909-0x0000000003810000-0x0000000003910000-memory.dmp

Filesize
1024KB

Download
memory/2124-4908-0x0000000003810000-0x0000000003910000-memory.dmp

Filesize
1024KB

Download
memory/2124-4912-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2124-0-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2124-4087-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/4420-674660-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/18440-674651-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/18440-674666-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/97232-674641-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/97232-674635-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/97232-674633-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/97232-674631-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/97232-674629-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads