Overview

overview

10

Static

static

3

JaffaCakes...96.exe

windows7-x64

10

JaffaCakes...96.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-01-2025 14:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_368b9153a60f2a2090f5e9ba6c6e2896.exe

  • Size

    404KB

  • MD5

    368b9153a60f2a2090f5e9ba6c6e2896

  • SHA1

    023abcf8a180e68d55b1b74ff643168aac5d0cd1

  • SHA256

    8e4c03b7af470a66a3c34868881075e4dcb2da8d76110ebf4f0068b1cfbde130

  • SHA512

    e80ce774df365fdab251cf1a7f6a2482be4c128fd3b724f00144f7f19d64159d73289f5a4bdc26036d9d3c36e1add9fbaf4586cc13469964a8e5d6f4f57c544f

  • SSDEEP

    12288:6Gl+8djqlV45BhPxgJxhpzs3CVHxzDrd0q+GZb6jYcuI6:6o+4jwqRxgJxhJHFDrwYx

Score
10/10
blackshadesdefense_evasiondiscoveryratupx

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

    ratblackshades
  • Blackshades family
    blackshades
  • Blackshades payload 11 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
    defense_evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_368b9153a60f2a2090f5e9ba6c6e2896.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_368b9153a60f2a2090f5e9ba6c6e2896.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hjviybkm.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3660
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD959.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD958.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4404
    • C:\Users\Admin\AppData\Roaming\ctfmon.exe
      C:\Users\Admin\AppData\Roaming\ctfmon.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3836
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1660
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3504
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ctfmon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ctfmon.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4324
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ctfmon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ctfmon.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4688
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1992
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4580
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\XQQWR1XJBZ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\XQQWR1XJBZ.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1104
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\XQQWR1XJBZ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\XQQWR1XJBZ.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1648

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESD959.tmp
    Filesize

    1KB

    MD5

    9338a7fd70fb38b0736bae86a242f55e

    SHA1

    cc7f784ec01be0210dfd4cbd4d9e553b608375f7

    SHA256

    4eaf3409f2004dffb41e1be73ad50932ccad3875071fe7f22f548d1ab9142cea

    SHA512

    759d60e9e843c8ed0470d83f27bb9dafc8a6c290a2e0dfad20dbe715af23b1c9df9d9bbd65732cc801d014a05abc23ba13f234d6c5cac0957e2405572cb589e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\hjviybkm.dll
    Filesize

    5KB

    MD5

    0843633175438a9018f18746562feebb

    SHA1

    5527aaa64fe8e0b4560fe19107fb649f09a0ae70

    SHA256

    718a20fd72e58d18f600e41fd6f78d66b6f1a659ab4fa391c7a975c22b5efb96

    SHA512

    d27b31dd9793b16c38032ff15df45cd62ed76903349f3dfc4e6c3d0dc468a0cfcc68bf7c595072037e2f8343f35eb77ba1afe87baecf8fb04906c74a8c9ae423

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ctfmon.exe
    Filesize

    12KB

    MD5

    161725affce8b47d759f684bbf3605e2

    SHA1

    3ad09227181d86aa4c1f15e36783492f71555af9

    SHA256

    2c0b3dabe82da9063694f96eea8464c7b091a6cc7a1c81ab52b4a896a9b72e6d

    SHA512

    db6b11069bfce0f5fba910a5eb3413ecc58e895301aa6042fe46e16a3c8aa316769326bc5f57fc0a7baee05212a1374d58ed7b07b4870ccd24b306d9998f1935

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCD958.tmp
    Filesize

    652B

    MD5

    b4363396a87044260046e6d61ca21a74

    SHA1

    8dac3d196919a898d189ea1b1891b53600de6e8c

    SHA256

    9ac2c8a1d75a0c4d3b4080c1aa99ec90fd16f05cd83e0c5717d2b8a3d8da3363

    SHA512

    0d81b4ef531ff0840c88ff6aa6d5156ecd4a3c8cdedfba9d7a9933d93b2e7ec37f752570269ca99cec0a57e4720a6567718081f3b10c358d4814c129da1eaa0a

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\hjviybkm.0.cs
    Filesize

    4KB

    MD5

    2216d197bc442e875016eba15c07a937

    SHA1

    37528e21ea3271b85d276c6bd003e6c60c81545d

    SHA256

    2e9e3da7bfa1334706550bb4d6269bf3e64cbbc09fa349af52eb22f32aebb4af

    SHA512

    7d7bdc3bf83ac0a29e917ead899dcaa1b47ee2660f405fe4883ca2a2546f7924265e1d75a2ea02c0e34fac4d2bb82bbaaa88d06c240afad4e9fd49337cd04d3f

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\hjviybkm.cmdline
    Filesize

    206B

    MD5

    bbc47623b6ec0050b0209da124c40d3f

    SHA1

    38e06aef5334c099bab9a34b3c6bca6ab5939ec9

    SHA256

    3cdd77d0c17058151c25e53c12fe1374d56e5f410b0fb2fb4f1e6da5823c3501

    SHA512

    6d0c1e18958205aff6b6d09388ad09b3f68e86da7ffa1d750f7487ed4103fdbfc994cd459f0afc2db3b6baa3ae7a3f50a9951f9cac4b6d28cf7ee71b3c24d3ef

    Download Submit

  • memory/1932-33-0x00000000746A2000-0x00000000746A3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1932-2-0x00000000746A0000-0x0000000074C51000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1932-34-0x00000000746A0000-0x0000000074C51000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1932-0-0x00000000746A2000-0x00000000746A3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1932-1-0x00000000746A0000-0x0000000074C51000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3660-11-0x00000000746A0000-0x0000000074C51000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3660-16-0x00000000746A0000-0x0000000074C51000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3836-24-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3836-26-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3836-20-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3836-35-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3836-37-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3836-39-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3836-40-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3836-43-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3836-44-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3836-45-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3836-48-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3836-52-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3836-53-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download