Analysis
max time kernel
148s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags
arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted
28/01/2025, 23:01
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe
Resource
win10v2004-20250129-en
General
Target
JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe
Size
793KB
MD5
50327a2c74bd40e5e4d103a3c4111fcf
SHA1
a67c36840e993bcf311bd14e410b011bd85010df
SHA256
30c5d869f498b0f5829d0fee3c239cd2712fe3a14732026fe6daf8f92555439a
SHA512
304307e4ebfbd7789e4531ad411138217755418714151574264b2c542712b36739f66543a4dc05bd3a28709c1ad223b6439eacd3c6ebc32b310fcbe0b902e524
SSDEEP
24576:OjgU6ETibMsiiNCNmBs9Yq5SaPf5WZKF:dU6ETibMsiiNCt97oaX5OKF
Malware Config
Signatures
- Blackshades: Blackshades is a remote access trojan with various capabilities.
- Blackshades family
- Blackshades payload (12 IoCs)
resource | yara_rule
behavioral2/memory/4860-11-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/4860-7-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/4860-23-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/4860-24-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/4860-27-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/4860-28-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/4860-30-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/4860-31-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/4860-32-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/4860-36-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/4860-37-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/4860-39-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
- Modifies firewall policy service (3 TTPs, 10 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Steamservice.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Steamservice.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\6ZKY5N6S1Q.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6ZKY5N6S1Q.exe:*:Enabled:Windows Messanger" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
- Executes dropped EXE (1 IoC)
pid | Process
4860 | Steamservice.exe
- Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 5080 set thread context of 4860 | 5080 | JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe | 85
- Program crash (1 IoC)
pid | pid_target | Process | procid_target
3800 | 5080 | WerFault.exe | 81
- System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Steamservice.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
- Modifies registry key (1 TTP, 4 IoCs)
pid | Process
1664 | reg.exe
2380 | reg.exe
3788 | reg.exe
3120 | reg.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
description | pid | Process
Token: 1 | 4860 | Steamservice.exe
Token: SeCreateTokenPrivilege | 4860 | Steamservice.exe
Token: SeAssignPrimaryTokenPrivilege | 4860 | Steamservice.exe
Token: SeLockMemoryPrivilege | 4860 | Steamservice.exe
Token: SeIncreaseQuotaPrivilege | 4860 | Steamservice.exe
Token: SeMachineAccountPrivilege | 4860 | Steamservice.exe
Token: SeTcbPrivilege | 4860 | Steamservice.exe
Token: SeSecurityPrivilege | 4860 | Steamservice.exe
Token: SeTakeOwnershipPrivilege | 4860 | Steamservice.exe
Token: SeLoadDriverPrivilege | 4860 | Steamservice.exe
Token: SeSystemProfilePrivilege | 4860 | Steamservice.exe
Token: SeSystemtimePrivilege | 4860 | Steamservice.exe
Token: SeProfSingleProcessPrivilege | 4860 | Steamservice.exe
Token: SeIncBasePriorityPrivilege | 4860 | Steamservice.exe
Token: SeCreatePagefilePrivilege | 4860 | Steamservice.exe
Token: SeCreatePermanentPrivilege | 4860 | Steamservice.exe
Token: SeBackupPrivilege | 4860 | Steamservice.exe
Token: SeRestorePrivilege | 4860 | Steamservice.exe
Token: SeShutdownPrivilege | 4860 | Steamservice.exe
Token: SeDebugPrivilege | 4860 | Steamservice.exe
Token: SeAuditPrivilege | 4860 | Steamservice.exe
Token: SeSystemEnvironmentPrivilege | 4860 | Steamservice.exe
Token: SeChangeNotifyPrivilege | 4860 | Steamservice.exe
Token: SeRemoteShutdownPrivilege | 4860 | Steamservice.exe
Token: SeUndockPrivilege | 4860 | Steamservice.exe
Token: SeSyncAgentPrivilege | 4860 | Steamservice.exe
Token: SeEnableDelegationPrivilege | 4860 | Steamservice.exe
Token: SeManageVolumePrivilege | 4860 | Steamservice.exe
Token: SeImpersonatePrivilege | 4860 | Steamservice.exe
Token: SeCreateGlobalPrivilege | 4860 | Steamservice.exe
Token: 31 | 4860 | Steamservice.exe
Token: 32 | 4860 | Steamservice.exe
Token: 33 | 4860 | Steamservice.exe
Token: 34 | 4860 | Steamservice.exe
Token: 35 | 4860 | Steamservice.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
4860 | Steamservice.exe
4860 | Steamservice.exe
4860 | Steamservice.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
description | pid | Process | procid_target
PID 5080 wrote to memory of 4860 | 5080 | JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe | 85
PID 5080 wrote to memory of 4860 | 5080 | JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe | 85
PID 5080 wrote to memory of 4860 | 5080 | JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe | 85
PID 5080 wrote to memory of 4860 | 5080 | JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe | 85
PID 5080 wrote to memory of 4860 | 5080 | JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe | 85
PID 5080 wrote to memory of 4860 | 5080 | JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe | 85
PID 5080 wrote to memory of 4860 | 5080 | JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe | 85
PID 5080 wrote to memory of 4860 | 5080 | JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe | 85
PID 4860 wrote to memory of 4100 | 4860 | Steamservice.exe | 86
PID 4860 wrote to memory of 4100 | 4860 | Steamservice.exe | 86
PID 4860 wrote to memory of 4100 | 4860 | Steamservice.exe | 86
PID 4860 wrote to memory of 2496 | 4860 | Steamservice.exe | 87
PID 4860 wrote to memory of 2496 | 4860 | Steamservice.exe | 87
PID 4860 wrote to memory of 2496 | 4860 | Steamservice.exe | 87
PID 4860 wrote to memory of 3692 | 4860 | Steamservice.exe | 88
PID 4860 wrote to memory of 3692 | 4860 | Steamservice.exe | 88
PID 4860 wrote to memory of 3692 | 4860 | Steamservice.exe | 88
PID 4860 wrote to memory of 3224 | 4860 | Steamservice.exe | 89
PID 4860 wrote to memory of 3224 | 4860 | Steamservice.exe | 89
PID 4860 wrote to memory of 3224 | 4860 | Steamservice.exe | 89
PID 2496 wrote to memory of 3120 | 2496 | cmd.exe | 96
PID 2496 wrote to memory of 3120 | 2496 | cmd.exe | 96
PID 2496 wrote to memory of 3120 | 2496 | cmd.exe | 96
PID 4100 wrote to memory of 1664 | 4100 | cmd.exe | 97
PID 4100 wrote to memory of 1664 | 4100 | cmd.exe | 97
PID 4100 wrote to memory of 1664 | 4100 | cmd.exe | 97
PID 3224 wrote to memory of 3788 | 3224 | cmd.exe | 98
PID 3224 wrote to memory of 3788 | 3224 | cmd.exe | 98
PID 3224 wrote to memory of 3788 | 3224 | cmd.exe | 98
PID 3692 wrote to memory of 2380 | 3692 | cmd.exe | 99
PID 3692 wrote to memory of 2380 | 3692 | cmd.exe | 99
PID 3692 wrote to memory of 2380 | 3692 | cmd.exe | 99
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 5080
  - C:\Users\Admin\AppData\Roaming\Steamservice.exe (level 2)
    Command line: C:\Users\Admin\AppData\Roaming\Steamservice.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4860
    - C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4100
      - C:\Windows\SysWOW64\reg.exe (level 4)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 1664
    - C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Steamservice.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Steamservice.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2496
      - C:\Windows\SysWOW64\reg.exe (level 4)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Steamservice.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Steamservice.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 3120
    - C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3692
      - C:\Windows\SysWOW64\reg.exe (level 4)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 2380
    - C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\6ZKY5N6S1Q.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6ZKY5N6S1Q.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3224
      - C:\Windows\SysWOW64\reg.exe (level 4)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\6ZKY5N6S1Q.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6ZKY5N6S1Q.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 3788
  - C:\Windows\SysWOW64\WerFault.exe (level 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1156
    - Program crash
    PID: 3800
- C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5080 -ip 5080
  PID: 2640
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
1KB
MD5
d8e7637c0c4889b318f1014bce3a3f66
SHA1
1ddb18c609fca498b7f41cf70dfd295b91f95ab9
SHA256
cf67a5b89de19d3e9f91e3ebf43162caea7532a51689225161e97cd7b56a717f
SHA512
bb5c82628a754975343cd192f3d656007e40c1e7a2c3d5dad5030f029783c2bdcb34d4b33768c5a4abbd6029692c1bde0bda9038a35e933d3e7669fbafe61791