Overview

overview

10

Static

static

3

JaffaCakes...8c.exe

windows7-x64

10

JaffaCakes...8c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2025 21:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_5b9c5d899486da09d85493c7bda1628c.exe

  • Size

    326KB

  • MD5

    5b9c5d899486da09d85493c7bda1628c

  • SHA1

    1e633f82cfc803fc9e14acc4bac541d536051eff

  • SHA256

    39c9e084bf9cace2f54491fb845c912e3593fd13cf1277140bc95f14e8131e04

  • SHA512

    287475fe961f3b0ae9df6b6d48d3beb760bd1d5d444e8a504b0ea6666080c8c38fabd4becdfebccc3a17b709b6ad28e9285660b3312d1f671d42302a8919b5d7

  • SSDEEP

    6144:R/UgYuMQyepu2IvcanEepkLMo6hBc6tS+XSKGI4taQzwZH1BAxU4FqRr68:WrELIkEBs6EOSKDDMAV6xU4s68

Score
10/10
blackshadesdefense_evasiondiscoverypersistenceratupx

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

    ratblackshades
  • Blackshades family
    blackshades
  • Blackshades payload 14 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
    defense_evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5b9c5d899486da09d85493c7bda1628c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5b9c5d899486da09d85493c7bda1628c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Users\Admin\AppData\Local\Temp\fichier.exe
      "C:\Users\Admin\AppData\Local\Temp\fichier.exe"
      2⤵
      • Adds policy Run key to start application
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1016
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1212
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\fichier.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\fichier.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\fichier.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\fichier.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:756
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4312
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:924
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\KU2PJI8VGU.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\KU2PJI8VGU.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3980
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\KU2PJI8VGU.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\KU2PJI8VGU.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2120

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fichier.exe
    Filesize

    175KB

    MD5

    5caebbf71ec2605cf3a204c6597cb74d

    SHA1

    2cefedccb01e9a055d715090fdf31c5a7502c13c

    SHA256

    4a0958e98fcdabab2f1f23700e2528d1dba3e565012e36d0075decff0236043d

    SHA512

    cc9d6e0b9394bebe43e3e7db1b5c5cdae6c54ada72ae6cea8411d305d412e6a0b95d9c8ec55bf93ac4b4178e883a8476eff16f862ee058875d6b21b48f68bfd0

    Download Submit

  • memory/1144-14-0x00007FF820150000-0x00007FF820C11000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1144-1-0x0000000000590000-0x00000000005BC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1144-2-0x0000000000D50000-0x0000000000D56000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1144-3-0x00007FF820150000-0x00007FF820C11000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1144-0-0x00007FF820153000-0x00007FF820155000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2176-28-0x0000000076C10000-0x0000000076D00000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2176-33-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2176-22-0x0000000076C10000-0x0000000076D00000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2176-23-0x0000000076C10000-0x0000000076D00000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2176-24-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2176-25-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2176-11-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2176-29-0x0000000076C10000-0x0000000076D00000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2176-30-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2176-21-0x0000000076C31000-0x0000000076C32000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2176-37-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2176-40-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2176-43-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2176-47-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2176-50-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2176-54-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2176-57-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2176-60-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2176-67-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2176-70-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download