Overview

overview

10

Static

static

3

JaffaCakes...c8.exe

windows7-x64

10

JaffaCakes...c8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2025 09:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_55407673b4b0f8e4b70f84e023e6c5c8.exe

  • Size

    636KB

  • MD5

    55407673b4b0f8e4b70f84e023e6c5c8

  • SHA1

    8d8d3cf881ab164a82607aab62c10500c7a6c94f

  • SHA256

    422bc3be6b70dd7785780738ce03ca2a4483cb85bcfc4543bc056b9dd32b9a34

  • SHA512

    4cc32dd8951832d2d278e20013be15c0859ef41ec1f6318aa7832e8184ba5be37a7f85c5daa330df2ddaf01142c16e21fc828b4a47c89d9ab71de9e34c2b2511

  • SSDEEP

    12288:rqeIFfwruh1+087bqqPimMDltarvgjn7V+9yaEll:2ejrAEB3M3Wv+7M9ql

Score
10/10
blackshadeslatentbotdefense_evasiondiscoveryrattrojan

Malware Config

Extracted

Family

latentbot

C2

rscashmoneyheros.zapto.org

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

    ratblackshades
  • Blackshades family
    blackshades
  • Blackshades payload 17 IoCs
  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Latentbot family
    latentbot
  • Modifies firewall policy service 3 TTPs 10 IoCs
    defense_evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55407673b4b0f8e4b70f84e023e6c5c8.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55407673b4b0f8e4b70f84e023e6c5c8.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1720
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:228
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1844
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4104
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4476
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3612
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\VRDAXNOELY.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\VRDAXNOELY.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\VRDAXNOELY.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\VRDAXNOELY.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:5112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WindowsCodecs.dll
    Filesize

    15KB

    MD5

    8d0a509b3ff7eb2945424f5f11474a0f

    SHA1

    a781cda1d9225095bbfcf7198d932146df6ab83a

    SHA256

    65c7dd8f275c90f5c65ac207c11735868b15a27ab6d692f2169af38b2672db4e

    SHA512

    d76c4718a890cadbc03fac07d8c31703645cac70be51250198f4ee83189addbe27252a5553100911d2d591440cf5bd54e075264e78609df864bf92bf334d0c3b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    16KB

    MD5

    7cb97dcfc4a7f5094d7f527c2b1c4ff3

    SHA1

    f2ccbfe8f9aec22e8ccf553608b440832286e159

    SHA256

    d62c8c858e99c7c53eef778053bf52f96fec6490eb6efca9a92fbba2757e9521

    SHA512

    614ddd220c30ca122bd7d50adb02e7b6d1e36ef7d5d7f8eed441bbd09d0617fd3548f3fe34c6f0200deb9db6ac825cfe1e985fd6dcffce28493260dc85797c4d

    Download Submit

  • memory/1864-38-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1864-30-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1864-41-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1864-16-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1864-20-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1864-26-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1864-71-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1864-68-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1864-44-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1864-61-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1864-74-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1864-64-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1864-29-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1864-48-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1864-51-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1864-54-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1864-58-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2660-27-0x00000000752D2000-0x00000000752D3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2660-1-0x00000000752D0000-0x0000000075881000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2660-28-0x00000000752D0000-0x0000000075881000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2660-2-0x00000000752D0000-0x0000000075881000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2660-0-0x00000000752D2000-0x00000000752D3000-memory.dmp

    Filesize

    4KB

    Download