Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/01/2025, 15:38
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_6434b4eb336d7aadd6e47882b00d72b8.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_6434b4eb336d7aadd6e47882b00d72b8.exe
  Resource: win10v2004-20250129-en
General
Target: JaffaCakes118_6434b4eb336d7aadd6e47882b00d72b8.exe
Size: 514KB
MD5: 6434b4eb336d7aadd6e47882b00d72b8
SHA1: b1f2f9a8bd8066cf3e53291f6989df83540d1a13
SHA256: 4861f6a242deed6d80a71a8de72ba925f105fc988504fc324c2f2db25eee43e5
SHA512: 4f80af78d96ce18282be359b816bbc1e845cc123ca56385511ee39bdd1714b6f53e81dec6b8ad2b4ee213d36d482ab1d288f8cd597abfce9bfbfb432429db294
SSDEEP: 12288:USIm9OrcSIm9OrTS+Fz4atfYSPeAwLFcqTFV+fNbgvxyPZHfmPlu9bmg023k6neT:PVnsPGbfy6ne9Lpfv
Malware Config
Signatures
- Blackshades
  Blackshades is a remote access trojan with various capabilities.
- Blackshades family
- Blackshades payload (13 IoCs)
  resource  yara_rule
  behavioral2/memory/2064-9-0x0000000000400000-0x0000000000478000-memory.dmp  family_blackshades
  behavioral2/memory/2064-5-0x0000000000400000-0x0000000000478000-memory.dmp  family_blackshades
  behavioral2/memory/2064-21-0x0000000000400000-0x0000000000478000-memory.dmp  family_blackshades
  behavioral2/memory/2064-24-0x0000000000400000-0x0000000000478000-memory.dmp  family_blackshades
  behavioral2/memory/2064-31-0x0000000000400000-0x0000000000478000-memory.dmp  family_blackshades
  behavioral2/memory/2064-34-0x0000000000400000-0x0000000000478000-memory.dmp  family_blackshades
  behavioral2/memory/2064-37-0x0000000000400000-0x0000000000478000-memory.dmp  family_blackshades
  behavioral2/memory/2064-44-0x0000000000400000-0x0000000000478000-memory.dmp  family_blackshades
  behavioral2/memory/2064-47-0x0000000000400000-0x0000000000478000-memory.dmp  family_blackshades
  behavioral2/memory/2064-51-0x0000000000400000-0x0000000000478000-memory.dmp  family_blackshades
  behavioral2/memory/2064-57-0x0000000000400000-0x0000000000478000-memory.dmp  family_blackshades
  behavioral2/memory/2064-60-0x0000000000400000-0x0000000000478000-memory.dmp  family_blackshades
  behavioral2/memory/2064-64-0x0000000000400000-0x0000000000478000-memory.dmp  family_blackshades
- Modifies firewall policy service (3 TTPs, 10 IoCs)
  description  ioc  Process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  reg.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\keto.exe = "C:\\Users\\Admin\\AppData\\Roaming\\keto.exe:*:Enabled:Windows Messanger"  reg.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  reg.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\.exe:*:Enabled:Windows Messanger"  reg.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  reg.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications  reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  reg.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List  reg.exe
- Executes dropped EXE (1 IoC)
  pid  Process
  2064  .exe
- Suspicious use of SetThreadContext (1 IoC)
  description  pid  Process  procid_target
  PID 4148 set thread context of 2064  4148  JaffaCakes118_6434b4eb336d7aadd6e47882b00d72b8.exe  85
- System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_6434b4eb336d7aadd6e47882b00d72b8.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  .exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
- Modifies registry key (1 TTP, 4 IoCs)
  pid  Process
  1532  reg.exe
  2980  reg.exe
  1736  reg.exe
  2420  reg.exe
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  description  pid  Process
  Token: SeDebugPrivilege  4148  JaffaCakes118_6434b4eb336d7aadd6e47882b00d72b8.exe
  Token: 1  2064  .exe
  Token: SeCreateTokenPrivilege  2064  .exe
  Token: SeAssignPrimaryTokenPrivilege  2064  .exe
  Token: SeLockMemoryPrivilege  2064  .exe
  Token: SeIncreaseQuotaPrivilege  2064  .exe
  Token: SeMachineAccountPrivilege  2064  .exe
  Token: SeTcbPrivilege  2064  .exe
  Token: SeSecurityPrivilege  2064  .exe
  Token: SeTakeOwnershipPrivilege  2064  .exe
  Token: SeLoadDriverPrivilege  2064  .exe
  Token: SeSystemProfilePrivilege  2064  .exe
  Token: SeSystemtimePrivilege  2064  .exe
  Token: SeProfSingleProcessPrivilege  2064  .exe
  Token: SeIncBasePriorityPrivilege  2064  .exe
  Token: SeCreatePagefilePrivilege  2064  .exe
  Token: SeCreatePermanentPrivilege  2064  .exe
  Token: SeBackupPrivilege  2064  .exe
  Token: SeRestorePrivilege  2064  .exe
  Token: SeShutdownPrivilege  2064  .exe
  Token: SeDebugPrivilege  2064  .exe
  Token: SeAuditPrivilege  2064  .exe
  Token: SeSystemEnvironmentPrivilege  2064  .exe
  Token: SeChangeNotifyPrivilege  2064  .exe
  Token: SeRemoteShutdownPrivilege  2064  .exe
  Token: SeUndockPrivilege  2064  .exe
  Token: SeSyncAgentPrivilege  2064  .exe
  Token: SeEnableDelegationPrivilege  2064  .exe
  Token: SeManageVolumePrivilege  2064  .exe
  Token: SeImpersonatePrivilege  2064  .exe
  Token: SeCreateGlobalPrivilege  2064  .exe
  Token: 31  2064  .exe
  Token: 32  2064  .exe
  Token: 33  2064  .exe
  Token: 34  2064  .exe
  Token: 35  2064  .exe
  Token: SeDebugPrivilege  2064  .exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid  Process
  2064  .exe
  2064  .exe
  2064  .exe
  2064  .exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  description  pid  Process  procid_target
  PID 4148 wrote to memory of 2064  4148  JaffaCakes118_6434b4eb336d7aadd6e47882b00d72b8.exe  85
  PID 4148 wrote to memory of 2064  4148  JaffaCakes118_6434b4eb336d7aadd6e47882b00d72b8.exe  85
  PID 4148 wrote to memory of 2064  4148  JaffaCakes118_6434b4eb336d7aadd6e47882b00d72b8.exe  85
  PID 4148 wrote to memory of 2064  4148  JaffaCakes118_6434b4eb336d7aadd6e47882b00d72b8.exe  85
  PID 4148 wrote to memory of 2064  4148  JaffaCakes118_6434b4eb336d7aadd6e47882b00d72b8.exe  85
  PID 4148 wrote to memory of 2064  4148  JaffaCakes118_6434b4eb336d7aadd6e47882b00d72b8.exe  85
  PID 4148 wrote to memory of 2064  4148  JaffaCakes118_6434b4eb336d7aadd6e47882b00d72b8.exe  85
  PID 4148 wrote to memory of 2064  4148  JaffaCakes118_6434b4eb336d7aadd6e47882b00d72b8.exe  85
  PID 2064 wrote to memory of 4188  2064  .exe  86
  PID 2064 wrote to memory of 4188  2064  .exe  86
  PID 2064 wrote to memory of 4188  2064  .exe  86
  PID 2064 wrote to memory of 224  2064  .exe  87
  PID 2064 wrote to memory of 224  2064  .exe  87
  PID 2064 wrote to memory of 224  2064  .exe  87
  PID 2064 wrote to memory of 1368  2064  .exe  88
  PID 2064 wrote to memory of 1368  2064  .exe  88
  PID 2064 wrote to memory of 1368  2064  .exe  88
  PID 2064 wrote to memory of 4580  2064  .exe  89
  PID 2064 wrote to memory of 4580  2064  .exe  89
  PID 2064 wrote to memory of 4580  2064  .exe  89
  PID 4188 wrote to memory of 1532  4188  cmd.exe  94
  PID 4188 wrote to memory of 1532  4188  cmd.exe  94
  PID 4188 wrote to memory of 1532  4188  cmd.exe  94
  PID 4580 wrote to memory of 2980  4580  cmd.exe  95
  PID 4580 wrote to memory of 2980  4580  cmd.exe  95
  PID 4580 wrote to memory of 2980  4580  cmd.exe  95
  PID 224 wrote to memory of 2420  224  cmd.exe  96
  PID 224 wrote to memory of 2420  224  cmd.exe  96
  PID 224 wrote to memory of 2420  224  cmd.exe  96
  PID 1368 wrote to memory of 1736  1368  cmd.exe  97
  PID 1368 wrote to memory of 1736  1368  cmd.exe  97
  PID 1368 wrote to memory of 1736  1368  cmd.exe  97
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6434b4eb336d7aadd6e47882b00d72b8.exe (PID 4148)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6434b4eb336d7aadd6e47882b00d72b8.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\.exe (PID 2064)
    Command line: C:\Users\Admin\AppData\Local\Temp\.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4188)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 1532)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 224)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 2420)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 1368)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 1736)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 4580)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\keto.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\keto.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 2980)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\keto.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\keto.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 34KB
MD5: e118330b4629b12368d91b9df6488be0
SHA1: ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA256: 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512: ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0