blackshades | 64bb7bd73e3ef0ba90ce8ccba5a634caddb4ecbfe1a0826218a5c8a9b3193258

Resubmissions

30-01-2025 20:21

250130-y5f83s1rby 3

30-01-2025 20:13

250130-yzqkkatmcq 10

Analysis

max time kernel
147s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-01-2025 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_662c1630a308be12b5726d239b316d61.exe
Size

260KB
MD5

662c1630a308be12b5726d239b316d61
SHA1

4c09f8744bed04f9e056eee9b5bd9c265a535641
SHA256

64bb7bd73e3ef0ba90ce8ccba5a634caddb4ecbfe1a0826218a5c8a9b3193258
SHA512

a7622bbf54240c2a2e808b406977023679e5e9b565075b6a4cd1d26d46d094e80642889b0fffd1d775da1e421f73a34b284bf4e0ddbf023ea35293f27de9b69c
SSDEEP

6144:Xqrm2Y0hn1fEuvxyr+WoqgzxADABdhV3NNJ7NX:XqrmL059jvUr+WoqgzxVxB

Score

10^/10

blackshades defense_evasion discovery persistence rat upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 9 IoCs

resource	yara_rule
behavioral1/memory/2628-22-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral1/memory/2628-27-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral1/memory/2628-29-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral1/memory/2628-30-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral1/memory/2628-31-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral1/memory/2628-34-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral1/memory/2628-35-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral1/memory/2628-39-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral1/memory/2628-42-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\csrss.exe = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\csrss.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe"	csrss.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E6CDBC6-CFEB-BDBA-B8FD-C63C309ABBEB}	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E6CDBC6-CFEB-BDBA-B8FD-C63C309ABBEB}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{4E6CDBC6-CFEB-BDBA-B8FD-C63C309ABBEB}	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Active Setup\Installed Components\{4E6CDBC6-CFEB-BDBA-B8FD-C63C309ABBEB}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe"	csrss.exe

Executes dropped EXE 1 IoCs

pid	Process
2628	csrss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe"	csrss.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000015d75-11.dat	upx
behavioral1/memory/2628-12-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2628-22-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2628-27-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2628-29-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2628-30-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2628-31-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2628-34-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2628-35-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2628-39-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2628-42-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2920	reg.exe
1864	reg.exe
1972	reg.exe
548	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	2628	csrss.exe
Token: SeCreateTokenPrivilege	2628	csrss.exe
Token: SeAssignPrimaryTokenPrivilege	2628	csrss.exe
Token: SeLockMemoryPrivilege	2628	csrss.exe
Token: SeIncreaseQuotaPrivilege	2628	csrss.exe
Token: SeMachineAccountPrivilege	2628	csrss.exe
Token: SeTcbPrivilege	2628	csrss.exe
Token: SeSecurityPrivilege	2628	csrss.exe
Token: SeTakeOwnershipPrivilege	2628	csrss.exe
Token: SeLoadDriverPrivilege	2628	csrss.exe
Token: SeSystemProfilePrivilege	2628	csrss.exe
Token: SeSystemtimePrivilege	2628	csrss.exe
Token: SeProfSingleProcessPrivilege	2628	csrss.exe
Token: SeIncBasePriorityPrivilege	2628	csrss.exe
Token: SeCreatePagefilePrivilege	2628	csrss.exe
Token: SeCreatePermanentPrivilege	2628	csrss.exe
Token: SeBackupPrivilege	2628	csrss.exe
Token: SeRestorePrivilege	2628	csrss.exe
Token: SeShutdownPrivilege	2628	csrss.exe
Token: SeDebugPrivilege	2628	csrss.exe
Token: SeAuditPrivilege	2628	csrss.exe
Token: SeSystemEnvironmentPrivilege	2628	csrss.exe
Token: SeChangeNotifyPrivilege	2628	csrss.exe
Token: SeRemoteShutdownPrivilege	2628	csrss.exe
Token: SeUndockPrivilege	2628	csrss.exe
Token: SeSyncAgentPrivilege	2628	csrss.exe
Token: SeEnableDelegationPrivilege	2628	csrss.exe
Token: SeManageVolumePrivilege	2628	csrss.exe
Token: SeImpersonatePrivilege	2628	csrss.exe
Token: SeCreateGlobalPrivilege	2628	csrss.exe
Token: 31	2628	csrss.exe
Token: 32	2628	csrss.exe
Token: 33	2628	csrss.exe
Token: 34	2628	csrss.exe
Token: 35	2628	csrss.exe
Token: SeDebugPrivilege	2628	csrss.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2628	csrss.exe
2628	csrss.exe
2628	csrss.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2628	2624	JaffaCakes118_662c1630a308be12b5726d239b316d61.exe	31
PID 2624 wrote to memory of 2628	2624	JaffaCakes118_662c1630a308be12b5726d239b316d61.exe	31
PID 2624 wrote to memory of 2628	2624	JaffaCakes118_662c1630a308be12b5726d239b316d61.exe	31
PID 2624 wrote to memory of 2628	2624	JaffaCakes118_662c1630a308be12b5726d239b316d61.exe	31
PID 2628 wrote to memory of 2456	2628	csrss.exe	32
PID 2628 wrote to memory of 2456	2628	csrss.exe	32
PID 2628 wrote to memory of 2456	2628	csrss.exe	32
PID 2628 wrote to memory of 2456	2628	csrss.exe	32
PID 2628 wrote to memory of 1796	2628	csrss.exe	33
PID 2628 wrote to memory of 1796	2628	csrss.exe	33
PID 2628 wrote to memory of 1796	2628	csrss.exe	33
PID 2628 wrote to memory of 1796	2628	csrss.exe	33
PID 2628 wrote to memory of 536	2628	csrss.exe	34
PID 2628 wrote to memory of 536	2628	csrss.exe	34
PID 2628 wrote to memory of 536	2628	csrss.exe	34
PID 2628 wrote to memory of 536	2628	csrss.exe	34
PID 2628 wrote to memory of 484	2628	csrss.exe	35
PID 2628 wrote to memory of 484	2628	csrss.exe	35
PID 2628 wrote to memory of 484	2628	csrss.exe	35
PID 2628 wrote to memory of 484	2628	csrss.exe	35
PID 2456 wrote to memory of 548	2456	cmd.exe	40
PID 2456 wrote to memory of 548	2456	cmd.exe	40
PID 2456 wrote to memory of 548	2456	cmd.exe	40
PID 2456 wrote to memory of 548	2456	cmd.exe	40
PID 536 wrote to memory of 1972	536	cmd.exe	41
PID 536 wrote to memory of 1972	536	cmd.exe	41
PID 536 wrote to memory of 1972	536	cmd.exe	41
PID 536 wrote to memory of 1972	536	cmd.exe	41
PID 484 wrote to memory of 2920	484	cmd.exe	43
PID 484 wrote to memory of 2920	484	cmd.exe	43
PID 484 wrote to memory of 2920	484	cmd.exe	43
PID 484 wrote to memory of 2920	484	cmd.exe	43
PID 1796 wrote to memory of 1864	1796	cmd.exe	42
PID 1796 wrote to memory of 1864	1796	cmd.exe	42
PID 1796 wrote to memory of 1864	1796	cmd.exe	42
PID 1796 wrote to memory of 1864	1796	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_662c1630a308be12b5726d239b316d61.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_662c1630a308be12b5726d239b316d61.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\csrss.exe
  "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\csrss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\csrss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrss.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:484
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrss.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
162KB

MD5
e634a32d5fd87d3f13544fa3e7fb7f88

SHA1
a4ea07351d69ec977417bb60e02ddf4e9dd81b2b

SHA256
b11fd7676f1b0957819db09147e0a0f233813f408d676f169c29e7d3ec4bb8ca

SHA512
31bee58fd931bb30f00b8d74acecf61df1f9543a529a58c5c64af84078750eccd1063aa659a185de0fa97fcbb28608cd9af8fb4fed2c689ac67b7cf3e5a990b0

Download Submit
memory/2624-0-0x000007FEF553E000-0x000007FEF553F000-memory.dmp

Filesize
4KB

Download
memory/2624-2-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2624-3-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2624-4-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/2624-13-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2628-21-0x0000000074F50000-0x0000000075060000-memory.dmp

Filesize
1.1MB

Download
memory/2628-27-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2628-20-0x0000000074F50000-0x0000000075060000-memory.dmp

Filesize
1.1MB

Download
memory/2628-19-0x0000000074F50000-0x0000000075060000-memory.dmp

Filesize
1.1MB

Download
memory/2628-12-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2628-22-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2628-23-0x0000000074F50000-0x0000000075060000-memory.dmp

Filesize
1.1MB

Download
memory/2628-24-0x0000000074F50000-0x0000000075060000-memory.dmp

Filesize
1.1MB

Download
memory/2628-26-0x0000000074F50000-0x0000000075060000-memory.dmp

Filesize
1.1MB

Download
memory/2628-18-0x0000000074F68000-0x0000000074F69000-memory.dmp

Filesize
4KB

Download
memory/2628-29-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2628-30-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2628-31-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2628-34-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2628-35-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2628-39-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2628-42-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads