Analysis Overview
SHA256
64bb7bd73e3ef0ba90ce8ccba5a634caddb4ecbfe1a0826218a5c8a9b3193258
Threat Level: Known bad
The file JaffaCakes118_662c1630a308be12b5726d239b316d61 was found to be: Known bad.
Malicious Activity Summary
Blackshades payload
Blackshades family
Blackshades
Modifies firewall policy service
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Executes dropped EXE
Adds Run key to start application
UPX packed file
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies registry key
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-30 20:13
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-30 20:13
Reported
2025-01-30 20:16
Platform
win7-20240903-en
Max time kernel
147s
Max time network
137s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
Modifies firewall policy service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\csrss.exe = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\csrss.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E6CDBC6-CFEB-BDBA-B8FD-C63C309ABBEB} | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E6CDBC6-CFEB-BDBA-B8FD-C63C309ABBEB}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{4E6CDBC6-CFEB-BDBA-B8FD-C63C309ABBEB} | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Active Setup\Installed Components\{4E6CDBC6-CFEB-BDBA-B8FD-C63C309ABBEB}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_662c1630a308be12b5726d239b316d61.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_662c1630a308be12b5726d239b316d61.exe"
C:\Users\Admin\AppData\Local\Temp\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\csrss.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\csrss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrss.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\csrss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrss.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | hommy.no-ip.info | udp |
| US | 8.8.8.8:53 | 1hommy.no-ip.info | udp |
| US | 8.8.8.8:53 | 2hommy.no-ip.info | udp |
| US | 8.8.8.8:53 | 3hommy.no-ip.info | udp |
| ID | 212.117.48.248:4443 | 3hommy.no-ip.info | tcp |
| US | 8.8.8.8:53 | 4hommy.no-ip.info | udp |
| US | 8.8.8.8:53 | 5hommy.no-ip.info | udp |
| US | 8.8.8.8:53 | 6hommy.no-ip.info | udp |
| US | 8.8.8.8:53 | 7hommy.no-ip.info | udp |
| US | 8.8.8.8:53 | 8hommy.no-ip.info | udp |
Files
C:\Users\Admin\AppData\Local\Temp\csrss.exe
| MD5 | e634a32d5fd87d3f13544fa3e7fb7f88 |
| SHA1 | a4ea07351d69ec977417bb60e02ddf4e9dd81b2b |
| SHA256 | b11fd7676f1b0957819db09147e0a0f233813f408d676f169c29e7d3ec4bb8ca |
| SHA512 | 31bee58fd931bb30f00b8d74acecf61df1f9543a529a58c5c64af84078750eccd1063aa659a185de0fa97fcbb28608cd9af8fb4fed2c689ac67b7cf3e5a990b0 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-30 20:13
Reported
2025-01-30 20:16
Platform
win10v2004-20250129-en
Max time kernel
93s
Max time network
128s
Command Line
Signatures
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 628 wrote to memory of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_662c1630a308be12b5726d239b316d61.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe |
| PID 628 wrote to memory of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_662c1630a308be12b5726d239b316d61.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_662c1630a308be12b5726d239b316d61.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_662c1630a308be12b5726d239b316d61.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1052
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 130.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |