Analysis
-
max time kernel
148s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
31/01/2025, 10:07
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe
Resource
win10v2004-20250129-en
General
-
Target
JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe
-
Size
308KB
-
MD5
692a1eb53cb4fe0389665388332ff498
-
SHA1
103ccfe275d4a19d961da9a0753100a8b616a456
-
SHA256
e47c04af714ecbbf212fbf5feaae837e2e0fe3a6514e92872398aed23c11e7a9
-
SHA512
e76e584e3a44c4a366ec039954d79dfc676c696f78b9968b15d3285361794537ff21efca49842077765131cd0b51208a56a6722a2ed6df1a4da10a6b108be344
-
SSDEEP
6144:4L9rmfYOS3sLEQBoQBeTYYaH4gYqVRnCTjAxwxh8cTDhJ8r1u9:4L+LfBopTYYaH4gYqfnCTjA0h8aE1
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 15 IoCs
resource yara_rule behavioral1/memory/2880-28-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/2880-24-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/2880-42-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/2880-43-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/2880-45-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/2880-46-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/2880-47-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/2880-49-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/2880-50-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/2880-51-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/2880-53-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/2880-54-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/2880-55-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/2880-57-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral1/memory/2880-58-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\1X2LYNGYD9.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1X2LYNGYD9.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\winhost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winhost.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe -
Deletes itself 1 IoCs
pid Process 1904 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 2308 winini.exe 2880 winhost.exe -
Loads dropped DLL 3 IoCs
pid Process 2112 JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe 2112 JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe 2308 winini.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Live = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winini.exe" winini.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2308 set thread context of 2880 2308 winini.exe 33 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1904 cmd.exe 2796 PING.EXE -
Modifies registry key 1 TTPs 4 IoCs
pid Process 2716 reg.exe 2724 reg.exe 1696 reg.exe 612 reg.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2796 PING.EXE -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: SeDebugPrivilege 2308 winini.exe Token: 1 2880 winhost.exe Token: SeCreateTokenPrivilege 2880 winhost.exe Token: SeAssignPrimaryTokenPrivilege 2880 winhost.exe Token: SeLockMemoryPrivilege 2880 winhost.exe Token: SeIncreaseQuotaPrivilege 2880 winhost.exe Token: SeMachineAccountPrivilege 2880 winhost.exe Token: SeTcbPrivilege 2880 winhost.exe Token: SeSecurityPrivilege 2880 winhost.exe Token: SeTakeOwnershipPrivilege 2880 winhost.exe Token: SeLoadDriverPrivilege 2880 winhost.exe Token: SeSystemProfilePrivilege 2880 winhost.exe Token: SeSystemtimePrivilege 2880 winhost.exe Token: SeProfSingleProcessPrivilege 2880 winhost.exe Token: SeIncBasePriorityPrivilege 2880 winhost.exe Token: SeCreatePagefilePrivilege 2880 winhost.exe Token: SeCreatePermanentPrivilege 2880 winhost.exe Token: SeBackupPrivilege 2880 winhost.exe Token: SeRestorePrivilege 2880 winhost.exe Token: SeShutdownPrivilege 2880 winhost.exe Token: SeDebugPrivilege 2880 winhost.exe Token: SeAuditPrivilege 2880 winhost.exe Token: SeSystemEnvironmentPrivilege 2880 winhost.exe Token: SeChangeNotifyPrivilege 2880 winhost.exe Token: SeRemoteShutdownPrivilege 2880 winhost.exe Token: SeUndockPrivilege 2880 winhost.exe Token: SeSyncAgentPrivilege 2880 winhost.exe Token: SeEnableDelegationPrivilege 2880 winhost.exe Token: SeManageVolumePrivilege 2880 winhost.exe Token: SeImpersonatePrivilege 2880 winhost.exe Token: SeCreateGlobalPrivilege 2880 winhost.exe Token: 31 2880 winhost.exe Token: 32 2880 winhost.exe Token: 33 2880 winhost.exe Token: 34 2880 winhost.exe Token: 35 2880 winhost.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2880 winhost.exe 2880 winhost.exe 2880 winhost.exe -
Suspicious use of WriteProcessMemory 52 IoCs
description pid Process procid_target PID 2112 wrote to memory of 2308 2112 JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe 30 PID 2112 wrote to memory of 2308 2112 JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe 30 PID 2112 wrote to memory of 2308 2112 JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe 30 PID 2112 wrote to memory of 2308 2112 JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe 30 PID 2112 wrote to memory of 1904 2112 JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe 31 PID 2112 wrote to memory of 1904 2112 JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe 31 PID 2112 wrote to memory of 1904 2112 JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe 31 PID 2112 wrote to memory of 1904 2112 JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe 31 PID 2308 wrote to memory of 2880 2308 winini.exe 33 PID 2308 wrote to memory of 2880 2308 winini.exe 33 PID 2308 wrote to memory of 2880 2308 winini.exe 33 PID 2308 wrote to memory of 2880 2308 winini.exe 33 PID 2308 wrote to memory of 2880 2308 winini.exe 33 PID 2308 wrote to memory of 2880 2308 winini.exe 33 PID 2308 wrote to memory of 2880 2308 winini.exe 33 PID 2308 wrote to memory of 2880 2308 winini.exe 33 PID 1904 wrote to memory of 2796 1904 cmd.exe 34 PID 1904 wrote to memory of 2796 1904 cmd.exe 34 PID 1904 wrote to memory of 2796 1904 cmd.exe 34 PID 1904 wrote to memory of 2796 1904 cmd.exe 34 PID 2880 wrote to memory of 2768 2880 winhost.exe 35 PID 2880 wrote to memory of 2768 2880 winhost.exe 35 PID 2880 wrote to memory of 2768 2880 winhost.exe 35 PID 2880 wrote to memory of 2768 2880 winhost.exe 35 PID 2880 wrote to memory of 2676 2880 winhost.exe 36 PID 2880 wrote to memory of 2676 2880 winhost.exe 36 PID 2880 wrote to memory of 2676 2880 winhost.exe 36 PID 2880 wrote to memory of 2676 2880 winhost.exe 36 PID 2880 wrote to memory of 2812 2880 winhost.exe 37 PID 2880 wrote to memory of 2812 2880 winhost.exe 37 PID 2880 wrote to memory of 2812 2880 winhost.exe 37 PID 2880 wrote to memory of 2812 2880 winhost.exe 37 PID 2880 wrote to memory of 2560 2880 winhost.exe 39 PID 2880 wrote to memory of 2560 2880 winhost.exe 39 PID 2880 wrote to memory of 2560 2880 winhost.exe 39 PID 2880 wrote to memory of 2560 2880 winhost.exe 39 PID 2676 wrote to memory of 612 2676 cmd.exe 43 PID 2676 wrote to memory of 612 2676 cmd.exe 43 PID 2676 wrote to memory of 612 2676 cmd.exe 43 PID 2676 wrote to memory of 612 2676 cmd.exe 43 PID 2560 wrote to memory of 2716 2560 cmd.exe 45 PID 2560 wrote to memory of 2716 2560 cmd.exe 45 PID 2560 wrote to memory of 2716 2560 cmd.exe 45 PID 2560 wrote to memory of 2716 2560 cmd.exe 45 PID 2768 wrote to memory of 2724 2768 cmd.exe 44 PID 2768 wrote to memory of 2724 2768 cmd.exe 44 PID 2768 wrote to memory of 2724 2768 cmd.exe 44 PID 2768 wrote to memory of 2724 2768 cmd.exe 44 PID 2812 wrote to memory of 1696 2812 cmd.exe 46 PID 2812 wrote to memory of 1696 2812 cmd.exe 46 PID 2812 wrote to memory of 1696 2812 cmd.exe 46 PID 2812 wrote to memory of 1696 2812 cmd.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Users\Admin\AppData\Local\Temp\winini.exe"C:\Users\Admin\AppData\Local\Temp\winini.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Users\Admin\AppData\Local\Temp\winhost.exeC:\Users\Admin\AppData\Local\Temp\winhost.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2724
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\winhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\winhost.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\winhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\winhost.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:612
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1696
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\1X2LYNGYD9.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\1X2LYNGYD9.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\1X2LYNGYD9.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\1X2LYNGYD9.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2716
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2796
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31KB
MD5ed797d8dc2c92401985d162e42ffa450
SHA10f02fc517c7facc4baefde4fe9467fb6488ebabe
SHA256b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
SHA512e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2
-
Filesize
272KB
MD5e24925ba8e3e4a7e262335eace64a1ba
SHA16b1e3869c7318e4e1180e898664d17dd64891a73
SHA256bdf7502906612414854ad915ba60b87690adc00d97af1f7d999f24293d1aa9da
SHA5122e8ad2e84f8aea65f32b2ad35fedc2e33c2e260f1ecdeaf9e9d60470b31226e457456ffdbc1ca8e35de30ec01975bc0dc4d8518004b9f9814672395840a0117e