Analysis
-
max time kernel
148s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
31/01/2025, 10:07
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe
Resource
win10v2004-20250129-en
General
-
Target
JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe
-
Size
308KB
-
MD5
692a1eb53cb4fe0389665388332ff498
-
SHA1
103ccfe275d4a19d961da9a0753100a8b616a456
-
SHA256
e47c04af714ecbbf212fbf5feaae837e2e0fe3a6514e92872398aed23c11e7a9
-
SHA512
e76e584e3a44c4a366ec039954d79dfc676c696f78b9968b15d3285361794537ff21efca49842077765131cd0b51208a56a6722a2ed6df1a4da10a6b108be344
-
SSDEEP
6144:4L9rmfYOS3sLEQBoQBeTYYaH4gYqVRnCTjAxwxh8cTDhJ8r1u9:4L+LfBopTYYaH4gYqfnCTjA0h8aE1
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 14 IoCs
resource yara_rule behavioral2/memory/4100-25-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/4100-20-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/4100-33-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/4100-34-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/4100-36-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/4100-37-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/4100-38-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/4100-40-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/4100-41-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/4100-42-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/4100-44-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/4100-45-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/4100-46-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/4100-50-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\winhost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winhost.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\1X2LYNGYD9.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1X2LYNGYD9.exe:*:Enabled:Windows Messanger" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe -
Executes dropped EXE 2 IoCs
pid Process 5004 winini.exe 4100 winhost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winini.exe" winini.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 5004 set thread context of 4100 5004 winini.exe 89 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4832 cmd.exe 3008 PING.EXE -
Modifies registry key 1 TTPs 4 IoCs
pid Process 2824 reg.exe 1312 reg.exe 3504 reg.exe 5024 reg.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3008 PING.EXE -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: SeDebugPrivilege 5004 winini.exe Token: 1 4100 winhost.exe Token: SeCreateTokenPrivilege 4100 winhost.exe Token: SeAssignPrimaryTokenPrivilege 4100 winhost.exe Token: SeLockMemoryPrivilege 4100 winhost.exe Token: SeIncreaseQuotaPrivilege 4100 winhost.exe Token: SeMachineAccountPrivilege 4100 winhost.exe Token: SeTcbPrivilege 4100 winhost.exe Token: SeSecurityPrivilege 4100 winhost.exe Token: SeTakeOwnershipPrivilege 4100 winhost.exe Token: SeLoadDriverPrivilege 4100 winhost.exe Token: SeSystemProfilePrivilege 4100 winhost.exe Token: SeSystemtimePrivilege 4100 winhost.exe Token: SeProfSingleProcessPrivilege 4100 winhost.exe Token: SeIncBasePriorityPrivilege 4100 winhost.exe Token: SeCreatePagefilePrivilege 4100 winhost.exe Token: SeCreatePermanentPrivilege 4100 winhost.exe Token: SeBackupPrivilege 4100 winhost.exe Token: SeRestorePrivilege 4100 winhost.exe Token: SeShutdownPrivilege 4100 winhost.exe Token: SeDebugPrivilege 4100 winhost.exe Token: SeAuditPrivilege 4100 winhost.exe Token: SeSystemEnvironmentPrivilege 4100 winhost.exe Token: SeChangeNotifyPrivilege 4100 winhost.exe Token: SeRemoteShutdownPrivilege 4100 winhost.exe Token: SeUndockPrivilege 4100 winhost.exe Token: SeSyncAgentPrivilege 4100 winhost.exe Token: SeEnableDelegationPrivilege 4100 winhost.exe Token: SeManageVolumePrivilege 4100 winhost.exe Token: SeImpersonatePrivilege 4100 winhost.exe Token: SeCreateGlobalPrivilege 4100 winhost.exe Token: 31 4100 winhost.exe Token: 32 4100 winhost.exe Token: 33 4100 winhost.exe Token: 34 4100 winhost.exe Token: 35 4100 winhost.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4100 winhost.exe 4100 winhost.exe 4100 winhost.exe -
Suspicious use of WriteProcessMemory 41 IoCs
description pid Process procid_target PID 3620 wrote to memory of 5004 3620 JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe 86 PID 3620 wrote to memory of 5004 3620 JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe 86 PID 3620 wrote to memory of 5004 3620 JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe 86 PID 3620 wrote to memory of 4832 3620 JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe 87 PID 3620 wrote to memory of 4832 3620 JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe 87 PID 3620 wrote to memory of 4832 3620 JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe 87 PID 5004 wrote to memory of 4100 5004 winini.exe 89 PID 5004 wrote to memory of 4100 5004 winini.exe 89 PID 5004 wrote to memory of 4100 5004 winini.exe 89 PID 5004 wrote to memory of 4100 5004 winini.exe 89 PID 5004 wrote to memory of 4100 5004 winini.exe 89 PID 5004 wrote to memory of 4100 5004 winini.exe 89 PID 5004 wrote to memory of 4100 5004 winini.exe 89 PID 5004 wrote to memory of 4100 5004 winini.exe 89 PID 4832 wrote to memory of 3008 4832 cmd.exe 90 PID 4832 wrote to memory of 3008 4832 cmd.exe 90 PID 4832 wrote to memory of 3008 4832 cmd.exe 90 PID 4100 wrote to memory of 3748 4100 winhost.exe 91 PID 4100 wrote to memory of 3748 4100 winhost.exe 91 PID 4100 wrote to memory of 3748 4100 winhost.exe 91 PID 4100 wrote to memory of 1992 4100 winhost.exe 92 PID 4100 wrote to memory of 1992 4100 winhost.exe 92 PID 4100 wrote to memory of 1992 4100 winhost.exe 92 PID 4100 wrote to memory of 208 4100 winhost.exe 93 PID 4100 wrote to memory of 208 4100 winhost.exe 93 PID 4100 wrote to memory of 208 4100 winhost.exe 93 PID 4100 wrote to memory of 3728 4100 winhost.exe 94 PID 4100 wrote to memory of 3728 4100 winhost.exe 94 PID 4100 wrote to memory of 3728 4100 winhost.exe 94 PID 3748 wrote to memory of 3504 3748 cmd.exe 99 PID 3748 wrote to memory of 3504 3748 cmd.exe 99 PID 3748 wrote to memory of 3504 3748 cmd.exe 99 PID 3728 wrote to memory of 1312 3728 cmd.exe 100 PID 3728 wrote to memory of 1312 3728 cmd.exe 100 PID 3728 wrote to memory of 1312 3728 cmd.exe 100 PID 1992 wrote to memory of 5024 1992 cmd.exe 101 PID 1992 wrote to memory of 5024 1992 cmd.exe 101 PID 1992 wrote to memory of 5024 1992 cmd.exe 101 PID 208 wrote to memory of 2824 208 cmd.exe 102 PID 208 wrote to memory of 2824 208 cmd.exe 102 PID 208 wrote to memory of 2824 208 cmd.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Users\Admin\AppData\Local\Temp\winini.exe"C:\Users\Admin\AppData\Local\Temp\winini.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\winhost.exeC:\Users\Admin\AppData\Local\Temp\winhost.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3504
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\winhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\winhost.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\winhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\winhost.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5024
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2824
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\1X2LYNGYD9.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\1X2LYNGYD9.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\1X2LYNGYD9.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\1X2LYNGYD9.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1312
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_692a1eb53cb4fe0389665388332ff498.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3008
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD5e118330b4629b12368d91b9df6488be0
SHA1ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA2563a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0
-
Filesize
272KB
MD5e24925ba8e3e4a7e262335eace64a1ba
SHA16b1e3869c7318e4e1180e898664d17dd64891a73
SHA256bdf7502906612414854ad915ba60b87690adc00d97af1f7d999f24293d1aa9da
SHA5122e8ad2e84f8aea65f32b2ad35fedc2e33c2e260f1ecdeaf9e9d60470b31226e457456ffdbc1ca8e35de30ec01975bc0dc4d8518004b9f9814672395840a0117e