Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/02/2025, 10:35

General

  • Target

    JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe

  • Size

    644KB

  • MD5

    70c9d1cd6056c6ed265dea8d413cfc97

  • SHA1

    a653507de24c71577d431a5cd4d5bbd10e613299

  • SHA256

    bcec96017b538e00d13e8836cf1f2ff922a24dd1d30a6e50b08144304476ed5a

  • SHA512

    a2eef39593ee4e752cae90d67c589caa6df22df29d70b325f26d6930e26c4d56f8b87a0f4b82b5011b9aef67151d68e8c6164ffc3bb4b29db18f21e0dfcc9aae

  • SSDEEP

    6144:B41m5vbRoTASrqzusXCOf0sTDFiE+t0nrZ7Q4Qo0SiWe6uxIHN:BZx3Srq6sXCqTDFihtIt4SNe6uxS

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 1 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70c9d1cd6056c6ed265dea8d413cfc97.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\259428539.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:153704
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        PID:24676
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\259432299.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:165604
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "kluc name" /t REG_SZ /d "C:\Windows\racun\rracun.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:166540
    • C:\Windows\racun\rracun.exe
      "C:\Windows\racun\rracun.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:183248
      • C:\Windows\racun\rracun.exe
        "C:\Windows\racun\rracun.exe"
        3⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:182324
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:182552
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:182852
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\racun\rracun.exe" /t REG_SZ /d "C:\Windows\racun\rracun.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:182592
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\racun\rracun.exe" /t REG_SZ /d "C:\Windows\racun\rracun.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:182832
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:182596
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:182888
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RacunLast.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RacunLast.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:182656
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RacunLast.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RacunLast.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:182860

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\259428539.bat

    Filesize

    118B

    MD5

    a7abd9bdc5677f68c18d7524eb9ec1ab

    SHA1

    948db612bae78b17e4df26d1884f9d2129e6ac9f

    SHA256

    79192d9e9ebc7f9a864fdae37e771650afe5d41b8ba7da7a6ffeaff12b32e7b7

    SHA512

    bfcbbb6f9a76457427000e05b241755c13f1a6def8f0b0afc5d491409b812bacceed8545bd3e781779b2e2cd3fe8b1c323c17d3665df868cacc063c2e38c465d

  • C:\Users\Admin\AppData\Local\Temp\259432299.bat

    Filesize

    121B

    MD5

    ee46813d644e2f3527f7332b0e55af02

    SHA1

    0db88b645364c64e942c85f3c5e4a503ba940f21

    SHA256

    9509158dad0060a9fb3cb8fbaef9957103df755a3f79d17c1029d1efc1e2aafe

    SHA512

    7da3f1c6b6ed4ceb4307c2bbd43fb9b5fb969485e4388abfe07d5488b6da76f82a55d186ee5b59f7802f10e85e7f70d2f96fb0dd1f99be6f0aab4334cfce483e

  • \Windows\racun\rracun.exe

    Filesize

    644KB

    MD5

    80e18361819c4f030c5e4d01fded06a3

    SHA1

    756c79f570717f7a7973d6b4b53c1e203fc00289

    SHA256

    db0fc46ff8418892ef63b42c95c88dafe659d2e7439367d9e2deaa320d329009

    SHA512

    68e7e8b8634a612cb633218ba422e59396bbeaa08caf42b8b0cbdbc37dd7439937bfa8088cef784d4766394bce7209de321a407e78d575166f323f34ee155c75

  • memory/2228-99547-0x0000000000530000-0x0000000000630000-memory.dmp

    Filesize

    1024KB

  • memory/2228-99543-0x0000000000530000-0x0000000000630000-memory.dmp

    Filesize

    1024KB

  • memory/2228-99545-0x0000000000530000-0x0000000000630000-memory.dmp

    Filesize

    1024KB

  • memory/2228-81558-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

  • memory/2228-99549-0x0000000000530000-0x0000000000630000-memory.dmp

    Filesize

    1024KB

  • memory/2228-99551-0x0000000000530000-0x0000000000630000-memory.dmp

    Filesize

    1024KB

  • memory/2228-99553-0x0000000000530000-0x0000000000630000-memory.dmp

    Filesize

    1024KB

  • memory/2228-99555-0x0000000000530000-0x0000000000630000-memory.dmp

    Filesize

    1024KB

  • memory/2228-99541-0x0000000000530000-0x0000000000630000-memory.dmp

    Filesize

    1024KB

  • memory/182324-200625-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/182324-200637-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB