Analysis

  • max time kernel
    148s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01/02/2025, 12:00

General

  • Target

    JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe

  • Size

    902KB

  • MD5

    7182e7c37759126da58b5fb29296de8e

  • SHA1

    c6f4fa352e3c1e47a0e146bce1c6fa2574152b77

  • SHA256

    10e3833de2ebf0dc6e16a94dae301b03d1079d2b94295eb941661ec731812ebb

  • SHA512

    040fd58614bcc1c81487a3a0b98d8e6c8bd94f4a07b652bece474fde15316945b5ed12439210c9553f8dfce53d4bc923565372b644dae58d6b2d7af1cc759a2c

  • SSDEEP

    12288:hg3aYMKqek4IxBKB8kWlyWdY3fNzEpGP/zLyQrnpEKlljPiZashMycuyUsKzeW1+:JyCBKB8Blo1zk8LyQ7aZcTKqW5p

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 15 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 24 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry key 1 TTPs 4 IoCs
  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\lala.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe "C:\Users\Admin\AppData\Roaming\invs.vbs" "C:\Users\Admin\AppData\Roaming\lala2.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Roaming\lala2.bat" "
          4⤵
          • Drops startup file
          • System Location Discovery: System Language Discovery
          PID:1568
    • C:\Windows\Temp\sidebar.exe
      C:\Windows\Temp\sidebar.exe
      2⤵
      • Executes dropped EXE
      PID:2584
    • C:\Windows\Temp\sidebar.exe
      C:\Windows\Temp\sidebar.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2276
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1232
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\sidebar.exe" /t REG_SZ /d "C:\Windows\Temp\sidebar.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1852
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\sidebar.exe" /t REG_SZ /d "C:\Windows\Temp\sidebar.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2316
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2388
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1496
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\acer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\acer.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2396
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\acer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\acer.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1364
    • C:\Windows\Temp\sidebar.exe
      C:\Windows\Temp\sidebar.exe
      2⤵
      • Executes dropped EXE
      PID:3048
    • C:\Windows\Temp\sidebar.exe
      C:\Windows\Temp\sidebar.exe
      2⤵
      • Executes dropped EXE
      PID:2544
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\per.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1932
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2208
      • C:\Users\Admin\AppData\Roaming\sidebar .exe
        "C:\Users\Admin\AppData\Roaming\sidebar .exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2216
        • C:\Windows\Temp\sidebar.exe
          C:\Windows\Temp\sidebar.exe
          4⤵
          • Executes dropped EXE
          PID:1360
        • C:\Windows\Temp\sidebar.exe
          C:\Windows\Temp\sidebar.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2156
        • C:\Windows\Temp\sidebar.exe
          C:\Windows\Temp\sidebar.exe
          4⤵
          • Executes dropped EXE
          PID:2056
        • C:\Windows\Temp\sidebar.exe
          C:\Windows\Temp\sidebar.exe
          4⤵
          • Executes dropped EXE
          PID:1616
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1576
      • C:\Users\Admin\AppData\Roaming\sidebar .exe
        "C:\Users\Admin\AppData\Roaming\sidebar .exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1956
        • C:\Windows\Temp\sidebar.exe
          C:\Windows\Temp\sidebar.exe
          4⤵
          • Executes dropped EXE
          PID:904
        • C:\Windows\Temp\sidebar.exe
          C:\Windows\Temp\sidebar.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:912
        • C:\Windows\Temp\sidebar.exe
          C:\Windows\Temp\sidebar.exe
          4⤵
          • Executes dropped EXE
          PID:2384
        • C:\Windows\Temp\sidebar.exe
          C:\Windows\Temp\sidebar.exe
          4⤵
          • Executes dropped EXE
          PID:1584
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2832
      • C:\Users\Admin\AppData\Roaming\sidebar .exe
        "C:\Users\Admin\AppData\Roaming\sidebar .exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2872
        • C:\Windows\Temp\sidebar.exe
          C:\Windows\Temp\sidebar.exe
          4⤵
          • Executes dropped EXE
          PID:2560
        • C:\Windows\Temp\sidebar.exe
          C:\Windows\Temp\sidebar.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2576
        • C:\Windows\Temp\sidebar.exe
          C:\Windows\Temp\sidebar.exe
          4⤵
          • Executes dropped EXE
          PID:480
        • C:\Windows\Temp\sidebar.exe
          C:\Windows\Temp\sidebar.exe
          4⤵
          • Executes dropped EXE
          PID:2992
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1236
      • C:\Users\Admin\AppData\Roaming\sidebar .exe
        "C:\Users\Admin\AppData\Roaming\sidebar .exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1836
        • C:\Windows\Temp\sidebar.exe
          C:\Windows\Temp\sidebar.exe
          4⤵
          • Executes dropped EXE
          PID:2380
        • C:\Windows\Temp\sidebar.exe
          C:\Windows\Temp\sidebar.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2420
        • C:\Windows\Temp\sidebar.exe
          C:\Windows\Temp\sidebar.exe
          4⤵
          • Executes dropped EXE
          PID:2732
        • C:\Windows\Temp\sidebar.exe
          C:\Windows\Temp\sidebar.exe
          4⤵
          • Executes dropped EXE
          PID:2800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\invs.vbs

    Filesize

    78B

    MD5

    c578d9653b22800c3eb6b6a51219bbb8

    SHA1

    a97aa251901bbe179a48dbc7a0c1872e163b1f2d

    SHA256

    20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

    SHA512

    3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

  • C:\Users\Admin\AppData\Roaming\lala.bat

    Filesize

    53B

    MD5

    da2f62b3f68d61e7ff27df1155637ae1

    SHA1

    326f9ab4df92d730d0f22d0ee5e0faf661c7ac59

    SHA256

    547013d5a8e3c6f94e61a6e9d0a052451e4a73e54b11b8dd4d1ff357f96cad41

    SHA512

    f2e24b25add6479f5cc6746392be03f2d6a1ed3afd6b279aefa5614b81279d45c572344e24e3daf849974bc5fae3c0451ddf2c66e338268d22589aeb2b41c34d

  • C:\Users\Admin\AppData\Roaming\lala2.bat

    Filesize

    158B

    MD5

    8cfac7da0aee569085574419450d5bf8

    SHA1

    1847e99f86c011aabf610c2f08561d5ad84c7fbc

    SHA256

    b9318322b53fb957554e9f876b997f04bf24cab45fcd8c3a70d9432485205ff7

    SHA512

    545c4a1e045230b3fe933e951ece02b90388fe4d839705f0a948952ea254e2ee4859afc951581a7af93e2cab1a6bfa0800a99406faa535681c1a1c7d3b614136

  • C:\Users\Admin\AppData\Roaming\per.bat

    Filesize

    107B

    MD5

    4a27d520d3b75c616febcfdb51050e93

    SHA1

    7ca1a6fe3dffd7069847cbc39eeaf414ff2e6320

    SHA256

    b03c8cebc68fc2f77101bebfcf99f97ff399398251abb4ddd257f21eba4edf8d

    SHA512

    6657a3e9dc893e94830b7612da7d6efed4d689de48b72774a9be1df865186b9bffd14d80ca42b100482c8366f6ad395712fe0840aecea72201332745ed2cef6b

  • C:\Users\Admin\AppData\Roaming\sidebar .exe

    Filesize

    902KB

    MD5

    7182e7c37759126da58b5fb29296de8e

    SHA1

    c6f4fa352e3c1e47a0e146bce1c6fa2574152b77

    SHA256

    10e3833de2ebf0dc6e16a94dae301b03d1079d2b94295eb941661ec731812ebb

    SHA512

    040fd58614bcc1c81487a3a0b98d8e6c8bd94f4a07b652bece474fde15316945b5ed12439210c9553f8dfce53d4bc923565372b644dae58d6b2d7af1cc759a2c

  • C:\Windows\Temp\sidebar.exe

    Filesize

    1.1MB

    MD5

    34aa912defa18c2c129f1e09d75c1d7e

    SHA1

    9c3046324657505a30ecd9b1fdb46c05bde7d470

    SHA256

    6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

    SHA512

    d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

  • memory/912-113-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2156-88-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2420-155-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2524-60-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2524-95-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2524-28-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2524-29-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2524-137-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2524-118-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2524-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2524-37-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2524-89-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2524-90-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2524-115-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2524-93-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2524-94-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2524-26-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2576-132-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2916-2-0x0000000074080000-0x000000007462B000-memory.dmp

    Filesize

    5.7MB

  • memory/2916-92-0x0000000074080000-0x000000007462B000-memory.dmp

    Filesize

    5.7MB

  • memory/2916-0-0x0000000074081000-0x0000000074082000-memory.dmp

    Filesize

    4KB

  • memory/2916-59-0x0000000074080000-0x000000007462B000-memory.dmp

    Filesize

    5.7MB

  • memory/2916-1-0x0000000074080000-0x000000007462B000-memory.dmp

    Filesize

    5.7MB