Analysis
-
max time kernel
148s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
01/02/2025, 12:34
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_71bfba691bbe2f7f2087ffd1a50a8a41.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_71bfba691bbe2f7f2087ffd1a50a8a41.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_71bfba691bbe2f7f2087ffd1a50a8a41.exe
-
Size
886KB
-
MD5
71bfba691bbe2f7f2087ffd1a50a8a41
-
SHA1
5616cf67747c5c575a94ecdfe9e0b4ffcd8a609e
-
SHA256
8fc18090e5fef288ca7929a2b4a2f9c473b8c491bf89c3c91a30ff62ab9b5429
-
SHA512
8de48ff92f4b67687fd9d62d4bece2e536b1aa5d857be5a7ec5db26b120f5efc85c742ea3975b3e948a7bd4242ec1b07653897e952f47e958c08540e1f7eda7e
-
SSDEEP
12288:sb8+PpWBycU4H/US05mjnjncETzK43HHnZzyVm3HVonxCw:48ApWBC4fUn5WcJ4gs316
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 1 IoCs
resource yara_rule behavioral1/files/0x000600000001939c-6.dat family_blackshades -
Modifies firewall policy service 3 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\local.exe = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\861011.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\861011.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run 861011.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\defender = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe" 861011.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3EEAEEC-EB3D-EED5-F6CA-E474CAC131E6} 861011.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3EEAEEC-EB3D-EED5-F6CA-E474CAC131E6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe" 861011.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3EEAEEC-EB3D-EED5-F6CA-E474CAC131E6} 861011.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Active Setup\Installed Components\{B3EEAEEC-EB3D-EED5-F6CA-E474CAC131E6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe" 861011.exe -
Executes dropped EXE 1 IoCs
pid Process 2092 861011.exe -
Loads dropped DLL 2 IoCs
pid Process 2596 JaffaCakes118_71bfba691bbe2f7f2087ffd1a50a8a41.exe 2596 JaffaCakes118_71bfba691bbe2f7f2087ffd1a50a8a41.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\defender = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe" 861011.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\defender = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe" 861011.exe -
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_71bfba691bbe2f7f2087ffd1a50a8a41.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 861011.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 2828 reg.exe 2900 reg.exe 2964 reg.exe 2156 reg.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: 1 2092 861011.exe Token: SeCreateTokenPrivilege 2092 861011.exe Token: SeAssignPrimaryTokenPrivilege 2092 861011.exe Token: SeLockMemoryPrivilege 2092 861011.exe Token: SeIncreaseQuotaPrivilege 2092 861011.exe Token: SeMachineAccountPrivilege 2092 861011.exe Token: SeTcbPrivilege 2092 861011.exe Token: SeSecurityPrivilege 2092 861011.exe Token: SeTakeOwnershipPrivilege 2092 861011.exe Token: SeLoadDriverPrivilege 2092 861011.exe Token: SeSystemProfilePrivilege 2092 861011.exe Token: SeSystemtimePrivilege 2092 861011.exe Token: SeProfSingleProcessPrivilege 2092 861011.exe Token: SeIncBasePriorityPrivilege 2092 861011.exe Token: SeCreatePagefilePrivilege 2092 861011.exe Token: SeCreatePermanentPrivilege 2092 861011.exe Token: SeBackupPrivilege 2092 861011.exe Token: SeRestorePrivilege 2092 861011.exe Token: SeShutdownPrivilege 2092 861011.exe Token: SeDebugPrivilege 2092 861011.exe Token: SeAuditPrivilege 2092 861011.exe Token: SeSystemEnvironmentPrivilege 2092 861011.exe Token: SeChangeNotifyPrivilege 2092 861011.exe Token: SeRemoteShutdownPrivilege 2092 861011.exe Token: SeUndockPrivilege 2092 861011.exe Token: SeSyncAgentPrivilege 2092 861011.exe Token: SeEnableDelegationPrivilege 2092 861011.exe Token: SeManageVolumePrivilege 2092 861011.exe Token: SeImpersonatePrivilege 2092 861011.exe Token: SeCreateGlobalPrivilege 2092 861011.exe Token: 31 2092 861011.exe Token: 32 2092 861011.exe Token: 33 2092 861011.exe Token: 34 2092 861011.exe Token: 35 2092 861011.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2092 861011.exe 2092 861011.exe 2092 861011.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 2596 wrote to memory of 2092 2596 JaffaCakes118_71bfba691bbe2f7f2087ffd1a50a8a41.exe 31 PID 2596 wrote to memory of 2092 2596 JaffaCakes118_71bfba691bbe2f7f2087ffd1a50a8a41.exe 31 PID 2596 wrote to memory of 2092 2596 JaffaCakes118_71bfba691bbe2f7f2087ffd1a50a8a41.exe 31 PID 2596 wrote to memory of 2092 2596 JaffaCakes118_71bfba691bbe2f7f2087ffd1a50a8a41.exe 31 PID 2092 wrote to memory of 2412 2092 861011.exe 32 PID 2092 wrote to memory of 2412 2092 861011.exe 32 PID 2092 wrote to memory of 2412 2092 861011.exe 32 PID 2092 wrote to memory of 2412 2092 861011.exe 32 PID 2092 wrote to memory of 2064 2092 861011.exe 33 PID 2092 wrote to memory of 2064 2092 861011.exe 33 PID 2092 wrote to memory of 2064 2092 861011.exe 33 PID 2092 wrote to memory of 2064 2092 861011.exe 33 PID 2092 wrote to memory of 2524 2092 861011.exe 35 PID 2092 wrote to memory of 2524 2092 861011.exe 35 PID 2092 wrote to memory of 2524 2092 861011.exe 35 PID 2092 wrote to memory of 2524 2092 861011.exe 35 PID 2092 wrote to memory of 2444 2092 861011.exe 37 PID 2092 wrote to memory of 2444 2092 861011.exe 37 PID 2092 wrote to memory of 2444 2092 861011.exe 37 PID 2092 wrote to memory of 2444 2092 861011.exe 37 PID 2412 wrote to memory of 2900 2412 cmd.exe 40 PID 2412 wrote to memory of 2900 2412 cmd.exe 40 PID 2412 wrote to memory of 2900 2412 cmd.exe 40 PID 2412 wrote to memory of 2900 2412 cmd.exe 40 PID 2524 wrote to memory of 2156 2524 cmd.exe 42 PID 2524 wrote to memory of 2156 2524 cmd.exe 42 PID 2524 wrote to memory of 2156 2524 cmd.exe 42 PID 2524 wrote to memory of 2156 2524 cmd.exe 42 PID 2064 wrote to memory of 2964 2064 cmd.exe 41 PID 2064 wrote to memory of 2964 2064 cmd.exe 41 PID 2064 wrote to memory of 2964 2064 cmd.exe 41 PID 2064 wrote to memory of 2964 2064 cmd.exe 41 PID 2444 wrote to memory of 2828 2444 cmd.exe 43 PID 2444 wrote to memory of 2828 2444 cmd.exe 43 PID 2444 wrote to memory of 2828 2444 cmd.exe 43 PID 2444 wrote to memory of 2828 2444 cmd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71bfba691bbe2f7f2087ffd1a50a8a41.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71bfba691bbe2f7f2087ffd1a50a8a41.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Users\Admin\AppData\Local\Temp\861011.exeC:\Users\Admin\AppData\Local\Temp\861011.exe2⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2900
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\861011.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\861011.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\861011.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\861011.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2964
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2156
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2828
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
336KB
MD5675c263474aca1efcbfeefb58e9aaa2c
SHA15defefb7ada086426902aac8849c21ce813b378e
SHA25630596b095c722383fe110854ef28ecf11d59a77ca40e6045232256ae9faf02fc
SHA5121aa58afcc59c997875883fe2ea00e2286cc2a34c278ff51d8bcc376eebe534123045313a57c6c6dcaf7509762a00dcf1d45b7074157f635157ea384e6a6177a5