Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/02/2025, 13:56
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_7272eaa4942abe2950d745d86c076fdb.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_7272eaa4942abe2950d745d86c076fdb.exe
  Resource: win10v2004-20250129-en
General
Target: JaffaCakes118_7272eaa4942abe2950d745d86c076fdb.exe
Size: 292KB
MD5: 7272eaa4942abe2950d745d86c076fdb
SHA1: bae63683f122daafd47781203f0a2df040f17d82
SHA256: 74a0fdfeae207ad0802ef942adc88f622e0a4ab940b6ed51ae48376d4e15d2fe
SHA512: 3c088566d68159fd22ce597c3542593e2864aa6b786592c3a8961914b51f0d886fb8ef78f25aa16fa945c4503e117b234f655dcfb79693b392d363724f956723
SSDEEP: 3072:B0TzOJLMoUlJUFcv3dSp+pLF9wm8icepsXFQoQLkd884RdUUAHX0+FhW2MyyyA8a:ZsUFcFSsP5QAo+0UA30+FQ2OMfKNA
Malware Config
Signatures
Blackshades
Blackshades is a remote access trojan with various capabilities.
Blackshades family
Blackshades payload 14 IoCs
resource | yara_rule
behavioral2/memory/828-63-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/828-59-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/828-67-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/828-74-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/828-79-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/828-83-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/828-87-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/828-92-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/828-96-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/828-100-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/828-105-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/828-109-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/828-113-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/828-122-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
Modifies firewall policy service 3 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\MSN\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\MSN\\svchost.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger" | reg.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation | JaffaCakes118_7272eaa4942abe2950d745d86c076fdb.exe
Executes dropped EXE 3 IoCs
pid | Process
112 | svchost.exe
4260 | svchost.exe
828 | svchost.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\MSN\\svchost.exe" | reg.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 112 set thread context of 4260 | 112 | svchost.exe | 95
PID 112 set thread context of 828 | 112 | svchost.exe | 96
resource | yara_rule
behavioral2/memory/828-47-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/828-63-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/828-61-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/828-59-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/828-55-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/828-67-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/828-74-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/828-79-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/828-83-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/828-87-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/828-92-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/828-96-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/828-100-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/828-105-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/828-109-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/828-113-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/828-122-0x0000000000400000-0x0000000000473000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7272eaa4942abe2950d745d86c076fdb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Modifies registry key 1 TTPs 4 IoCs
pid | Process
4116 | reg.exe
1760 | reg.exe
460 | reg.exe
1592 | reg.exe
Suspicious use of AdjustPrivilegeToken 37 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4260 | svchost.exe
Token: 1 | 828 | svchost.exe
Token: SeCreateTokenPrivilege | 828 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege | 828 | svchost.exe
Token: SeLockMemoryPrivilege | 828 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 828 | svchost.exe
Token: SeMachineAccountPrivilege | 828 | svchost.exe
Token: SeTcbPrivilege | 828 | svchost.exe
Token: SeSecurityPrivilege | 828 | svchost.exe
Token: SeTakeOwnershipPrivilege | 828 | svchost.exe
Token: SeLoadDriverPrivilege | 828 | svchost.exe
Token: SeSystemProfilePrivilege | 828 | svchost.exe
Token: SeSystemtimePrivilege | 828 | svchost.exe
Token: SeProfSingleProcessPrivilege | 828 | svchost.exe
Token: SeIncBasePriorityPrivilege | 828 | svchost.exe
Token: SeCreatePagefilePrivilege | 828 | svchost.exe
Token: SeCreatePermanentPrivilege | 828 | svchost.exe
Token: SeBackupPrivilege | 828 | svchost.exe
Token: SeRestorePrivilege | 828 | svchost.exe
Token: SeShutdownPrivilege | 828 | svchost.exe
Token: SeDebugPrivilege | 828 | svchost.exe
Token: SeAuditPrivilege | 828 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 828 | svchost.exe
Token: SeChangeNotifyPrivilege | 828 | svchost.exe
Token: SeRemoteShutdownPrivilege | 828 | svchost.exe
Token: SeUndockPrivilege | 828 | svchost.exe
Token: SeSyncAgentPrivilege | 828 | svchost.exe
Token: SeEnableDelegationPrivilege | 828 | svchost.exe
Token: SeManageVolumePrivilege | 828 | svchost.exe
Token: SeImpersonatePrivilege | 828 | svchost.exe
Token: SeCreateGlobalPrivilege | 828 | svchost.exe
Token: 31 | 828 | svchost.exe
Token: 32 | 828 | svchost.exe
Token: 33 | 828 | svchost.exe
Token: 34 | 828 | svchost.exe
Token: 35 | 828 | svchost.exe
Token: SeDebugPrivilege | 828 | svchost.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
1584 | JaffaCakes118_7272eaa4942abe2950d745d86c076fdb.exe
112 | svchost.exe
4260 | svchost.exe
828 | svchost.exe
828 | svchost.exe
828 | svchost.exe
Suspicious use of WriteProcessMemory 48 IoCs
description | pid | Process | procid_target
PID 1584 wrote to memory of 4132 | 1584 | JaffaCakes118_7272eaa4942abe2950d745d86c076fdb.exe | 90
PID 1584 wrote to memory of 4132 | 1584 | JaffaCakes118_7272eaa4942abe2950d745d86c076fdb.exe | 90
PID 1584 wrote to memory of 4132 | 1584 | JaffaCakes118_7272eaa4942abe2950d745d86c076fdb.exe | 90
PID 4132 wrote to memory of 3920 | 4132 | cmd.exe | 93
PID 4132 wrote to memory of 3920 | 4132 | cmd.exe | 93
PID 4132 wrote to memory of 3920 | 4132 | cmd.exe | 93
PID 1584 wrote to memory of 112 | 1584 | JaffaCakes118_7272eaa4942abe2950d745d86c076fdb.exe | 94
PID 1584 wrote to memory of 112 | 1584 | JaffaCakes118_7272eaa4942abe2950d745d86c076fdb.exe | 94
PID 1584 wrote to memory of 112 | 1584 | JaffaCakes118_7272eaa4942abe2950d745d86c076fdb.exe | 94
PID 112 wrote to memory of 4260 | 112 | svchost.exe | 95
PID 112 wrote to memory of 4260 | 112 | svchost.exe | 95
PID 112 wrote to memory of 4260 | 112 | svchost.exe | 95
PID 112 wrote to memory of 4260 | 112 | svchost.exe | 95
PID 112 wrote to memory of 4260 | 112 | svchost.exe | 95
PID 112 wrote to memory of 4260 | 112 | svchost.exe | 95
PID 112 wrote to memory of 4260 | 112 | svchost.exe | 95
PID 112 wrote to memory of 828 | 112 | svchost.exe | 96
PID 112 wrote to memory of 828 | 112 | svchost.exe | 96
PID 112 wrote to memory of 828 | 112 | svchost.exe | 96
PID 112 wrote to memory of 828 | 112 | svchost.exe | 96
PID 112 wrote to memory of 828 | 112 | svchost.exe | 96
PID 112 wrote to memory of 828 | 112 | svchost.exe | 96
PID 112 wrote to memory of 828 | 112 | svchost.exe | 96
PID 112 wrote to memory of 828 | 112 | svchost.exe | 96
PID 828 wrote to memory of 2728 | 828 | svchost.exe | 97
PID 828 wrote to memory of 2728 | 828 | svchost.exe | 97
PID 828 wrote to memory of 2728 | 828 | svchost.exe | 97
PID 828 wrote to memory of 5008 | 828 | svchost.exe | 98
PID 828 wrote to memory of 5008 | 828 | svchost.exe | 98
PID 828 wrote to memory of 5008 | 828 | svchost.exe | 98
PID 828 wrote to memory of 3188 | 828 | svchost.exe | 99
PID 828 wrote to memory of 3188 | 828 | svchost.exe | 99
PID 828 wrote to memory of 3188 | 828 | svchost.exe | 99
PID 828 wrote to memory of 2628 | 828 | svchost.exe | 101
PID 828 wrote to memory of 2628 | 828 | svchost.exe | 101
PID 828 wrote to memory of 2628 | 828 | svchost.exe | 101
PID 5008 wrote to memory of 4116 | 5008 | cmd.exe | 105
PID 5008 wrote to memory of 4116 | 5008 | cmd.exe | 105
PID 5008 wrote to memory of 4116 | 5008 | cmd.exe | 105
PID 2728 wrote to memory of 1760 | 2728 | cmd.exe | 106
PID 2728 wrote to memory of 1760 | 2728 | cmd.exe | 106
PID 2728 wrote to memory of 1760 | 2728 | cmd.exe | 106
PID 3188 wrote to memory of 460 | 3188 | cmd.exe | 107
PID 3188 wrote to memory of 460 | 3188 | cmd.exe | 107
PID 3188 wrote to memory of 460 | 3188 | cmd.exe | 107
PID 2628 wrote to memory of 1592 | 2628 | cmd.exe | 108
PID 2628 wrote to memory of 1592 | 2628 | cmd.exe | 108
PID 2628 wrote to memory of 1592 | 2628 | cmd.exe | 108
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7272eaa4942abe2950d745d86c076fdb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7272eaa4942abe2950d745d86c076fdb.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1584

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240656593.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4132

    C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MSN\svchost.exe" /f
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      PID: 3920

  C:\Users\Admin\AppData\Roaming\MSN\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\MSN\svchost.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 112

    C:\Users\Admin\AppData\Roaming\MSN\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\MSN\svchost.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 4260

    C:\Users\Admin\AppData\Roaming\MSN\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\MSN\svchost.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 828

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2728

        C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID: 1760

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\MSN\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MSN\svchost.exe:*:Enabled:Windows Messanger" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 5008

        C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\MSN\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MSN\svchost.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID: 4116

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3188

        C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID: 460

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2628

        C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID: 1592
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 1
    Windows Service 1
Privilege Escalation
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 1
    Windows Service 1
Defense Evasion
  Impair Defenses 1
    Disable or Modify System Firewall 1
  Modify Registry 3
Downloads
Filesize: 138B
MD5: 92be0e9ab25ff1c1afd49e0b4cab9224
SHA1: dfefb50f694f344ab3581e9bf530f9e94041c4b8
SHA256: ccd0ff6d33ca5531a43b469a89f18733810a532f962c5b567ff67b9ae2491c95
SHA512: b765a500b0f303284545ddfe8cd49684241e2b2a93adc9c1df92a7fca69eafb7daedf10fdf149d448d9349581f805b0a2001769cf51de3458e2fabeaf3757174

Filesize: 292KB
MD5: 7272eaa4942abe2950d745d86c076fdb
SHA1: bae63683f122daafd47781203f0a2df040f17d82
SHA256: 74a0fdfeae207ad0802ef942adc88f622e0a4ab940b6ed51ae48376d4e15d2fe
SHA512: 3c088566d68159fd22ce597c3542593e2864aa6b786592c3a8961914b51f0d886fb8ef78f25aa16fa945c4503e117b234f655dcfb79693b392d363724f956723

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2089655958-977706906-1981639424-1000\699c4b9cdebca7aaea5193cae8a50098_bfc54fb9-d779-4763-84c8-34d8d411096a
Filesize: 50B
MD5: 5b63d4dd8c04c88c0e30e494ec6a609a
SHA1: 884d5a8bdc25fe794dc22ef9518009dcf0069d09
SHA256: 4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd
SHA512: 15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb