General

  • Target

    JaffaCakes118_7dde2cadb794e170aadfa6453a767d3c

  • Size

    940KB

  • Sample

    250202-r57mpswlgt

  • MD5

    7dde2cadb794e170aadfa6453a767d3c

  • SHA1

    dc5e8c1cb38f132d8506690348cabb84c104e15b

  • SHA256

    94bfdd9963e0a7fe4ee4488edbeebbd5b0d69fc8f5325f4006f159d4e2067236

  • SHA512

    5c2a2c99b3a97301ff89a4376d244faa536aaba4428467ce2fbe103b4f4411e0bbf400590941f39c91012eceaec27f5f3d151572ee899445f8bd975b61ccfd1a

  • SSDEEP

    24576:ImRKvOCv3utr5OUR0cl6zvozvaHMwINz3eptIC7U:ImovOC/uXgclWoj7wiiptIoU

Malware Config

Targets

    • Blackshades

      Blackshades is a remote access trojan with various capabilities.

    • Blackshades family

    • Blackshades payload

    • Modifies firewall policy service

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

MITRE ATT&CK Enterprise v15

Tasks