Overview

overview

10

Static

static

3

JaffaCakes...a8.exe

windows7-x64

7

JaffaCakes...a8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-02-2025 15:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe

  • Size

    340KB

  • MD5

    7e124e2e3ad0737f9c1a470ba75070a8

  • SHA1

    58cf38ee90aab5122064ff5c8ffc55fbd186911f

  • SHA256

    84f6062e0171ef972c70f230e4b9afc137b5da5ef10b2d0e4ff2eef4aba56776

  • SHA512

    4e39c3e771f01301283be5bf8b37bdd84e9729e111a91d903fbe191a3fcd0e9082e4bd8421eb54badfa462b5bd0353dcd752e614e5391562e6499a7f3a245c3f

  • SSDEEP

    6144:ftYsB1IA5RYRH9GCq4W/c9XY7RQRGnVfN/SubH:xMG/H4Y7RAGV1/1b

Score
10/10
blackshadesdefense_evasiondiscoverypersistenceratupx

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

    ratblackshades
  • Blackshades family
    blackshades
  • Blackshades payload 11 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
    defense_evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4436
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240642859.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\GoogleChrome\svchost.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:792
    • C:\Users\Admin\AppData\Roaming\GoogleChrome\svchost.exe
      "C:\Users\Admin\AppData\Roaming\GoogleChrome\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Users\Admin\AppData\Roaming\GoogleChrome\svchost.exe
        "C:\Users\Admin\AppData\Roaming\GoogleChrome\svchost.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4008
      • C:\Users\Admin\AppData\Roaming\GoogleChrome\svchost.exe
        "C:\Users\Admin\AppData\Roaming\GoogleChrome\svchost.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3640
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3936
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:3564
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\GoogleChrome\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\GoogleChrome\svchost.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5092
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\GoogleChrome\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\GoogleChrome\svchost.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2592
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1368
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4604
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\MicrosoftManagement\dllhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MicrosoftManagement\dllhost.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1332
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\MicrosoftManagement\dllhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MicrosoftManagement\dllhost.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2088

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\240642859.bat
    Filesize

    155B

    MD5

    bcaf583ea4e708fd72c67efd18415bd8

    SHA1

    a229e0a0e98a9c3b653533d8ae05798cac4bb797

    SHA256

    912b1e8cf3ec86dc187d6fd2d14b46288704839159f98b78d5d89a4cd3034f06

    SHA512

    01a0878b83998f152c41437e3a885af6241852459e71567b26321849fffa242aadd1dc23f44d50c262cd3782c644b510d95c7467d4109e2b26e505e3fb989395

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GoogleChrome\svchost.exe
    Filesize

    340KB

    MD5

    326846b03ed76443129e3c9f21ff71d6

    SHA1

    8b3e743a6e7d427d72f8c581e8c3ff8a49e3c957

    SHA256

    8a46fe2d565638dc2c9ba0d70e4b71418f3aa8f432ad17b7e2c4feb728c235dd

    SHA512

    7c3df9ad2abeaaa7464eb7a20e9b0e8cc0027c64d1bf658467a6a72beced2a7594b3f6eed3b464c53ddc8145b1aa94d68bae1f2c1e88faa8e236670fc93dbe85

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4003209913-3868522715-854928974-1000\699c4b9cdebca7aaea5193cae8a50098_3420909f-3934-4e08-9bca-35998dc0babf
    Filesize

    50B

    MD5

    5b63d4dd8c04c88c0e30e494ec6a609a

    SHA1

    884d5a8bdc25fe794dc22ef9518009dcf0069d09

    SHA256

    4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

    SHA512

    15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

    Download Submit

  • memory/1756-46-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1756-47-0x00000000030F0000-0x00000000030F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1756-45-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1756-44-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1756-43-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1756-42-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1756-41-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1756-37-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1756-39-0x0000000002D90000-0x0000000002D91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1756-59-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/1756-38-0x0000000002D80000-0x0000000002D81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1756-68-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/1756-34-0x0000000002D80000-0x0000000002D81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1756-35-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1756-36-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3640-61-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/3640-64-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/3640-91-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/3640-89-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/3640-87-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/3640-85-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/3640-83-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/3640-81-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/3640-79-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/3640-77-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/3640-75-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/3640-72-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/3640-67-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/4008-48-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/4008-58-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/4008-51-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/4008-52-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/4008-60-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/4008-56-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/4436-2-0x00000000021E0000-0x00000000021E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4436-3-0x0000000002240000-0x0000000002241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4436-4-0x0000000002260000-0x0000000002261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4436-19-0x0000000002360000-0x0000000002361000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4436-5-0x0000000002270000-0x0000000002271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4436-6-0x0000000002280000-0x0000000002281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4436-7-0x00000000021E0000-0x00000000021E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4436-8-0x0000000002220000-0x0000000002221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4436-9-0x0000000002230000-0x0000000002231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4436-11-0x0000000002240000-0x0000000002241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4436-12-0x0000000002250000-0x0000000002251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4436-13-0x0000000002260000-0x0000000002261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4436-14-0x0000000002270000-0x0000000002271000-memory.dmp

    Filesize

    4KB

    Download