Overview

overview

10

Static

static

3

JaffaCakes...00.exe

windows7-x64

10

JaffaCakes...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-02-2025 18:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_7f803a72f192d1d71a1849a0bb461400.exe

  • Size

    409KB

  • MD5

    7f803a72f192d1d71a1849a0bb461400

  • SHA1

    a8282b98076011f01ac5af1f489d1079c3e594d4

  • SHA256

    16ebe046be752ea7b46b7268cce2371dcf3ba9657623d5212f99693031be41ce

  • SHA512

    746c8705e2c46bc4098c0a5f7c6ede711e198d3422f1b956dcdd755d1a519d4c0f23e6c0d2e58b0f163e385315f6bfff1ee27c97cddd1b8310794af71d25ad2c

  • SSDEEP

    6144:DFsn4ucahZSUTw+ich9G33ES/E2q92k2/R5fCX0BQkw0WIJ3qvlLBrme2q:hs4wT5fG33ES4Yk24Pkw0jwvey

Score
10/10
blackshadeslatentbotdefense_evasiondiscoverypersistencerattrojan

Malware Config

Extracted

Family

latentbot

C2

runeescapejagex.zapto.org

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

    ratblackshades
  • Blackshades family
    blackshades
  • Blackshades payload 14 IoCs
  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Latentbot family
    latentbot
  • Modifies firewall policy service 3 TTPs 10 IoCs
    defense_evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f803a72f192d1d71a1849a0bb461400.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f803a72f192d1d71a1849a0bb461400.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4752
    • C:\Users\Admin\AppData\Local\Temp\winini.exe
      "C:\Users\Admin\AppData\Local\Temp\winini.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:456
      • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
        C:\Users\Admin\AppData\Local\Temp\\cvtres.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4024
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2924
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\cvtres.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:232
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\cvtres.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1052
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3044
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2388
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\0TU389UECQ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\0TU389UECQ.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3624
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\0TU389UECQ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\0TU389UECQ.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4380

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
    Filesize

    34KB

    MD5

    e118330b4629b12368d91b9df6488be0

    SHA1

    ce90218c7e3b90df2a3409ec253048bb6472c2fd

    SHA256

    3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

    SHA512

    ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\winini.exe
    Filesize

    336KB

    MD5

    b83be1b30bdc83af4328171acab0443c

    SHA1

    ac9a9d0df312aa0d7035d6f080e6b37f6e4e8f97

    SHA256

    88ed7f0c1697da25744dc1cc9960de8f646ea6c02aef11b6ed66c5a230863b4b

    SHA512

    d89c98d43933fea346eabba30e8fc0baf611f17c58eb4fcfec7a6f70f9a4185d974f2ae338646fb5a1ad3ba38d2ee477e0a6661d16fedf7adaa618a5b5a1d44a

    Download Submit

  • memory/456-22-0x0000000074DB0000-0x0000000075361000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/456-34-0x0000000074DB0000-0x0000000075361000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/456-17-0x0000000074DB0000-0x0000000075361000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/456-18-0x0000000074DB0000-0x0000000075361000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2868-35-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2868-44-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2868-23-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2868-51-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2868-27-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2868-50-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2868-48-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2868-36-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2868-38-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2868-39-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2868-40-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2868-42-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2868-43-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2868-47-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/4752-2-0x0000000074DB0000-0x0000000075361000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4752-0-0x0000000074DB2000-0x0000000074DB3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4752-1-0x0000000074DB0000-0x0000000075361000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4752-20-0x0000000074DB0000-0x0000000075361000-memory.dmp

    Filesize

    5.7MB

    Download