Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-02-2025 03:55

General

  • Target

    JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe

  • Size

    4.0MB

  • MD5

    843418d201e93a3f3f41cc94f0b6841f

  • SHA1

    690a37191f5f122e8b6ab5064d942cc18ec759f1

  • SHA256

    001f9f11da02e10099ad21eff3fca1ec7b155b4efbc205ee9f100fe7c8a35622

  • SHA512

    a57f0570a7dc57d814c99ca10e3768040ab32d8181aa85213a219457f0dc018992e16c1b47cea28b74b603f521f4ca23a89e3f5b5f067d770e105a9c14afd225

  • SSDEEP

    98304:rOQ530RjmmafJZRNJlXpCK502oknqcYsy5G+MZr0MdOgcKJnT:rOQ53zmgvRNJl5CK/oSqcYsTTLcK5T

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 12 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q6emb6qp.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE448.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE447.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2740
    • C:\Users\Admin\AppData\Local\Temp\b6FC6.exe
      "C:\Users\Admin\AppData\Local\Temp\b6FC6.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:2780
    • C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
      C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1728
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CMsk1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CMsk1.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CMsk1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CMsk1.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2012
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2616
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\noinstall.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\noinstall.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\noinstall.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\noinstall.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:304
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mikpcowm.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3056
    • C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe
      "C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2508
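
The reg.exe lines in the process tree above are the concrete artefacts behind the "Modifies firewall policy service" signature: the sample sets DoNotAllowExceptions to 0 under the legacy (XP-era) StandardProfile key, then registers its own dropped binaries (CMsk1.exe in Temp, noinstall.exe in Roaming) under AuthorizedApplications\List with the display name "Windows Messanger". The csc.exe invocations with an @*.cmdline response file in Temp are the trace of on-the-fly C# compilation by the loader. The following is an added triage script, not part of this report or of any sandbox tool; it parses command lines of this shape and flags the three behaviours. The sample command lines are copied from the tree above; the rule names and the Finding type are this example's own.

```python
"""Triage rules for firewall-policy tampering and runtime compilation
seen in sandbox process trees (added example, not from the report)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Legacy Windows Firewall policy location written by the sample (lowercased for matching).
FW_POLICY_PREFIX = "\\services\\sharedaccess\\parameters\\firewallpolicy\\"
# Any path under a user profile's AppData tree counts as user-writable.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# reg add <key> /v <name> /t <type> /d <data> ...  (quotes optional)
REG_ADD = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?(?P<key>[^"\s]+)"?\s+/v\s+"?(?P<name>[^"]+?)"?'
    r'\s+/t\s+(?P<type>\S+)\s+/d\s+"?(?P<data>[^"]*)"?',
    re.IGNORECASE,
)
# csc.exe ... @"<response file>.cmdline"
CSC_RSP = re.compile(r'csc\.exe"?\s.*@"?(?P<rsp>[^"\s]+\.cmdline)', re.IGNORECASE)

# Constructed sample input: command lines copied from the process tree in this report.
SAMPLE_CMDLINES = [
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q6emb6qp.cmdline"',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CMsk1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CMsk1.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\noinstall.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\noinstall.exe:*:Enabled:Windows Messanger" /f',
    r'"C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe"',
]


@dataclass(frozen=True)
class Finding:
    rule: str    # hypothetical rule identifier chosen for this example
    detail: str  # the artefact that triggered it


def parse_authorized_app(data: str) -> Optional[Tuple[str, str, str, str]]:
    """Split '<path>:<scope>:<Enabled|Disabled>:<display name>'.
    Split from the right: the path itself contains the drive-letter colon."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, mode, display = parts
    return path, scope, mode, display


def triage(cmdlines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for cl in cmdlines:
        m = REG_ADD.search(cl)
        if m:
            key, name, data = m.group("key"), m.group("name"), m.group("data")
            if FW_POLICY_PREFIX not in key.lower():
                continue
            if name.lower() == "donotallowexceptions" and data.strip() == "0":
                # 0 is the default (exceptions honoured); the sample forces it so its
                # AuthorizedApplications entries take effect. Weak alone, strong in combination.
                findings.append(Finding("fw_exceptions_enabled", f"{key}\\{name} = 0"))
            elif key.lower().endswith("\\authorizedapplications\\list"):
                parsed = parse_authorized_app(data)
                if parsed is None:
                    continue
                path, scope, mode, display = parsed
                if mode.lower() == "enabled" and USER_WRITABLE.search(path):
                    # A firewall exception for a binary in a user-writable directory,
                    # advertised under a display name that does not match the file name.
                    findings.append(Finding(
                        "fw_exception_userdir",
                        f"{path} (scope {scope}, shown as {display!r})"))
            continue
        m = CSC_RSP.search(cl)
        if m and USER_WRITABLE.search(m.group("rsp")):
            # csc.exe driven by a response file in Temp: code compiled at run time.
            findings.append(Finding("csc_runtime_compile", m.group("rsp")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"{f.rule:24} {f.detail}")
```

Run against the five sample lines the script reports one csc_runtime_compile, one fw_exceptions_enabled and two fw_exception_userdir findings; the AngryBirdsSeasons.exe line produces nothing, since executing a dropped file is visible only from the parent/child relationship, not from the command line itself. The DoNotAllowExceptions rule is deliberately low-confidence on its own: 0 is the default value, so treat it as corroboration for the AuthorizedApplications entries rather than as an indicator by itself.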

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESE448.tmp

    Filesize

    1KB

    MD5

    35ee8434ef10519653b306a4ee61ceda

    SHA1

    b4f746b3894ef7c2425e639fc96e018e7aab799d

    SHA256

    e6a3d0f413d07fd7afe3ccf0fef85b9268dfa84b3ca71c9633be7a07ceaf4aac

    SHA512

    c4f41e1132c2371576bf232cea729b01dc9fad06d966569a675077716368bbbcabb43bc6f068d9075ee6ef68a1819057a148444ce9e39a9825f0a005a7bd65a4

  • C:\Users\Admin\AppData\Local\Temp\b6FC6.exe

    Filesize

    4KB

    MD5

    1478cd1f5aa49aadee00cfb26e1b8a82

    SHA1

    ed001e9d060cd2c52d747884ee98eea753d834ba

    SHA256

    a8407edd4b7e24737b538942159f144b33aba6942b6217f02732e364e059c07b

    SHA512

    00020f0dab2c6f0eac6bd507bc378d73e53688edde8a561f6004d5d64edbc42b6cef691358abcd6a7ee80386a99d038886db4ac14a10ac472970379a71bbf3f3

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCE447.tmp

    Filesize

    636B

    MD5

    a1134e17cc7135288e52a56a0feda4ba

    SHA1

    6ecc9ef1d36c35134818fa8e830cc2d25c7b291f

    SHA256

    89ea30c4a1a47331dc335e884566201f716ca97a1af66963cb4f9647aeedea11

    SHA512

    3d9c1a20246c9ba286a953f9a16bb361c4220b12b7c4734c413c4008bcaaa91023253011e319d8f276aafe9fc99d5f0384af324ee9d98ad40f97a6a3a390904e

  • \??\c:\Users\Admin\AppData\Local\Temp\mikpcowm.0.cs

    Filesize

    4KB

    MD5

    f77a12a68d89658a3ff87380c7a02fa6

    SHA1

    382e0bb272bf557a2cc60c5d6a604cc9190c700d

    SHA256

    31f0e9b8cf8950d4e5aa95af5a6ac6af3a8641b5a56d2aedee69ce55faa5ab0a

    SHA512

    6ec430f817c5ba410440dddffbda1145af3d8b6d0d945bb09361840fd4048a701b76d25076e6c8be1fd492e52931123e381e45af615bc931664ad4e80588e58e

  • \??\c:\Users\Admin\AppData\Local\Temp\mikpcowm.cmdline

    Filesize

    319B

    MD5

    45f4acb9cdf4f7d1ca1319bdd7989783

    SHA1

    965664ed09a52260b62a7ab1bbe124b632fd5bdc

    SHA256

    a3552a0b735aa045aafcd67076a334df0cc63f1caef153ef6dd83117405f6146

    SHA512

    35983f7e10896227d61d695427b867d06cf6446c737441a0ae33c2906c51e9a017ca23631a7a963ab3732d4f5dd849907dd6281c06cbfbce4de161fd5652e7f8

  • \??\c:\Users\Admin\AppData\Local\Temp\q6emb6qp.0.cs

    Filesize

    1KB

    MD5

    a7afd4e117b8a9f37f12abe4c0a31fe1

    SHA1

    216cbd4090269590d1086e0560c2d901c8b89dfa

    SHA256

    0c3690324a85c67a4410624475c3c8ed0ef30e3866c238230f5011a03f527fd8

    SHA512

    0c329906ee8bc4864f68956852d2495cd1487f67a444d5b2e6b682501ed2472764a37f4956846e033685ece264c37afb20a783728088ddeab0c5f24d4975d751

  • \??\c:\Users\Admin\AppData\Local\Temp\q6emb6qp.cmdline

    Filesize

    258B

    MD5

    82f7ec70eb40e65dc3543a8131ecf980

    SHA1

    b3e1bc8644e190d2a20aa1eabb80345ea25e6436

    SHA256

    1e26bc9914576a064ba1cae8d427b2f609d5c69130f5e15edd9cefda3f58ab3b

    SHA512

    7be2cbbdf693c7c9a3b9e5535a196e6268fec4521627e1be7e12472e7300b04610f6dbee851571648f3c3945a83435101aaad76176255befb14694ae4f4e2f29

  • \Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe

    Filesize

    1.5MB

    MD5

    e987de1586ef2e544822b89957fbb842

    SHA1

    80e562c8f00806163ef93f91331882d430fba762

    SHA256

    9d1c3d99596ae3b66b31d17a1d586a8379deb9a76208a8fc6f1359a2653dbd19

    SHA512

    b506e638e2b72382e5367f4b60a6eac703de157a3fb02f31b8fd8b0288bbed90b7c0dab1f55706d1dfdbe6ee6adf3a5842a8e20083146e301dffeea403673782

  • \Users\Admin\AppData\Local\Temp\CMsk1.exe

    Filesize

    31KB

    MD5

    ed797d8dc2c92401985d162e42ffa450

    SHA1

    0f02fc517c7facc4baefde4fe9467fb6488ebabe

    SHA256

    b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

    SHA512

    e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

  • memory/1660-61-0x00000000747D0000-0x0000000074D7B000-memory.dmp

    Filesize

    5.7MB

  • memory/1660-2-0x00000000747D0000-0x0000000074D7B000-memory.dmp

    Filesize

    5.7MB

  • memory/1660-0-0x00000000747D1000-0x00000000747D2000-memory.dmp

    Filesize

    4KB

  • memory/1660-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp

    Filesize

    5.7MB

  • memory/1660-22-0x00000000747D0000-0x0000000074D7B000-memory.dmp

    Filesize

    5.7MB

  • memory/1660-58-0x00000000747D0000-0x0000000074D7B000-memory.dmp

    Filesize

    5.7MB

  • memory/2236-15-0x00000000747D0000-0x0000000074D7B000-memory.dmp

    Filesize

    5.7MB

  • memory/2236-8-0x00000000747D0000-0x0000000074D7B000-memory.dmp

    Filesize

    5.7MB

  • memory/2688-64-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2688-65-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2688-31-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2688-38-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2688-59-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2688-35-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2688-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2688-33-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2688-62-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2688-66-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2688-68-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2688-69-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2688-70-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2688-74-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2688-76-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB