Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
-
submitted
03/02/2025, 03:55
General
-
Target
JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe
-
Size
4.0MB
-
MD5
843418d201e93a3f3f41cc94f0b6841f
-
SHA1
690a37191f5f122e8b6ab5064d942cc18ec759f1
-
SHA256
001f9f11da02e10099ad21eff3fca1ec7b155b4efbc205ee9f100fe7c8a35622
-
SHA512
a57f0570a7dc57d814c99ca10e3768040ab32d8181aa85213a219457f0dc018992e16c1b47cea28b74b603f521f4ca23a89e3f5b5f067d770e105a9c14afd225
-
SSDEEP
98304:rOQ530RjmmafJZRNJlXpCK502oknqcYsy5G+MZr0MdOgcKJnT:rOQ53zmgvRNJl5CK/oSqcYsTTLcK5T
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 9 IoCs
-
Modifies firewall policy service 3 TTPs 10 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry key 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h4hg5wbj.cmdline"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AE9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9AE8.tmp"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\b6FC6.exe"C:\Users\Admin\AppData\Local\Temp\b6FC6.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eniuzdgq.cmdline"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA00A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA009.tmp"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\CMsk1.exeC:\Users\Admin\AppData\Local\Temp\CMsk1.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CMsk1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CMsk1.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CMsk1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CMsk1.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\noinstall.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\noinstall.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\noinstall.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\noinstall.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe"C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe"C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD5e987de1586ef2e544822b89957fbb842
SHA180e562c8f00806163ef93f91331882d430fba762
SHA2569d1c3d99596ae3b66b31d17a1d586a8379deb9a76208a8fc6f1359a2653dbd19
SHA512b506e638e2b72382e5367f4b60a6eac703de157a3fb02f31b8fd8b0288bbed90b7c0dab1f55706d1dfdbe6ee6adf3a5842a8e20083146e301dffeea403673782
-
Filesize
20KB
MD5dc711cd45f201e4a34978d92ebb5804e
SHA19c5c13c20e88e2292c90618800fe5353e1426fe8
SHA2560e845ca27a25de729939d794f84a321b862c2b35072c9fe58199efac34f88d10
SHA512e9e298c06031bfc13ff5fa69edbc85738c660ce7f63ae22684f1c10f23be46c54547e469c989b91703d9c3f936926f05131800bf38930fa8f22af0a07917c768
-
Filesize
34KB
MD5e118330b4629b12368d91b9df6488be0
SHA1ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA2563a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0
-
Filesize
1KB
MD54a4b3957b29ed201fe3196dadf142cfe
SHA1bab76367974fbb351a10fcadf042ba27eb096833
SHA2560cc1e1f91f0965aa7559d4914ead7afc4a03455785aa1bde8378bbc851aa8593
SHA512f024977dd510c595b13b15d6ecf55a88cb3ffb90e5f0aaa2758391bf7ec4a92176b6bf948b1755da7c62cc1a016d3c0a218f2616d81e68e1551556c2b542c94a
-
Filesize
1KB
MD5628fbd672d7c8cd833d5cca006ba1615
SHA112dd838a8d66313221e4d22bfce15912fe570f48
SHA256b8d092b6da6a93d0a9e296f8b0a618f634053a0907eacf0c7c39e17a67c79d4c
SHA512d58dda65a1d0cfd388615af0e6d9c1c8ec48e7dcde00bfebd01987ce3e1eea0f95f4a57e452971c3b556dabaf554237c386769e87c9ccd323433460c907a2b79
-
Filesize
4KB
MD5c9f8df07644d5af32589f3b24a742a80
SHA1d91de36e9bd83ec222b5b4593a46f3ca83f70d66
SHA25653583989ec762133823a67431337da8065a4f6652ec928a45861cf39aea696ef
SHA512aac27fd9db6a8f4482e47f50ecac9d335f20df99a7621d432f99cabbb917c1ffe947a07744260c4b4e2458be6fe6e60c5b463fc37951d726b73b790ed19832d0
-
Filesize
636B
MD5a1134e17cc7135288e52a56a0feda4ba
SHA16ecc9ef1d36c35134818fa8e830cc2d25c7b291f
SHA25689ea30c4a1a47331dc335e884566201f716ca97a1af66963cb4f9647aeedea11
SHA5123d9c1a20246c9ba286a953f9a16bb361c4220b12b7c4734c413c4008bcaaa91023253011e319d8f276aafe9fc99d5f0384af324ee9d98ad40f97a6a3a390904e
-
Filesize
644B
MD5d9181a8d5ad15cea9bd83d124adfafe6
SHA15117311ee4365edc718331c4672974d112b7c30a
SHA256d771893d41089369afd786e4eaf2187d5787ed24aef9ebdd597ea0dda34c8528
SHA51277a94bf90e036ad1ae06b673fe82d0fe8218bc9731dcd3152e48b9910bc91f9ca048e4f0b35b2f3d8d73c43371baa5f8dcdfb1a1f8315e5f2842bf17ba5670ba
-
Filesize
4KB
MD563e5aee854b95119845f32cfd50daeec
SHA1411c321a68cfa2e79f2a3d541038f3f3441cf7c0
SHA2562a4506735bf9c47a0b1ae39c467d3e839646aa2e698a7a6050c59dc034375580
SHA5121216bb919425692e99c7a916cfe399f2c877523f03bd62f6ff23d79509ea42e5a41c62696a0abbb53cb0d1c31000e7d9432205ffeb38e9a19fbee3b99504f790
-
Filesize
319B
MD5a8e5d1cf4f3cbaea49ddc7ed2b7e5378
SHA1d3ccbba7b9b0a2cd3454f41835e4de7d3840bbfa
SHA2564d6454a0ec3974a13a9eb2d933c0fcbb7e87485d88839bf8a25a192535f73694
SHA512fd4ae10b18345f15e2da8fa63c9a0b1b17b23a605cef0335187b4ba3376aabd1c201c2ac4e0a11b9b7247148b759f10a7e8ecb976510ca17656b184a7c342780
-
Filesize
1KB
MD5a7afd4e117b8a9f37f12abe4c0a31fe1
SHA1216cbd4090269590d1086e0560c2d901c8b89dfa
SHA2560c3690324a85c67a4410624475c3c8ed0ef30e3866c238230f5011a03f527fd8
SHA5120c329906ee8bc4864f68956852d2495cd1487f67a444d5b2e6b682501ed2472764a37f4956846e033685ece264c37afb20a783728088ddeab0c5f24d4975d751
-
Filesize
258B
MD5d6bd853d2ca945fbb389edb2d5517aa3
SHA1b44e3278515d73269bdda2c329965fd313d8d530
SHA256f891fae53dfeb692ee807f3e44280262991ddb576bf9ff43290276f914c5d8e9
SHA512593323d3404b5d7ac3ec4c3fe2cc67c714e3b4d16db413061d0d47fcc3136fdbffbcb173c1f9837ca24ad6efd9c9bda37ab61f22a9f3409d31f2e4e004919860
-
Filesize
15KB
MD5201b2dbfc9f9906cf9c4b9117acbe283
SHA144f14fab1e5fae13a8c5026a0730c17b8c54c958
SHA2563109e96501a07a3d837298681fbaacf5962b56810021293bd1cc1c2e7895064f
SHA512db9a1cba1ff3fae70824f91ae12dc9a88a5b98d4d5bec5ad09edb3672408470bc9b18e51deec206c423edae4b166678d3b773cb3058d02e3d5ae7d2060466f85
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
5.7MB
-
Filesize
5.7MB