Malware Analysis Report

2025-04-03 10:19

Sample ID: 250204-fh1ebsxpgj
Target: JaffaCakes118_900b4c2d3c03f64bc27c2cf81d332387
SHA256: 450e33ca193193790497c688b193d730ed2172b08534c1a27cca2553299cb1cd
Tags: blackshades, discovery, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 450e33ca193193790497c688b193d730ed2172b08534c1a27cca2553299cb1cd
Threat Level: Known bad

The file JaffaCakes118_900b4c2d3c03f64bc27c2cf81d332387 was found to be: Known bad.

Malicious Activity Summary

Tags: blackshades, discovery, rat

Blackshades family
Blackshades payload
Blackshades
Uses the VBS compiler for execution
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-02-04 04:53

Signatures

Unsigned PE
  Description: N/A
  Indicator:   N/A
  Process:     N/A
  Target:      N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2025-02-04 04:53
Reported: 2025-02-04 04:55
Platform: win10v2004-20250129-en
Max time kernel: 93s
Max time network: 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_900b4c2d3c03f64bc27c2cf81d332387.exe"

Signatures

Blackshades (tags: rat, blackshades)
Blackshades family (tags: blackshades)
Blackshades payload
  Description: N/A
  Indicator:   N/A
  Process:     N/A
  Target:      N/A
Uses the VBS compiler for execution
System Location Discovery: System Language Discovery (tags: discovery)
  Description: Key opened
  Indicator:   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process:     C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_900b4c2d3c03f64bc27c2cf81d332387.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_900b4c2d3c03f64bc27c2cf81d332387.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          3.31.126.40.in-addr.arpa       udp
NL       95.101.136.223:443  www.bing.com                   tcp
US       8.8.8.8:53          159.96.196.23.in-addr.arpa     udp
US       8.8.8.8:53          86.49.80.91.in-addr.arpa       udp
US       8.8.8.8:53          26.35.223.20.in-addr.arpa      udp
US       8.8.8.8:53          223.136.101.95.in-addr.arpa    udp
US       8.8.8.8:53          212.20.149.52.in-addr.arpa     udp
US       8.8.8.8:53          171.39.242.20.in-addr.arpa     udp
US       8.8.8.8:53          181.129.81.91.in-addr.arpa     udp
US       8.8.8.8:53          133.130.81.91.in-addr.arpa     udp

Files

memory/4576-0-0x00007FF837DD0000-0x00007FF838099000-memory.dmp
memory/4576-1-0x000000001BF60000-0x000000001C42E000-memory.dmp
memory/4576-2-0x000000001C4E0000-0x000000001C586000-memory.dmp
memory/4576-3-0x000000001BA30000-0x000000001BA80000-memory.dmp
memory/4576-4-0x000000001C6F0000-0x000000001C768000-memory.dmp
memory/4576-6-0x00007FF837DD0000-0x00007FF838099000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2025-02-04 04:53
Reported: 2025-02-04 04:55
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_900b4c2d3c03f64bc27c2cf81d332387.exe"

Signatures

Blackshades (tags: rat, blackshades)
Blackshades family (tags: blackshades)
Blackshades payload
  Description: N/A
  Indicator:   N/A
  Process:     N/A
  Target:      N/A
Uses the VBS compiler for execution
System Location Discovery: System Language Discovery (tags: discovery)
  Description: Key opened
  Indicator:   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process:     C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_900b4c2d3c03f64bc27c2cf81d332387.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_900b4c2d3c03f64bc27c2cf81d332387.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Network

N/A

Files

memory/2412-0-0x000007FEF630E000-0x000007FEF630F000-memory.dmp
memory/2412-1-0x00000000004C0000-0x0000000000510000-memory.dmp
memory/2412-2-0x00000000008F0000-0x0000000000968000-memory.dmp
memory/2412-3-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp