Analysis
- Max time kernel: 147s
- Max time network: 120s
- Platform: windows7_x64
- Resource: win7-20240903-en
- Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- Submitted: 06/02/2025, 15:58
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe
- Resource: win10v2004-20250129-en
General
- Target: JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe
- Size: 540KB
- MD5: acf8f113d228a1cdc43753c496c63039
- SHA1: e5f999ed784e863f53e13505a13a8230d6d58ce6
- SHA256: 00475495f454149d719e1561f912a6265c1f18447718243b5bc242caa136cee7
- SHA512: eb90b4a29739f1f9dcfeec9d28625f9399270ea13e814dcef6ac7f93db6a502d28139d3e02ad959a20a3ce723461c1764dbba80ca950638d9e4bff10c0596d15
- SSDEEP: 12288:JHOoK1Ay95TKQx9Xrk+m5c2TqSO15KyfhHB7OgNpIRR3a8YX:FK15TTLrk+mq2O1oczOmORR
Malware Config
Signatures
- Blackshades
  Blackshades is a remote access trojan with various capabilities.
- Blackshades family
- Blackshades payload (12 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/memory/2808-27-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades |
| behavioral1/memory/2808-23-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades |
| behavioral1/memory/2808-39-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades |
| behavioral1/memory/2808-40-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades |
| behavioral1/memory/2808-42-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades |
| behavioral1/memory/2808-43-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades |
| behavioral1/memory/2808-44-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades |
| behavioral1/memory/2808-46-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades |
| behavioral1/memory/2808-47-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades |
| behavioral1/memory/2808-50-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades |
| behavioral1/memory/2808-52-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades |
| behavioral1/memory/2808-53-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades |
- Modifies firewall policy service (3 TTPs, 8 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger" | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe = "C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe:*:Enabled:Windows Messanger" | reg.exe |
- Adds policy Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\msnupdt = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
- Drops startup file (2 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
- Executes dropped EXE (1 IoC)

| pid | Process |
|---|---|
| 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
- Loads dropped DLL (5 IoCs)

| pid | Process |
|---|---|
| 2896 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| 2896 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| 2896 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| 2896 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| 2896 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
- Adds Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnupdt = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\msnupdt = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
- Suspicious use of SetThreadContext (1 IoC)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2896 set thread context of 2808 | 2896 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 30 |
- System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
- Modifies registry key (1 TTP, 4 IoCs)

| pid | Process |
|---|---|
| 1504 | reg.exe |
| 572 | reg.exe |
| 1512 | reg.exe |
| 1088 | reg.exe |
- Suspicious use of AdjustPrivilegeToken (35 IoCs)

| description | pid | Process |
|---|---|---|
| Token: 1 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeCreateTokenPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeAssignPrimaryTokenPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeLockMemoryPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeIncreaseQuotaPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeMachineAccountPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeTcbPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeSecurityPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeTakeOwnershipPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeLoadDriverPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeSystemProfilePrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeSystemtimePrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeProfSingleProcessPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeIncBasePriorityPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeCreatePagefilePrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeCreatePermanentPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeBackupPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeRestorePrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeShutdownPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeDebugPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeAuditPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeSystemEnvironmentPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeChangeNotifyPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeRemoteShutdownPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeUndockPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeSyncAgentPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeEnableDelegationPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeManageVolumePrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeImpersonatePrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: SeCreateGlobalPrivilege | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: 31 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: 32 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: 33 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: 34 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| Token: 35 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
- Suspicious use of SetWindowsHookEx (3 IoCs)

| pid | Process |
|---|---|
| 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
| 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe |
- Suspicious use of WriteProcessMemory (40 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2896 wrote to memory of 2808 | 2896 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 30 |
| PID 2896 wrote to memory of 2808 | 2896 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 30 |
| PID 2896 wrote to memory of 2808 | 2896 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 30 |
| PID 2896 wrote to memory of 2808 | 2896 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 30 |
| PID 2896 wrote to memory of 2808 | 2896 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 30 |
| PID 2896 wrote to memory of 2808 | 2896 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 30 |
| PID 2896 wrote to memory of 2808 | 2896 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 30 |
| PID 2896 wrote to memory of 2808 | 2896 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 30 |
| PID 2808 wrote to memory of 2196 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 31 |
| PID 2808 wrote to memory of 2196 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 31 |
| PID 2808 wrote to memory of 2196 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 31 |
| PID 2808 wrote to memory of 2196 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 31 |
| PID 2808 wrote to memory of 2344 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 32 |
| PID 2808 wrote to memory of 2344 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 32 |
| PID 2808 wrote to memory of 2344 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 32 |
| PID 2808 wrote to memory of 2344 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 32 |
| PID 2808 wrote to memory of 2188 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 34 |
| PID 2808 wrote to memory of 2188 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 34 |
| PID 2808 wrote to memory of 2188 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 34 |
| PID 2808 wrote to memory of 2188 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 34 |
| PID 2808 wrote to memory of 2480 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 35 |
| PID 2808 wrote to memory of 2480 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 35 |
| PID 2808 wrote to memory of 2480 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 35 |
| PID 2808 wrote to memory of 2480 | 2808 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 35 |
| PID 2480 wrote to memory of 572 | 2480 | cmd.exe | 39 |
| PID 2480 wrote to memory of 572 | 2480 | cmd.exe | 39 |
| PID 2480 wrote to memory of 572 | 2480 | cmd.exe | 39 |
| PID 2480 wrote to memory of 572 | 2480 | cmd.exe | 39 |
| PID 2196 wrote to memory of 1504 | 2196 | cmd.exe | 40 |
| PID 2196 wrote to memory of 1504 | 2196 | cmd.exe | 40 |
| PID 2196 wrote to memory of 1504 | 2196 | cmd.exe | 40 |
| PID 2196 wrote to memory of 1504 | 2196 | cmd.exe | 40 |
| PID 2344 wrote to memory of 1512 | 2344 | cmd.exe | 41 |
| PID 2344 wrote to memory of 1512 | 2344 | cmd.exe | 41 |
| PID 2344 wrote to memory of 1512 | 2344 | cmd.exe | 41 |
| PID 2344 wrote to memory of 1512 | 2344 | cmd.exe | 41 |
| PID 2188 wrote to memory of 1088 | 2188 | cmd.exe | 42 |
| PID 2188 wrote to memory of 1088 | 2188 | cmd.exe | 42 |
| PID 2188 wrote to memory of 1088 | 2188 | cmd.exe | 42 |
| PID 2188 wrote to memory of 1088 | 2188 | cmd.exe | 42 |
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe (PID 2896)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe"
  Signatures:
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe (PID 2808)
    Command line: C:\Users\Admin\AppData\Roaming\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe
    Signatures:
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\cmd.exe (PID 2196)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      Signatures:
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\SysWOW64\reg.exe (PID 1504)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        Signatures:
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 2344)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe:*:Enabled:Windows Messanger" /f
      Signatures:
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\SysWOW64\reg.exe (PID 1512)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe:*:Enabled:Windows Messanger" /f
        Signatures:
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 2188)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      Signatures:
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\SysWOW64\reg.exe (PID 1088)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        Signatures:
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 2480)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
      Signatures:
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\SysWOW64\reg.exe (PID 572)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
        Signatures:
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (2)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (2)
  - Create or Modify System Process (1)
    - Windows Service (1)