Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 148s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/02/2025, 15:58
Static task
- static1
Behavioral task
- behavioral1: sample JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe, resource win7-20240903-en
Behavioral task
- behavioral2: sample JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe, resource win10v2004-20250129-en
The analysis details on this page (platform windows10-2004_x64, the memory dumps tagged behavioral2) are from the Windows 10 task; the Windows 7 run is not shown here.
General
- Target: JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe
- Size: 540KB
- MD5: acf8f113d228a1cdc43753c496c63039
- SHA1: e5f999ed784e863f53e13505a13a8230d6d58ce6
- SHA256: 00475495f454149d719e1561f912a6265c1f18447718243b5bc242caa136cee7
- SHA512: eb90b4a29739f1f9dcfeec9d28625f9399270ea13e814dcef6ac7f93db6a502d28139d3e02ad959a20a3ce723461c1764dbba80ca950638d9e4bff10c0596d15
- SSDEEP: 12288:JHOoK1Ay95TKQx9Xrk+m5c2TqSO15KyfhHB7OgNpIRR3a8YX:FK15TTLrk+mq2O1oczOmORR
Malware Config
Signatures
Blackshades
Blackshades is a remote access trojan with various capabilities.
Blackshades family
Blackshades payload (13 IoCs)
resource | yara_rule
behavioral2/memory/4496-16-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades
behavioral2/memory/4496-20-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades
behavioral2/memory/4496-29-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades
behavioral2/memory/4496-30-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades
behavioral2/memory/4496-32-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades
behavioral2/memory/4496-33-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades
behavioral2/memory/4496-34-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades
behavioral2/memory/4496-35-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades
behavioral2/memory/4496-38-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades
behavioral2/memory/4496-39-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades
behavioral2/memory/4496-40-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades
behavioral2/memory/4496-42-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades
behavioral2/memory/4496-43-0x0000000000400000-0x0000000000459000-memory.dmp | family_blackshades
Modifies firewall policy service (3 TTPs, 10 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe = "C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\msnupdt = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe
Drops startup file (2 IoCs)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe
Executes dropped EXE (1 IoC)
pid | process
4496 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe
Loads dropped DLL (4 IoCs)
pid | process
4892 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe (4 occurrences)
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnupdt = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnupdt = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe
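The firewall-policy and Run-key signatures above share one shape: a registry "Set value" event whose data is a path. Two details matter for writing a rule against them. First, the sample's REG ADD commands name HKLM\System\CurrentControlSet, but the sandbox logged the resolved link \REGISTRY\MACHINE\SYSTEM\ControlSet001, so a rule that matches only one spelling misses the other. Second, the AuthorizedApplications\List value uses the XP SP2-era "path:scope:Enabled:name" format, and the path itself contains a colon, so it must be split from the right. Note also that every persistence entry points at C:\Users\Admin\AppData\Roaming\svchost.exe, for which no file-drop event appears in the signatures shown on this page; hunt for that path on disk as well as in the registry. The following is an added example, not tria.ge code: the events in SAMPLE_EVENTS are constructed from the report's own IoCs (with single backslashes instead of the escaped form the report displays), the two benign control events are invented, and the rule names are this example's own.

```python
"""Registry-event triage: legacy Windows Firewall exception tampering and
Run-key persistence. Added example, not tria.ge code; SAMPLE_EVENTS is
constructed from the report's IoCs plus two invented benign controls."""
import re
from dataclasses import dataclass
from typing import List, Optional

# The REG ADD used HKLM\System\CurrentControlSet; the sandbox logged the resolved
# link \REGISTRY\MACHINE\SYSTEM\ControlSet001. The rule accepts both spellings.
_ROOT = r"(?:\\REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE)"
FIREWALL_PROFILE = re.compile(
    _ROOT + r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\SharedAccess"
    r"\\Parameters\\FirewallPolicy\\(\w+Profile)\\(.*)$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\(?:Policies\\Explorer\\Run|CurrentVersion\\Run(?:Once)?)$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}


@dataclass(frozen=True)
class RegEvent:
    key: str       # key path as logged
    value: str     # value name
    data: str      # data rendered as a string
    process: str   # image name of the writing process


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def parse_authorized_app(data: str) -> Optional[dict]:
    """Parse '<path>:<scope>:<Enabled|Disabled>:<display name>'. The path holds a
    drive-letter colon, so split from the right into exactly four fields."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, name = parts
    return {"path": path, "scope": scope, "enabled": state.lower() == "enabled", "name": name}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_firewall(ev: RegEvent) -> List[Finding]:
    m = FIREWALL_PROFILE.match(ev.key + "\\" + ev.value)
    if not m:
        return []
    profile, rest = m.groups()
    out = []
    if rest.lower() == "donotallowexceptions" and ev.data.strip('" ') in ("0", "0x0"):
        out.append(Finding("firewall.exceptions_reenabled", f"{ev.process} set {profile} DoNotAllowExceptions=0"))
    if rest.lower().startswith("authorizedapplications\\list\\"):
        app = parse_authorized_app(ev.data.strip('"'))
        if app is None:
            out.append(Finding("firewall.malformed_exception", ev.data))
        elif app["enabled"]:
            why = []
            if USER_WRITABLE.match(app["path"]):
                why.append("path under AppData")
            if _basename(app["path"]) in SYSTEM_BINARY_NAMES:
                why.append("system binary name outside System32")
            if why:
                out.append(Finding("firewall.suspicious_exception",
                                   f"{app['path']} allowed as '{app['name']}' ({', '.join(why)})"))
    return out


def triage_run_key(ev: RegEvent) -> List[Finding]:
    if not RUN_KEY.search(ev.key):
        return []
    target = ev.data.strip('"')
    why = []
    if USER_WRITABLE.match(target):
        why.append("autostart target under AppData")
    if _basename(target) in SYSTEM_BINARY_NAMES and "\\windows\\" not in target.lower():
        why.append(f"{_basename(target)} outside the Windows directory")
    if "\\policies\\explorer\\run" in ev.key.lower():
        why.append("Policies\\Explorer\\Run is normally written only by Group Policy")
    if not why:
        return []
    return [Finding("persistence.run_key", f"{ev.process} set {ev.value} -> {target} ({'; '.join(why)})")]


def triage(events: List[RegEvent]) -> List[Finding]:
    found: List[Finding] = []
    for ev in events:
        found += triage_firewall(ev) + triage_run_key(ev)
    return found


_FW = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
_SVCHOST = r"C:\Users\Admin\AppData\Roaming\svchost.exe"
_COPY = r"C:\Users\Admin\AppData\Roaming\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe"
_SAMPLE_EXE = "JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe"
SAMPLE_EVENTS = [  # first six constructed from the report's IoCs; last two are invented benign controls
    RegEvent(_FW, "DoNotAllowExceptions", "0", "reg.exe"),
    RegEvent(_FW + r"\AuthorizedApplications\List", _SVCHOST, _SVCHOST + ":*:Enabled:Windows Messanger", "reg.exe"),
    RegEvent(_FW + r"\AuthorizedApplications\List", _COPY, _COPY + ":*:Enabled:Windows Messanger", "reg.exe"),
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run", "msnupdt", _SVCHOST, _SAMPLE_EXE),
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run", "msnupdt", _SVCHOST, _SAMPLE_EXE),
    RegEvent(r"\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "msnupdt", _SVCHOST, _SAMPLE_EXE),
    RegEvent(_FW + r"\AuthorizedApplications\List", r"C:\Program Files\Example\example.exe", r"C:\Program Files\Example\example.exe:*:Enabled:Example App", "example-setup.exe"),
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe", "msiexec.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Run as-is it prints six findings for the report's events and none for the two controls: one DoNotAllowExceptions reset, two enabled exceptions for AppData paths (the svchost.exe one additionally flagged for its name), and three Run-key entries. On a live host the same keys can be listed with `reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List`.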
Suspicious use of SetThreadContext (1 IoC)
description | pid | process | procid_target
PID 4892 set thread context of 4496 | 4892 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 86
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe (4 occurrences)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe (2 occurrences)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (4 occurrences)
Most of these opens come from cmd.exe and reg.exe, i.e. from ordinary Windows binaries doing ordinary locale lookups, so this signature carries little weight on its own.
Modifies registry key (1 TTP, 4 IoCs)
pid | process
2692 | reg.exe
2548 | reg.exe
896 | reg.exe
2064 | reg.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
All 35 entries are for PID 4496, JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe. Tokens in the order logged:
1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
The numeric entries are privilege LUIDs the sandbox did not resolve to a name (31 to 35 are SeTrustedCredManAccess, SeRelabel, SeIncreaseWorkingSet, SeTimeZone and SeCreateSymbolicLink; LUID 1 is below the lowest defined privilege). Together with the named ones they form the contiguous LUID range 1 to 35: the process walks every privilege LUID and tries to enable each, rather than requesting the one or two it needs. AdjustTokenPrivileges can only enable privileges the token already holds, so in a non-elevated process most of these attempts have no effect.
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | process
4496 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe (3 occurrences)
Suspicious use of WriteProcessMemory (32 IoCs)
description | pid | process | procid_target | occurrences
PID 4892 wrote to memory of 4496 | 4892 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 86 | 8
PID 4496 wrote to memory of 4692 | 4496 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 88 | 3
PID 4496 wrote to memory of 4936 | 4496 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 89 | 3
PID 4496 wrote to memory of 1464 | 4496 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 90 | 3
PID 4496 wrote to memory of 4952 | 4496 | JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe | 91 | 3
PID 4936 wrote to memory of 896 | 4936 | cmd.exe | 96 | 3
PID 4952 wrote to memory of 2064 | 4952 | cmd.exe | 97 | 3
PID 4692 wrote to memory of 2548 | 4692 | cmd.exe | 98 | 3
PID 1464 wrote to memory of 2692 | 1464 | cmd.exe | 99 | 3
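Read together, the SetThreadContext and WriteProcessMemory rows separate into two patterns. Every cmd.exe and reg.exe spawn shows exactly three writes from its parent and no thread-context change; that is the fixed handful of writes a parent makes into a child it is creating. The pair 4892 to 4496 is different: eight writes and then SetThreadContext, from the original sample in AppData\Local\Temp into its own copy in AppData\Roaming, which is the classic hollowing sequence (create a child, overwrite its image, redirect its entry point). It is consistent with the YARA section above, where all 13 family_blackshades hits are memory dumps of PID 4496 at 0x400000 to 0x459000, the default image base of a 32-bit executable. The following is an added example, not tria.ge code: it builds that distinction into a rule and runs it over process and API records constructed from the report's process tree and the two tables above (parent PIDs and image paths are taken from the tree; the sample has no recorded parent, so it is given none).

```python
"""Process-hollowing candidates from process-creation, WriteProcessMemory and
SetThreadContext relations. Added example, not tria.ge code; PROCS and EVENTS
are constructed from the report's process tree and signature tables."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]  # None when the parent lies outside the capture
    image: str


@dataclass(frozen=True)
class ApiEvent:
    api: str  # "WriteProcessMemory" or "SetThreadContext"
    src: int  # calling PID
    dst: int  # target PID


@dataclass
class Finding:
    src: int
    dst: int
    reasons: List[str]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _relations(events: List[ApiEvent]):
    writes = Counter((e.src, e.dst) for e in events if e.api == "WriteProcessMemory")
    ctx = {(e.src, e.dst) for e in events if e.api == "SetThreadContext"}
    return writes, ctx


def find_hollowing(procs: List[Proc], events: List[ApiEvent]) -> List[Finding]:
    """A (src, dst) pair is a candidate only when src both wrote into dst and
    changed a thread context in dst. Writes alone are not enough, because a
    parent also writes into every child it creates (see creation_writes)."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    writes, ctx = _relations(events)
    findings = []
    for src, dst in sorted(ctx):
        if (src, dst) not in writes:
            continue
        s, d = by_pid.get(src), by_pid.get(dst)
        reasons = [f"{writes[(src, dst)]} WriteProcessMemory calls followed by SetThreadContext"]
        if d is not None and d.ppid == src:
            reasons.append("target is a direct child of the writer")
        if (s is not None and d is not None and _basename(s.image) == _basename(d.image)
                and s.image.lower() != d.image.lower()):
            reasons.append("target is a copy of the writer's own image under another path")
        findings.append(Finding(src, dst, reasons))
    return findings


def creation_writes(procs: List[Proc], events: List[ApiEvent]) -> Dict[Tuple[int, int], int]:
    """Parent-to-child write pairs with no SetThreadContext: the noise the
    hollowing rule deliberately ignores, returned so an analyst can inspect it."""
    by_pid = {p.pid: p for p in procs}
    writes, ctx = _relations(events)
    return {pair: n for pair, n in writes.items()
            if pair not in ctx and pair[1] in by_pid and by_pid[pair[1]].ppid == pair[0]}


# Records constructed from the report (PIDs, parents and images as shown in the tree).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
PROCS = [
    Proc(4892, None, SAMPLE), Proc(4496, 4892, COPY),
    Proc(4692, 4496, CMD), Proc(4936, 4496, CMD), Proc(1464, 4496, CMD), Proc(4952, 4496, CMD),
    Proc(2548, 4692, REG), Proc(896, 4936, REG), Proc(2692, 1464, REG), Proc(2064, 4952, REG),
]


def _writes(src: int, dst: int, n: int) -> List[ApiEvent]:
    return [ApiEvent("WriteProcessMemory", src, dst)] * n


EVENTS = (
    _writes(4892, 4496, 8) + [ApiEvent("SetThreadContext", 4892, 4496)]
    + _writes(4496, 4692, 3) + _writes(4496, 4936, 3) + _writes(4496, 1464, 3) + _writes(4496, 4952, 3)
    + _writes(4936, 896, 3) + _writes(4952, 2064, 3) + _writes(4692, 2548, 3) + _writes(1464, 2692, 3)
)

if __name__ == "__main__":
    for f in find_hollowing(PROCS, EVENTS):
        print(f"hollowing candidate {f.src} -> {f.dst}: " + "; ".join(f.reasons))
    print("ignored creation writes:", creation_writes(PROCS, EVENTS))
```

On the report's data the rule yields a single candidate, 4892 into 4496, with all three reasons, and eight ignored parent-to-child pairs of three writes each. The same logic transfers to Sysmon-style telemetry once the API relations are available (for instance from an EDR's process-access events).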
Processes
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe"
    PID: 4892
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe
        command line: C:\Users\Admin\AppData\Roaming\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe
        PID: 4496
        - Adds policy Run key to start application
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            PID: 4692
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\reg.exe
                command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                PID: 2548
                - Modifies firewall policy service
                - System Location Discovery: System Language Discovery
                - Modifies registry key
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe:*:Enabled:Windows Messanger" /f
            PID: 4936
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\reg.exe
                command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JaffaCakes118_acf8f113d228a1cdc43753c496c63039.exe:*:Enabled:Windows Messanger" /f
                PID: 896
                - Modifies firewall policy service
                - System Location Discovery: System Language Discovery
                - Modifies registry key
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            PID: 1464
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\reg.exe
                command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                PID: 2692
                - Modifies firewall policy service
                - System Location Discovery: System Language Discovery
                - Modifies registry key
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
            PID: 4952
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\reg.exe
                command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
                PID: 2064
                - Modifies firewall policy service
                - System Location Discovery: System Language Discovery
                - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
This automated mapping covers only the Run-key and Startup-folder persistence; the firewall-policy changes and the SetThreadContext/WriteProcessMemory injection into the dropped copy are recorded in the signatures above but are not reflected here.
Downloads
- Filesize: 13KB
  MD5: d0c1a1acb3c657b797fce8cffc9b5f63
  SHA1: 005f864733bb63d5088353b19caa32dd866ecd14
  SHA256: 56be4e8a1c29a65357c5605086846d509c8334e98e222e9bd2c67c8f9b366a77
  SHA512: dcdd37665d67e5df572c769c6ff5b9b398ba09edbb72d6760fdd9a1ad20602f458bb087cc8ebb34c1ebe197c9c0108ee9bc3f2a46de6848f163e8d414b12632a
- Filesize: 16KB
  MD5: 0d06014a9e60cbafd52ae439e137dece
  SHA1: b0da133e09fac1a3746a0fb534184fc512328083
  SHA256: 06a745c9509ae294f69dcc412ff1d2b95c5e660c09702dc9d36d3308a845f200
  SHA512: 312c8eb2cfb8c06fed0404e1cfcd905349ab653b872c6f2b0dfa8d3d97f218192702e8290fce973a94934f21f3617009fa34359a3394dc70c14a7e304c00e225