Analysis

  • max time kernel
    147s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/02/2025, 17:36 UTC

General

  • Target

    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe

  • Size

    464KB

  • MD5

    adc844e3b174221e16e0ac1160c008d4

  • SHA1

    6af2dc19c752b97f562be0cdfda9947092dc04f6

  • SHA256

    879e371f52ab0699918e72672d4bd86db3f2154893f8ca63502a4356b052e8e1

  • SHA512

    cf8b23d543ec87c268c7f7c0d2d0b72395fe5e47ccdfdc1139562dc34dc14d27cbf95dd683c7c84aa5134fc69c6fb56c1ba969b0c5836534807be9a0f0f3765a

  • SSDEEP

    12288:5W94GN7fiIEAeLHJx0fL0R5c7pIkH1rUwI/udPdA3hiWKhhaaGwWTYx89xcpG:094GN7fiIEAeLHJx0D4EpIKTVdAxinQp

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 16 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe"
      2⤵
      • Adds policy Run key to start application
      • Boot or Logon Autostart Execution: Active Setup
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2672
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2820
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2928
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\update.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\update.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\update.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\update.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2916

Network

  • flag-us
    DNS
    laxguy.no-ip.biz
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    Remote address:
    8.8.8.8:53
    Request
    laxguy.no-ip.biz
    IN A
    Response
    laxguy.no-ip.biz
    IN A
    78.159.135.230
  • flag-us
    DNS
    1laxguy.no-ip.biz
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    Remote address:
    8.8.8.8:53
    Request
    1laxguy.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    2laxguy.no-ip.biz
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    Remote address:
    8.8.8.8:53
    Request
    2laxguy.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    3laxguy.no-ip.biz
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    Remote address:
    8.8.8.8:53
    Request
    3laxguy.no-ip.biz
    IN A
    Response
    3laxguy.no-ip.biz
    IN A
    78.159.135.230
  • flag-us
    DNS
    4laxguy.no-ip.biz
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    Remote address:
    8.8.8.8:53
    Request
    4laxguy.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    5laxguy.no-ip.biz
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    Remote address:
    8.8.8.8:53
    Request
    5laxguy.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    6laxguy.no-ip.biz
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    Remote address:
    8.8.8.8:53
    Request
    6laxguy.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    7laxguy.no-ip.biz
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    Remote address:
    8.8.8.8:53
    Request
    7laxguy.no-ip.biz
    IN A
    Response
  • 78.159.135.230:83
    laxguy.no-ip.biz
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    152 B
    3
  • 78.159.135.230:83
    laxguy.no-ip.biz
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    152 B
    3
  • 78.159.135.230:83
    3laxguy.no-ip.biz
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    152 B
    3
  • 8.8.8.8:53
    laxguy.no-ip.biz
    dns
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    62 B
    78 B
    1
    1

    DNS Request

    laxguy.no-ip.biz

    DNS Response

    78.159.135.230

  • 8.8.8.8:53
    1laxguy.no-ip.biz
    dns
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    63 B
    123 B
    1
    1

    DNS Request

    1laxguy.no-ip.biz

  • 8.8.8.8:53
    2laxguy.no-ip.biz
    dns
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    63 B
    123 B
    1
    1

    DNS Request

    2laxguy.no-ip.biz

  • 8.8.8.8:53
    3laxguy.no-ip.biz
    dns
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    63 B
    79 B
    1
    1

    DNS Request

    3laxguy.no-ip.biz

    DNS Response

    78.159.135.230

  • 8.8.8.8:53
    4laxguy.no-ip.biz
    dns
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    63 B
    123 B
    1
    1

    DNS Request

    4laxguy.no-ip.biz

  • 8.8.8.8:53
    5laxguy.no-ip.biz
    dns
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    63 B
    123 B
    1
    1

    DNS Request

    5laxguy.no-ip.biz

  • 8.8.8.8:53
    6laxguy.no-ip.biz
    dns
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    63 B
    123 B
    1
    1

    DNS Request

    6laxguy.no-ip.biz

  • 8.8.8.8:53
    7laxguy.no-ip.biz
    dns
    JaffaCakes118_adc844e3b174221e16e0ac1160c008d4.exe
    63 B
    123 B
    1
    1

    DNS Request

    7laxguy.no-ip.biz

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\update.exe

    Filesize

    464KB

    MD5

    adc844e3b174221e16e0ac1160c008d4

    SHA1

    6af2dc19c752b97f562be0cdfda9947092dc04f6

    SHA256

    879e371f52ab0699918e72672d4bd86db3f2154893f8ca63502a4356b052e8e1

    SHA512

    cf8b23d543ec87c268c7f7c0d2d0b72395fe5e47ccdfdc1139562dc34dc14d27cbf95dd683c7c84aa5134fc69c6fb56c1ba969b0c5836534807be9a0f0f3765a

  • memory/1284-26-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1284-27-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1284-6-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1284-4-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1284-10-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1284-22-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1284-21-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1284-23-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1284-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1284-25-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1284-3-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1284-29-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1284-30-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1284-31-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1284-33-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1284-34-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1284-35-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1284-37-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1284-38-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB
