Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250207-en -
resource tags
-
submitted
07-02-2025 23:40
General
-
Target
JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe
-
Size
672KB
-
MD5
bcafc79e3bff707f85b81c371243e101
-
SHA1
e6458c00ce9c743cfa3ecd7aa65fd133da27d136
-
SHA256
01e3fb379387c569f03bb90fe3369ef98261a3fa9185edf9af73f26d72ba80bb
-
SHA512
108ce9bd8049931fa71c93524b7514233718cb7cfb728c1e9820a5070fdc761536af9645bce23b8ee4f3b05cd1774ed40c7180b3536b8593eb919935abd67f99
-
SSDEEP
12288:7I7TyVli2X4DeSMhjp2kRn3fNvmqPIj81P9gbJraFH/g5rxiQt7k:WTei2oaPhHZ5mqS81P9ghay5dn
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 12 IoCs
-
Modifies firewall policy service 3 TTPs 10 IoCs
-
Downloads MZ/PE file 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry key 1 TTPs 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3ww_oaga.cmdline"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB101.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB100.tmp"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\B0ey5D.exe"C:\Users\Admin\AppData\Local\Temp\B0ey5D.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n7n9cqnk.cmdline"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\[INJECT-INTO].exeC:\Users\Admin\AppData\Local\Temp\[INJECT-INTO].exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\[INJECT-INTO].exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\[INJECT-INTO].exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\[INJECT-INTO].exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\[INJECT-INTO].exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\I56XO8J9R6.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\I56XO8J9R6.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\I56XO8J9R6.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\I56XO8J9R6.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDE1REU2RDctOUI1NC00NUIwLUJDRTEtMzdBQzVENTVCQzA4fSIgdXNlcmlkPSJ7Nzk1NERDOEQtMEVDMi00MDI3LTg1RjEtNzdGNzYwOEM4QjE4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RjFFQUNFNTAtMTFDRi00NjNELTk4MzYtNTU1RUIxNzI1RkRGfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTg2NzIxMTY4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD52cbc47d1af449024632d29cb065cac2a
SHA1daf453c2d35704d8d299a2233d44e570d6e1effa
SHA256547dfd1897371aa271201c088ac816fb8e6729156dd0e29989f573d111ee8758
SHA5120b6499e064634a4bcd2364c107a29bb929711030f8084f5c69b9d5e8b360b9629284bab38541790b528691aee6e2ae5dffd68a7f1720d8143d17a2ac29b202aa
-
Filesize
1KB
MD5c0143a5df87f2da943c686b7d88b5e36
SHA1c06fcfce7e0f12680ebd74f42ea164c5d25b6af7
SHA2568b11b7cec3f376034e1fe01aefeb32003664c9fdd7405c937ff0e9233aeeaf37
SHA51234c04c1ee9ab091a67e2c1cb79d332668394ca71447bcc5b7be12f831b5802aa6d0e630264c8d92087e4ead08afaf205b63e8f6eebee0c2b0d41ab6188270ba8
-
Filesize
34KB
MD5e118330b4629b12368d91b9df6488be0
SHA1ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA2563a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0
-
Filesize
1KB
MD50d8bfefc47cbaa18cb21568fb4c67dda
SHA12d579fc297c776c0a93b206b68a2a404cfc70864
SHA25624eba0abffc6f8f47f713c1fd77a0a0e88fcd9443e9afd87efb4a4d685300d7c
SHA51233469a80cdb9d8607fc87ed96f8db61a42a836f80193994ceea8f751748f54979e35112b51065330597c44121a673430886beb9ae2e45389cd664944ec2415fe
-
Filesize
259B
MD500befb6fd8b2f26c746084b7f5650ace
SHA1535ae7684e50ee2249a10477d5a1f97a92ae67a6
SHA256ec1c06fcca13c9263ba7076809d2e9d21bffeadf10a25f2939a392ce0ed07002
SHA512c44b76b65f71000bce4210876fa0adb9afe93714450b2d2f9116f953cdb70a30c45781f91a8d86ed031a0f13b2083bc16354238bb4e45754fbc2748e3721e1d3
-
Filesize
644B
MD56a839250f168a7421004a2b77ee5c3d2
SHA181ba3f3b5bc6864b95d187f2751307fc1e7842ec
SHA2569cf0ca48aedb822be6530fdc7f6c2c9ac78c16605c72e3e6937c7d9f23eb4be5
SHA512228d3a34513060b9e81e3211ba74b7685446d6a4c315ce28bac94ce22eb89533c2f48e9277e8637401874c8ad9e0a0ecc3a0d2495764cf3b03a928372768914c
-
Filesize
4KB
MD50afd1bbd9af7844607f71d543d4de02f
SHA15137e9ca4ec9bb312312d388fb01dd246dd08178
SHA256e404b75539ea4a5ea3b2b0a8daf3d62c5eb2253fb9e50a75feb0fd771c8ed629
SHA512d09f6f37bc8d972f5856ddfc8ce53f2bc54d26fbfe3bd8414b0136a2708dc3bc07cbf5242c79648dabab3d655462edc86cbad29751863f0296a135ac71cfd4c1
-
Filesize
321B
MD5b2477c30cf42bb1fa8d4281f7c9d277e
SHA16c6df6dc37797b61f8aeb8267774e490bbbc8867
SHA2568ed4326332cff3a696456dc2214873b68a303dbe60c9de5445aae5c4e8252d79
SHA512f9f2457ad52f2a39b20aad01565acef9fa14de6427554abfc6c21a0f50ad6cf345dd8d3cbc6edc357aa89df8f3d7fe69c0ff3cea3c9f36b749e5539e42e7f490
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB