Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/02/2025, 05:42
Behavioral task: behavioral1
- Sample: JaffaCakes118_b39c74780c2d2bbf7974fc1f138ba2c5.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_b39c74780c2d2bbf7974fc1f138ba2c5.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_b39c74780c2d2bbf7974fc1f138ba2c5.exe
- Size: 5.5MB
- MD5: b39c74780c2d2bbf7974fc1f138ba2c5
- SHA1: ade02c6dcd09289a9e9ffb4425f74bd687ea2aef
- SHA256: 6a5b4981a7cd40b05bb466188315201082910b32134ccdf23012747264bb6603
- SHA512: 6db667ab5c2e6c5edfb2e3460667ccf37341f956f514f4d43eee414b893623d1147a6fb1f56a22055af8398d3b36c91d4e456621d46c8421dae9e087717a8f44
- SSDEEP: 49152:edq+YWfznMv72HP7moIKmfa1tYRGvM7gO70C:WPYWfe2HDiKmfaXYRB7j7F
Malware Config
Signatures
- Blackshades
  Blackshades is a remote access trojan with various capabilities.
- Blackshades family
- Blackshades payload (14 IoCs)
  resource / yara_rule:
    behavioral2/memory/4504-27-0x0000000000400000-0x0000000000475000-memory.dmp: family_blackshades
    behavioral2/memory/4504-44-0x0000000000400000-0x0000000000475000-memory.dmp: family_blackshades
    behavioral2/memory/4504-48-0x0000000000400000-0x0000000000475000-memory.dmp: family_blackshades
    behavioral2/memory/4504-51-0x0000000000400000-0x0000000000475000-memory.dmp: family_blackshades
    behavioral2/memory/4504-53-0x0000000000400000-0x0000000000475000-memory.dmp: family_blackshades
    behavioral2/memory/4504-55-0x0000000000400000-0x0000000000475000-memory.dmp: family_blackshades
    behavioral2/memory/4504-58-0x0000000000400000-0x0000000000475000-memory.dmp: family_blackshades
    behavioral2/memory/4504-60-0x0000000000400000-0x0000000000475000-memory.dmp: family_blackshades
    behavioral2/memory/4504-65-0x0000000000400000-0x0000000000475000-memory.dmp: family_blackshades
    behavioral2/memory/4504-67-0x0000000000400000-0x0000000000475000-memory.dmp: family_blackshades
    behavioral2/memory/4504-69-0x0000000000400000-0x0000000000475000-memory.dmp: family_blackshades
    behavioral2/memory/4504-72-0x0000000000400000-0x0000000000475000-memory.dmp: family_blackshades
    behavioral2/memory/4504-74-0x0000000000400000-0x0000000000475000-memory.dmp: family_blackshades
    behavioral2/memory/4504-76-0x0000000000400000-0x0000000000475000-memory.dmp: family_blackshades
- Modifies firewall policy service (3 TTPs, 10 IoCs)
  description / ioc / Process:
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications (reg.exe)
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
    Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
    Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\shit2.exe = "C:\\Users\\Admin\\AppData\\Roaming\\shit2.exe:*:Enabled:Windows Messanger" (reg.exe)
    Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\system32\xxx.exe = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\xxx.exe:*:Enabled:Windows Messanger" (reg.exe)
    Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / Process:
    Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (JaffaCakes118_b39c74780c2d2bbf7974fc1f138ba2c5.exe)
- Executes dropped EXE (3 IoCs)
  pid / Process:
    2852 xxx.exe
    4504 xxx.exe
    2232 xxx.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process:
    Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxx.exe = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\xxx.exe" (reg.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  description / pid / Process / procid_target:
    PID 2852 set thread context of 4504 (pid 2852, xxx.exe, procid_target 87)
    PID 2852 set thread context of 2232 (pid 2852, xxx.exe, procid_target 88)
  resource / yara_rule:
    behavioral2/memory/448-0-0x0000000000400000-0x000000000098A000-memory.dmp: upx
    behavioral2/files/0x000a000000023b98-11.dat: upx
    behavioral2/memory/448-20-0x0000000000400000-0x000000000098A000-memory.dmp: upx
    behavioral2/memory/4504-27-0x0000000000400000-0x0000000000475000-memory.dmp: upx
    behavioral2/memory/2852-26-0x0000000000400000-0x000000000098A000-memory.dmp: upx
    behavioral2/memory/4504-24-0x0000000000400000-0x0000000000475000-memory.dmp: upx
    behavioral2/memory/2852-41-0x0000000000400000-0x000000000098A000-memory.dmp: upx
    behavioral2/memory/4504-21-0x0000000000400000-0x0000000000475000-memory.dmp: upx
    behavioral2/memory/4504-44-0x0000000000400000-0x0000000000475000-memory.dmp: upx
    behavioral2/memory/4504-48-0x0000000000400000-0x0000000000475000-memory.dmp: upx
    behavioral2/memory/4504-51-0x0000000000400000-0x0000000000475000-memory.dmp: upx
    behavioral2/memory/4504-53-0x0000000000400000-0x0000000000475000-memory.dmp: upx
    behavioral2/memory/4504-55-0x0000000000400000-0x0000000000475000-memory.dmp: upx
    behavioral2/memory/4504-58-0x0000000000400000-0x0000000000475000-memory.dmp: upx
    behavioral2/memory/4504-60-0x0000000000400000-0x0000000000475000-memory.dmp: upx
    behavioral2/memory/4504-65-0x0000000000400000-0x0000000000475000-memory.dmp: upx
    behavioral2/memory/4504-67-0x0000000000400000-0x0000000000475000-memory.dmp: upx
    behavioral2/memory/4504-69-0x0000000000400000-0x0000000000475000-memory.dmp: upx
    behavioral2/memory/4504-72-0x0000000000400000-0x0000000000475000-memory.dmp: upx
    behavioral2/memory/4504-74-0x0000000000400000-0x0000000000475000-memory.dmp: upx
    behavioral2/memory/4504-76-0x0000000000400000-0x0000000000475000-memory.dmp: upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 14 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_b39c74780c2d2bbf7974fc1f138ba2c5.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (xxx.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (xxx.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (xxx.exe)
- Modifies registry key (1 TTPs, 4 IoCs)
  pid / Process:
    4844 reg.exe
    1324 reg.exe
    452 reg.exe
    760 reg.exe
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  description / pid / Process:
    Token: 1 (4504 xxx.exe)
    Token: SeCreateTokenPrivilege (4504 xxx.exe)
    Token: SeAssignPrimaryTokenPrivilege (4504 xxx.exe)
    Token: SeLockMemoryPrivilege (4504 xxx.exe)
    Token: SeIncreaseQuotaPrivilege (4504 xxx.exe)
    Token: SeMachineAccountPrivilege (4504 xxx.exe)
    Token: SeTcbPrivilege (4504 xxx.exe)
    Token: SeSecurityPrivilege (4504 xxx.exe)
    Token: SeTakeOwnershipPrivilege (4504 xxx.exe)
    Token: SeLoadDriverPrivilege (4504 xxx.exe)
    Token: SeSystemProfilePrivilege (4504 xxx.exe)
    Token: SeSystemtimePrivilege (4504 xxx.exe)
    Token: SeProfSingleProcessPrivilege (4504 xxx.exe)
    Token: SeIncBasePriorityPrivilege (4504 xxx.exe)
    Token: SeCreatePagefilePrivilege (4504 xxx.exe)
    Token: SeCreatePermanentPrivilege (4504 xxx.exe)
    Token: SeBackupPrivilege (4504 xxx.exe)
    Token: SeRestorePrivilege (4504 xxx.exe)
    Token: SeShutdownPrivilege (4504 xxx.exe)
    Token: SeDebugPrivilege (4504 xxx.exe)
    Token: SeAuditPrivilege (4504 xxx.exe)
    Token: SeSystemEnvironmentPrivilege (4504 xxx.exe)
    Token: SeChangeNotifyPrivilege (4504 xxx.exe)
    Token: SeRemoteShutdownPrivilege (4504 xxx.exe)
    Token: SeUndockPrivilege (4504 xxx.exe)
    Token: SeSyncAgentPrivilege (4504 xxx.exe)
    Token: SeEnableDelegationPrivilege (4504 xxx.exe)
    Token: SeManageVolumePrivilege (4504 xxx.exe)
    Token: SeImpersonatePrivilege (4504 xxx.exe)
    Token: SeCreateGlobalPrivilege (4504 xxx.exe)
    Token: 31 (4504 xxx.exe)
    Token: 32 (4504 xxx.exe)
    Token: 33 (4504 xxx.exe)
    Token: 34 (4504 xxx.exe)
    Token: 35 (4504 xxx.exe)
    Token: SeDebugPrivilege (2232 xxx.exe)
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid / Process:
    448 JaffaCakes118_b39c74780c2d2bbf7974fc1f138ba2c5.exe
    2852 xxx.exe
    4504 xxx.exe
    4504 xxx.exe
    4504 xxx.exe
    2232 xxx.exe
- Suspicious use of WriteProcessMemory (48 IoCs)
  description / pid / Process / procid_target:
    PID 448 wrote to memory of 5092 (448 JaffaCakes118_b39c74780c2d2bbf7974fc1f138ba2c5.exe, procid_target 82)
    PID 448 wrote to memory of 5092 (448 JaffaCakes118_b39c74780c2d2bbf7974fc1f138ba2c5.exe, procid_target 82)
    PID 448 wrote to memory of 5092 (448 JaffaCakes118_b39c74780c2d2bbf7974fc1f138ba2c5.exe, procid_target 82)
    PID 5092 wrote to memory of 924 (5092 cmd.exe, procid_target 85)
    PID 5092 wrote to memory of 924 (5092 cmd.exe, procid_target 85)
    PID 5092 wrote to memory of 924 (5092 cmd.exe, procid_target 85)
    PID 448 wrote to memory of 2852 (448 JaffaCakes118_b39c74780c2d2bbf7974fc1f138ba2c5.exe, procid_target 86)
    PID 448 wrote to memory of 2852 (448 JaffaCakes118_b39c74780c2d2bbf7974fc1f138ba2c5.exe, procid_target 86)
    PID 448 wrote to memory of 2852 (448 JaffaCakes118_b39c74780c2d2bbf7974fc1f138ba2c5.exe, procid_target 86)
    PID 2852 wrote to memory of 4504 (2852 xxx.exe, procid_target 87)
    PID 2852 wrote to memory of 4504 (2852 xxx.exe, procid_target 87)
    PID 2852 wrote to memory of 4504 (2852 xxx.exe, procid_target 87)
    PID 2852 wrote to memory of 4504 (2852 xxx.exe, procid_target 87)
    PID 2852 wrote to memory of 4504 (2852 xxx.exe, procid_target 87)
    PID 2852 wrote to memory of 4504 (2852 xxx.exe, procid_target 87)
    PID 2852 wrote to memory of 4504 (2852 xxx.exe, procid_target 87)
    PID 2852 wrote to memory of 4504 (2852 xxx.exe, procid_target 87)
    PID 2852 wrote to memory of 2232 (2852 xxx.exe, procid_target 88)
    PID 2852 wrote to memory of 2232 (2852 xxx.exe, procid_target 88)
    PID 2852 wrote to memory of 2232 (2852 xxx.exe, procid_target 88)
    PID 2852 wrote to memory of 2232 (2852 xxx.exe, procid_target 88)
    PID 2852 wrote to memory of 2232 (2852 xxx.exe, procid_target 88)
    PID 2852 wrote to memory of 2232 (2852 xxx.exe, procid_target 88)
    PID 2852 wrote to memory of 2232 (2852 xxx.exe, procid_target 88)
    PID 4504 wrote to memory of 3300 (4504 xxx.exe, procid_target 89)
    PID 4504 wrote to memory of 3300 (4504 xxx.exe, procid_target 89)
    PID 4504 wrote to memory of 3300 (4504 xxx.exe, procid_target 89)
    PID 4504 wrote to memory of 3832 (4504 xxx.exe, procid_target 90)
    PID 4504 wrote to memory of 3832 (4504 xxx.exe, procid_target 90)
    PID 4504 wrote to memory of 3832 (4504 xxx.exe, procid_target 90)
    PID 4504 wrote to memory of 5112 (4504 xxx.exe, procid_target 91)
    PID 4504 wrote to memory of 5112 (4504 xxx.exe, procid_target 91)
    PID 4504 wrote to memory of 5112 (4504 xxx.exe, procid_target 91)
    PID 4504 wrote to memory of 3864 (4504 xxx.exe, procid_target 92)
    PID 4504 wrote to memory of 3864 (4504 xxx.exe, procid_target 92)
    PID 4504 wrote to memory of 3864 (4504 xxx.exe, procid_target 92)
    PID 3300 wrote to memory of 4844 (3300 cmd.exe, procid_target 97)
    PID 3300 wrote to memory of 4844 (3300 cmd.exe, procid_target 97)
    PID 3300 wrote to memory of 4844 (3300 cmd.exe, procid_target 97)
    PID 3864 wrote to memory of 452 (3864 cmd.exe, procid_target 98)
    PID 3864 wrote to memory of 452 (3864 cmd.exe, procid_target 98)
    PID 3864 wrote to memory of 452 (3864 cmd.exe, procid_target 98)
    PID 3832 wrote to memory of 1324 (3832 cmd.exe, procid_target 99)
    PID 3832 wrote to memory of 1324 (3832 cmd.exe, procid_target 99)
    PID 3832 wrote to memory of 1324 (3832 cmd.exe, procid_target 99)
    PID 5112 wrote to memory of 760 (5112 cmd.exe, procid_target 100)
    PID 5112 wrote to memory of 760 (5112 cmd.exe, procid_target 100)
    PID 5112 wrote to memory of 760 (5112 cmd.exe, procid_target 100)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b39c74780c2d2bbf7974fc1f138ba2c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b39c74780c2d2bbf7974fc1f138ba2c5.exe"
  PID: 448
  signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqJgT.bat" "
    PID: 5092
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "xxx.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system32\xxx.exe" /f
      PID: 924
      signatures: Adds Run key to start application; System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Roaming\system32\xxx.exe
    command line: "C:\Users\Admin\AppData\Roaming\system32\xxx.exe"
    PID: 2852
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\system32\xxx.exe
      command line: C:\Users\Admin\AppData\Roaming\system32\xxx.exe
      PID: 4504
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 3300
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe
          command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          PID: 4844
          signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
      - C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\system32\xxx.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system32\xxx.exe:*:Enabled:Windows Messanger" /f
        PID: 3832
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe
          command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\system32\xxx.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system32\xxx.exe:*:Enabled:Windows Messanger" /f
          PID: 1324
          signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
      - C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 5112
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe
          command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          PID: 760
          signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
      - C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\shit2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\shit2.exe:*:Enabled:Windows Messanger" /f
        PID: 3864
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe
          command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\shit2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\shit2.exe:*:Enabled:Windows Messanger" /f
          PID: 452
          signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
    - C:\Users\Admin\AppData\Roaming\system32\xxx.exe
      command line: C:\Users\Admin\AppData\Roaming\system32\xxx.exe
      PID: 2232
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (3)
Downloads
- Filesize: 139B
  MD5: 650665586f07db42c925008801b3275c
  SHA1: e79fe2127a3a837bd1eb832fcc157e81048f0954
  SHA256: 1463ba97685fb5bc10bed12a727110c2803bd0c592aa3ccd7070cffbccbad8ef
  SHA512: d483edd5805f0ffd7c19ee6b26153d77ab9ff273841bbd9bcb9ff1cb467d7e0f283d80601097ec412277d85e23e794e92ab503059212706e0f79377ad8186fb2
- Filesize: 5.5MB
  MD5: b39c74780c2d2bbf7974fc1f138ba2c5
  SHA1: ade02c6dcd09289a9e9ffb4425f74bd687ea2aef
  SHA256: 6a5b4981a7cd40b05bb466188315201082910b32134ccdf23012747264bb6603
  SHA512: 6db667ab5c2e6c5edfb2e3460667ccf37341f956f514f4d43eee414b893623d1147a6fb1f56a22055af8398d3b36c91d4e456621d46c8421dae9e087717a8f44