Analysis
-
max time kernel
148s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
13/02/2025, 18:12
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_f1f28a278a68a4a19ae7e09f2e771abe.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
JaffaCakes118_f1f28a278a68a4a19ae7e09f2e771abe.exe
Resource
win10v2004-20250211-en
General
-
Target
JaffaCakes118_f1f28a278a68a4a19ae7e09f2e771abe.exe
-
Size
467KB
-
MD5
f1f28a278a68a4a19ae7e09f2e771abe
-
SHA1
1f32c06b225663518baeb33cf387e10ebbfc418d
-
SHA256
4f50891ab33767224f13c86255e488528ac4a0f9f1367699c813e50cc9438a26
-
SHA512
cc12c95f59e0751ff3dc1820e6ac2673e2eb686a3370312eb58ae94a9831e2776ff8b357cef8eef7f39ec1bee1b3a691742b0d1b7b2500a263196f9f2b072f37
-
SSDEEP
6144:jUgmpVvfaHNWDsWpQ9QrhuKmZAogdeWbfSvkUmh3kQkUAo0W/heo2pzUwyuBvFY3:j/cVvmsqWW8phZCo0aeo+9Y3
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 11 IoCs
resource yara_rule behavioral1/memory/2064-4-0x0000000000400000-0x000000000045A000-memory.dmp family_blackshades behavioral1/memory/2064-13-0x0000000000400000-0x000000000045A000-memory.dmp family_blackshades behavioral1/memory/2064-14-0x0000000000400000-0x000000000045A000-memory.dmp family_blackshades behavioral1/memory/2064-16-0x0000000000400000-0x000000000045A000-memory.dmp family_blackshades behavioral1/memory/2064-17-0x0000000000400000-0x000000000045A000-memory.dmp family_blackshades behavioral1/memory/2064-18-0x0000000000400000-0x000000000045A000-memory.dmp family_blackshades behavioral1/memory/2064-20-0x0000000000400000-0x000000000045A000-memory.dmp family_blackshades behavioral1/memory/2064-21-0x0000000000400000-0x000000000045A000-memory.dmp family_blackshades behavioral1/memory/2064-22-0x0000000000400000-0x000000000045A000-memory.dmp family_blackshades behavioral1/memory/2064-25-0x0000000000400000-0x000000000045A000-memory.dmp family_blackshades behavioral1/memory/2064-28-0x0000000000400000-0x000000000045A000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\1PG49LDY4S.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1PG49LDY4S.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" reg.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\avgxv = "C:\\Users\\Admin\\AppData\\Roaming\\bscratfud2.exe" JaffaCakes118_f1f28a278a68a4a19ae7e09f2e771abe.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2896 set thread context of 2064 2896 JaffaCakes118_f1f28a278a68a4a19ae7e09f2e771abe.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_f1f28a278a68a4a19ae7e09f2e771abe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 2908 reg.exe 2640 reg.exe 2692 reg.exe 2788 reg.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: 1 2064 vbc.exe Token: SeCreateTokenPrivilege 2064 vbc.exe Token: SeAssignPrimaryTokenPrivilege 2064 vbc.exe Token: SeLockMemoryPrivilege 2064 vbc.exe Token: SeIncreaseQuotaPrivilege 2064 vbc.exe Token: SeMachineAccountPrivilege 2064 vbc.exe Token: SeTcbPrivilege 2064 vbc.exe Token: SeSecurityPrivilege 2064 vbc.exe Token: SeTakeOwnershipPrivilege 2064 vbc.exe Token: SeLoadDriverPrivilege 2064 vbc.exe Token: SeSystemProfilePrivilege 2064 vbc.exe Token: SeSystemtimePrivilege 2064 vbc.exe Token: SeProfSingleProcessPrivilege 2064 vbc.exe Token: SeIncBasePriorityPrivilege 2064 vbc.exe Token: SeCreatePagefilePrivilege 2064 vbc.exe Token: SeCreatePermanentPrivilege 2064 vbc.exe Token: SeBackupPrivilege 2064 vbc.exe Token: SeRestorePrivilege 2064 vbc.exe Token: SeShutdownPrivilege 2064 vbc.exe Token: SeDebugPrivilege 2064 vbc.exe Token: SeAuditPrivilege 2064 vbc.exe Token: SeSystemEnvironmentPrivilege 2064 vbc.exe Token: SeChangeNotifyPrivilege 2064 vbc.exe Token: SeRemoteShutdownPrivilege 2064 vbc.exe Token: SeUndockPrivilege 2064 vbc.exe Token: SeSyncAgentPrivilege 2064 vbc.exe Token: SeEnableDelegationPrivilege 2064 vbc.exe Token: SeManageVolumePrivilege 2064 vbc.exe Token: SeImpersonatePrivilege 2064 vbc.exe Token: SeCreateGlobalPrivilege 2064 vbc.exe Token: 31 2064 vbc.exe Token: 32 2064 vbc.exe Token: 33 2064 vbc.exe Token: 34 2064 vbc.exe Token: 35 2064 vbc.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2064 vbc.exe 2064 vbc.exe 2064 vbc.exe -
Suspicious use of WriteProcessMemory 41 IoCs
description pid Process procid_target PID 2896 wrote to memory of 2064 2896 JaffaCakes118_f1f28a278a68a4a19ae7e09f2e771abe.exe 30 PID 2896 wrote to memory of 2064 2896 JaffaCakes118_f1f28a278a68a4a19ae7e09f2e771abe.exe 30 PID 2896 wrote to memory of 2064 2896 JaffaCakes118_f1f28a278a68a4a19ae7e09f2e771abe.exe 30 PID 2896 wrote to memory of 2064 2896 JaffaCakes118_f1f28a278a68a4a19ae7e09f2e771abe.exe 30 PID 2896 wrote to memory of 2064 2896 JaffaCakes118_f1f28a278a68a4a19ae7e09f2e771abe.exe 30 PID 2896 wrote to memory of 2064 2896 JaffaCakes118_f1f28a278a68a4a19ae7e09f2e771abe.exe 30 PID 2896 wrote to memory of 2064 2896 JaffaCakes118_f1f28a278a68a4a19ae7e09f2e771abe.exe 30 PID 2896 wrote to memory of 2064 2896 JaffaCakes118_f1f28a278a68a4a19ae7e09f2e771abe.exe 30 PID 2896 wrote to memory of 2064 2896 JaffaCakes118_f1f28a278a68a4a19ae7e09f2e771abe.exe 30 PID 2064 wrote to memory of 2824 2064 vbc.exe 31 PID 2064 wrote to memory of 2824 2064 vbc.exe 31 PID 2064 wrote to memory of 2824 2064 vbc.exe 31 PID 2064 wrote to memory of 2824 2064 vbc.exe 31 PID 2064 wrote to memory of 2840 2064 vbc.exe 32 PID 2064 wrote to memory of 2840 2064 vbc.exe 32 PID 2064 wrote to memory of 2840 2064 vbc.exe 32 PID 2064 wrote to memory of 2840 2064 vbc.exe 32 PID 2064 wrote to memory of 2876 2064 vbc.exe 34 PID 2064 wrote to memory of 2876 2064 vbc.exe 34 PID 2064 wrote to memory of 2876 2064 vbc.exe 34 PID 2064 wrote to memory of 2876 2064 vbc.exe 34 PID 2064 wrote to memory of 2828 2064 vbc.exe 35 PID 2064 wrote to memory of 2828 2064 vbc.exe 35 PID 2064 wrote to memory of 2828 2064 vbc.exe 35 PID 2064 wrote to memory of 2828 2064 vbc.exe 35 PID 2824 wrote to memory of 2788 2824 cmd.exe 39 PID 2824 wrote to memory of 2788 2824 cmd.exe 39 PID 2824 wrote to memory of 2788 2824 cmd.exe 39 PID 2824 wrote to memory of 2788 2824 cmd.exe 39 PID 2828 wrote to memory of 2908 2828 cmd.exe 40 PID 2828 wrote to memory of 2908 2828 cmd.exe 40 PID 2828 wrote to memory of 2908 2828 cmd.exe 40 PID 2828 wrote to memory of 2908 2828 cmd.exe 40 PID 2840 wrote to memory of 2640 2840 cmd.exe 41 PID 2840 wrote to memory of 2640 2840 cmd.exe 41 PID 2840 wrote to memory of 2640 2840 cmd.exe 41 PID 2840 wrote to memory of 2640 2840 cmd.exe 41 PID 2876 wrote to memory of 2692 2876 cmd.exe 42 PID 2876 wrote to memory of 2692 2876 cmd.exe 42 PID 2876 wrote to memory of 2692 2876 cmd.exe 42 PID 2876 wrote to memory of 2692 2876 cmd.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f1f28a278a68a4a19ae7e09f2e771abe.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f1f28a278a68a4a19ae7e09f2e771abe.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2788
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2640
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2692
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\1PG49LDY4S.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\1PG49LDY4S.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\1PG49LDY4S.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\1PG49LDY4S.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2908
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1