Analysis
-
max time kernel
148s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
14/02/2025, 05:42
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_f42d9e79c561edda951939244e1ce786.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
JaffaCakes118_f42d9e79c561edda951939244e1ce786.exe
Resource
win10v2004-20250211-en
General
-
Target
JaffaCakes118_f42d9e79c561edda951939244e1ce786.exe
-
Size
187KB
-
MD5
f42d9e79c561edda951939244e1ce786
-
SHA1
5f7114f3f0034744f1d4f048cc862ad79cf46e7b
-
SHA256
4a714ae2213fc9a1ee42ccfd37f1e9cbf71b669fbc52c9158c863a748ac067c9
-
SHA512
67ca29180443350db29d187bcb5302127f898955d72940d3611a8ccc9879f0b6636fd9f3fb1fa609a190efe92767e92e158dd26172b85807a7d55801bc37140e
-
SSDEEP
3072:5YxqJnV83DvTr+cxKRA6a0ybBfB8OFnj74LN0IgNtBYRR7f642OGBzYCfWn0S:5EqJV8zbr5x56a0yNfKajEgR27fU2
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 12 IoCs
resource yara_rule behavioral1/memory/2488-20-0x0000000000400000-0x0000000000474000-memory.dmp family_blackshades behavioral1/memory/2488-16-0x0000000000400000-0x0000000000474000-memory.dmp family_blackshades behavioral1/memory/2488-31-0x0000000000400000-0x0000000000474000-memory.dmp family_blackshades behavioral1/memory/2488-32-0x0000000000400000-0x0000000000474000-memory.dmp family_blackshades behavioral1/memory/2488-33-0x0000000000400000-0x0000000000474000-memory.dmp family_blackshades behavioral1/memory/2488-35-0x0000000000400000-0x0000000000474000-memory.dmp family_blackshades behavioral1/memory/2488-37-0x0000000000400000-0x0000000000474000-memory.dmp family_blackshades behavioral1/memory/2488-38-0x0000000000400000-0x0000000000474000-memory.dmp family_blackshades behavioral1/memory/2488-39-0x0000000000400000-0x0000000000474000-memory.dmp family_blackshades behavioral1/memory/2488-45-0x0000000000400000-0x0000000000474000-memory.dmp family_blackshades behavioral1/memory/2488-49-0x0000000000400000-0x0000000000474000-memory.dmp family_blackshades behavioral1/memory/2488-50-0x0000000000400000-0x0000000000474000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Minecraft Account Cracker.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Minecraft Account Cracker.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Minecraft Account Cracker.exe" svchost.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{406DE37E-CA8E-CD5D-0EF4-2B7BB3E7EDAD}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Minecraft Account Cracker.exe" svchost.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{406DE37E-CA8E-CD5D-0EF4-2B7BB3E7EDAD} svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Active Setup\Installed Components\{406DE37E-CA8E-CD5D-0EF4-2B7BB3E7EDAD}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Minecraft Account Cracker.exe" svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{406DE37E-CA8E-CD5D-0EF4-2B7BB3E7EDAD} svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 2488 svchost.exe -
Loads dropped DLL 1 IoCs
pid Process 2128 JaffaCakes118_f42d9e79c561edda951939244e1ce786.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MsMpEng.exe" JaffaCakes118_f42d9e79c561edda951939244e1ce786.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Minecraft Account Cracker.exe" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Minecraft Account Cracker.exe" svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2128 set thread context of 2488 2128 JaffaCakes118_f42d9e79c561edda951939244e1ce786.exe 30 -
resource yara_rule behavioral1/memory/2488-20-0x0000000000400000-0x0000000000474000-memory.dmp upx behavioral1/memory/2488-16-0x0000000000400000-0x0000000000474000-memory.dmp upx behavioral1/memory/2488-15-0x0000000000400000-0x0000000000474000-memory.dmp upx behavioral1/memory/2488-12-0x0000000000400000-0x0000000000474000-memory.dmp upx behavioral1/memory/2488-9-0x0000000000400000-0x0000000000474000-memory.dmp upx behavioral1/memory/2488-8-0x0000000000400000-0x0000000000474000-memory.dmp upx behavioral1/memory/2488-31-0x0000000000400000-0x0000000000474000-memory.dmp upx behavioral1/memory/2488-32-0x0000000000400000-0x0000000000474000-memory.dmp upx behavioral1/memory/2488-33-0x0000000000400000-0x0000000000474000-memory.dmp upx behavioral1/memory/2488-35-0x0000000000400000-0x0000000000474000-memory.dmp upx behavioral1/memory/2488-37-0x0000000000400000-0x0000000000474000-memory.dmp upx behavioral1/memory/2488-38-0x0000000000400000-0x0000000000474000-memory.dmp upx behavioral1/memory/2488-39-0x0000000000400000-0x0000000000474000-memory.dmp upx behavioral1/memory/2488-45-0x0000000000400000-0x0000000000474000-memory.dmp upx behavioral1/memory/2488-49-0x0000000000400000-0x0000000000474000-memory.dmp upx behavioral1/memory/2488-50-0x0000000000400000-0x0000000000474000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_f42d9e79c561edda951939244e1ce786.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 2440 reg.exe 2464 reg.exe 2940 reg.exe 2928 reg.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 2128 JaffaCakes118_f42d9e79c561edda951939244e1ce786.exe Token: 1 2488 svchost.exe Token: SeCreateTokenPrivilege 2488 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2488 svchost.exe Token: SeLockMemoryPrivilege 2488 svchost.exe Token: SeIncreaseQuotaPrivilege 2488 svchost.exe Token: SeMachineAccountPrivilege 2488 svchost.exe Token: SeTcbPrivilege 2488 svchost.exe Token: SeSecurityPrivilege 2488 svchost.exe Token: SeTakeOwnershipPrivilege 2488 svchost.exe Token: SeLoadDriverPrivilege 2488 svchost.exe Token: SeSystemProfilePrivilege 2488 svchost.exe Token: SeSystemtimePrivilege 2488 svchost.exe Token: SeProfSingleProcessPrivilege 2488 svchost.exe Token: SeIncBasePriorityPrivilege 2488 svchost.exe Token: SeCreatePagefilePrivilege 2488 svchost.exe Token: SeCreatePermanentPrivilege 2488 svchost.exe Token: SeBackupPrivilege 2488 svchost.exe Token: SeRestorePrivilege 2488 svchost.exe Token: SeShutdownPrivilege 2488 svchost.exe Token: SeDebugPrivilege 2488 svchost.exe Token: SeAuditPrivilege 2488 svchost.exe Token: SeSystemEnvironmentPrivilege 2488 svchost.exe Token: SeChangeNotifyPrivilege 2488 svchost.exe Token: SeRemoteShutdownPrivilege 2488 svchost.exe Token: SeUndockPrivilege 2488 svchost.exe Token: SeSyncAgentPrivilege 2488 svchost.exe Token: SeEnableDelegationPrivilege 2488 svchost.exe Token: SeManageVolumePrivilege 2488 svchost.exe Token: SeImpersonatePrivilege 2488 svchost.exe Token: SeCreateGlobalPrivilege 2488 svchost.exe Token: 31 2488 svchost.exe Token: 32 2488 svchost.exe Token: 33 2488 svchost.exe Token: 34 2488 svchost.exe Token: 35 2488 svchost.exe Token: SeDebugPrivilege 2488 svchost.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2488 svchost.exe 2488 svchost.exe 2488 svchost.exe -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target PID 2128 wrote to memory of 2488 2128 JaffaCakes118_f42d9e79c561edda951939244e1ce786.exe 30 PID 2128 wrote to memory of 2488 2128 JaffaCakes118_f42d9e79c561edda951939244e1ce786.exe 30 PID 2128 wrote to memory of 2488 2128 JaffaCakes118_f42d9e79c561edda951939244e1ce786.exe 30 PID 2128 wrote to memory of 2488 2128 JaffaCakes118_f42d9e79c561edda951939244e1ce786.exe 30 PID 2128 wrote to memory of 2488 2128 JaffaCakes118_f42d9e79c561edda951939244e1ce786.exe 30 PID 2128 wrote to memory of 2488 2128 JaffaCakes118_f42d9e79c561edda951939244e1ce786.exe 30 PID 2128 wrote to memory of 2488 2128 JaffaCakes118_f42d9e79c561edda951939244e1ce786.exe 30 PID 2128 wrote to memory of 2488 2128 JaffaCakes118_f42d9e79c561edda951939244e1ce786.exe 30 PID 2488 wrote to memory of 2748 2488 svchost.exe 31 PID 2488 wrote to memory of 2748 2488 svchost.exe 31 PID 2488 wrote to memory of 2748 2488 svchost.exe 31 PID 2488 wrote to memory of 2748 2488 svchost.exe 31 PID 2488 wrote to memory of 2476 2488 svchost.exe 32 PID 2488 wrote to memory of 2476 2488 svchost.exe 32 PID 2488 wrote to memory of 2476 2488 svchost.exe 32 PID 2488 wrote to memory of 2476 2488 svchost.exe 32 PID 2488 wrote to memory of 2760 2488 svchost.exe 34 PID 2488 wrote to memory of 2760 2488 svchost.exe 34 PID 2488 wrote to memory of 2760 2488 svchost.exe 34 PID 2488 wrote to memory of 2760 2488 svchost.exe 34 PID 2488 wrote to memory of 2776 2488 svchost.exe 36 PID 2488 wrote to memory of 2776 2488 svchost.exe 36 PID 2488 wrote to memory of 2776 2488 svchost.exe 36 PID 2488 wrote to memory of 2776 2488 svchost.exe 36 PID 2748 wrote to memory of 2928 2748 cmd.exe 39 PID 2748 wrote to memory of 2928 2748 cmd.exe 39 PID 2748 wrote to memory of 2928 2748 cmd.exe 39 PID 2748 wrote to memory of 2928 2748 cmd.exe 39 PID 2760 wrote to memory of 2940 2760 cmd.exe 40 PID 2760 wrote to memory of 2940 2760 cmd.exe 40 PID 2760 wrote to memory of 2940 2760 cmd.exe 40 PID 2760 wrote to memory of 2940 2760 cmd.exe 40 PID 2476 wrote to memory of 2440 2476 cmd.exe 41 PID 2476 wrote to memory of 2440 2476 cmd.exe 41 PID 2476 wrote to memory of 2440 2476 cmd.exe 41 PID 2476 wrote to memory of 2440 2476 cmd.exe 41 PID 2776 wrote to memory of 2464 2776 cmd.exe 42 PID 2776 wrote to memory of 2464 2776 cmd.exe 42 PID 2776 wrote to memory of 2464 2776 cmd.exe 42 PID 2776 wrote to memory of 2464 2776 cmd.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f42d9e79c561edda951939244e1ce786.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f42d9e79c561edda951939244e1ce786.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\svchost.exe2⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2928
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2440
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2940
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Minecraft Account Cracker.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Minecraft Account Cracker.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Minecraft Account Cracker.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Minecraft Account Cracker.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2464
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31KB
MD5ed797d8dc2c92401985d162e42ffa450
SHA10f02fc517c7facc4baefde4fe9467fb6488ebabe
SHA256b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
SHA512e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2