Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    14/02/2025, 07:54

General

  • Target

    JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe

  • Size

    784KB

  • MD5

    f556539439da85b1bfb46dc17444349c

  • SHA1

    c805585d22c592adca4b35ec0ddcce0b1156836b

  • SHA256

    44a8a3928c9f10f6b19bed527d7ce020db4f3a8efa635e5ef77ffca47ebfdfaa

  • SHA512

    bfeebc9f6fcfd1e830eba4a74587ecde805abcef8d41865e603151ee6f81bce7b2dd1af28036bdec548f49ea2039dde1bd1988a88bf6564a26afc9db6c9fd832

  • SSDEEP

    24576:iFmcH5C0jCDwUvNprLyIj6bjgICOj5mWeHoFS:iFmOODvfr5j4jQOFmfHoFS

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 19 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 20 IoCs
  • Loads dropped DLL 14 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry key 1 TTPs 4 IoCs
  • Runs ping.exe 1 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\caca.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\caca2.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\caca2.bat" "
          4⤵
          • Drops startup file
          • System Location Discovery: System Language Discovery
          PID:2888
    • C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1104
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svchost.exe" /t REG_SZ /d "C:\Windows\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1252
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svchost.exe" /t REG_SZ /d "C:\Windows\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2500
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:796
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\drivergen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\drivergen.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:428
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\drivergen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\drivergen.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2304
    • C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      2⤵
      • Executes dropped EXE
      PID:2616
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\per.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:852
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1600
      • C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
        "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:876
        • C:\Windows\Temp\svchost.exe
          C:\Windows\Temp\svchost.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2368
        • C:\Windows\Temp\svchost.exe
          C:\Windows\Temp\svchost.exe
          4⤵
          • Executes dropped EXE
          PID:2164
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1384
      • C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
        "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1328
        • C:\Windows\Temp\svchost.exe
          C:\Windows\Temp\svchost.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1116
        • C:\Windows\Temp\svchost.exe
          C:\Windows\Temp\svchost.exe
          4⤵
          • Executes dropped EXE
          PID:1088
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:748
      • C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
        "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1932
        • C:\Windows\Temp\svchost.exe
          C:\Windows\Temp\svchost.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:556
        • C:\Windows\Temp\svchost.exe
          C:\Windows\Temp\svchost.exe
          4⤵
          • Executes dropped EXE
          PID:2184
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2744
      • C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
        "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2868
        • C:\Windows\Temp\svchost.exe
          C:\Windows\Temp\svchost.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2644
        • C:\Windows\Temp\svchost.exe
          C:\Windows\Temp\svchost.exe
          4⤵
          • Executes dropped EXE
          PID:2636
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2888
      • C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
        "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2304
        • C:\Windows\Temp\svchost.exe
          C:\Windows\Temp\svchost.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:428
        • C:\Windows\Temp\svchost.exe
          C:\Windows\Temp\svchost.exe
          4⤵
          • Executes dropped EXE
          PID:1252
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:564
      • C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
        "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1160
        • C:\Windows\Temp\svchost.exe
          C:\Windows\Temp\svchost.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2696
        • C:\Windows\Temp\svchost.exe
          C:\Windows\Temp\svchost.exe
          4⤵
          • Executes dropped EXE
          PID:1956

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\caca.bat

    Filesize

    47B

    MD5

    58ccb87aa1da4939df403810f1e68b6b

    SHA1

    dc8551f41682e5cb1dd25af3f11a789b1d37b295

    SHA256

    eccc9f27214ff49689c1f597c0d3d3a3e45391064fd0baa9b5e0e03931b7822b

    SHA512

    17ad698f496a445c5cbd0972df9fe966081a3cbee33fb7d7e003890ae946c65687b85b9b16990a872338d00d798b82dee06e86bd2d38b01ad292048134688fd0

  • C:\Users\Admin\AppData\Local\Temp\caca2.bat

    Filesize

    151B

    MD5

    ed28c618f7d8306e3736432b58bb5d27

    SHA1

    441e6dab70e31d9c599fcd9e2d32009038781b42

    SHA256

    d9aa03911260779b1f8a9b046a7ecf7aa87b0f13c762491fe8e06c482bac09a3

    SHA512

    4257d8839e881a9ab6de6230a9df1e81456cb796eb9ee2361789fa5fe4c81b297ed1c472f91d97bb0b2ebdb6acadb924617e6ffd32fc96d8ddcebf8fee4a7880

  • C:\Users\Admin\AppData\Local\Temp\invs.vbs

    Filesize

    78B

    MD5

    c578d9653b22800c3eb6b6a51219bbb8

    SHA1

    a97aa251901bbe179a48dbc7a0c1872e163b1f2d

    SHA256

    20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

    SHA512

    3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

  • C:\Users\Admin\AppData\Local\Temp\per.bat

    Filesize

    111B

    MD5

    851c0e754a2e3663cbfdc09777323516

    SHA1

    e9f67ac8c5d22c5c47b71d2a51b6aa5076b9287a

    SHA256

    b97c58636ccaa18444a0e317e5a8b8112147e5c5a53777085f035779648c7eeb

    SHA512

    2efde32aad3b7278f6ea2bd8a688fe30ce75b2914b59dba87b2999dc199ae4a63c0dc08f476096807e2ecd96d4f860ebf988b420c68536accc038b22a7e738d0

  • C:\Users\Admin\AppData\Local\Temp\rundll32 .exe

    Filesize

    784KB

    MD5

    f556539439da85b1bfb46dc17444349c

    SHA1

    c805585d22c592adca4b35ec0ddcce0b1156836b

    SHA256

    44a8a3928c9f10f6b19bed527d7ce020db4f3a8efa635e5ef77ffca47ebfdfaa

    SHA512

    bfeebc9f6fcfd1e830eba4a74587ecde805abcef8d41865e603151ee6f81bce7b2dd1af28036bdec548f49ea2039dde1bd1988a88bf6564a26afc9db6c9fd832

  • \Windows\Temp\svchost.exe

    Filesize

    1.1MB

    MD5

    34aa912defa18c2c129f1e09d75c1d7e

    SHA1

    9c3046324657505a30ecd9b1fdb46c05bde7d470

    SHA256

    6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

    SHA512

    d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

  • memory/428-156-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/556-119-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1116-100-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2092-63-0x00000000746A0000-0x0000000074C4B000-memory.dmp

    Filesize

    5.7MB

  • memory/2092-0-0x00000000746A1000-0x00000000746A2000-memory.dmp

    Filesize

    4KB

  • memory/2092-1-0x00000000746A0000-0x0000000074C4B000-memory.dmp

    Filesize

    5.7MB

  • memory/2092-51-0x00000000746A0000-0x0000000074C4B000-memory.dmp

    Filesize

    5.7MB

  • memory/2092-2-0x00000000746A0000-0x0000000074C4B000-memory.dmp

    Filesize

    5.7MB

  • memory/2368-80-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2644-136-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2960-84-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2960-120-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2960-24-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2960-82-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2960-27-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2960-26-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2960-101-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2960-102-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2960-52-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2960-64-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2960-121-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2960-31-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2960-138-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2960-140-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2960-144-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2960-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2960-158-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB