Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250211-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/02/2025, 13:09

General

  • Target

    JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe

  • Size

    308KB

  • MD5

    f82ac35bf52d1f5ad8f6b5f29acb3f28

  • SHA1

    4a9ac9912e1f0ca668f2da7913b4533104fb531d

  • SHA256

    a7f883e29e6f9210ef7546e715bd25aac14679d251ddf8b1a22d15b47c7e790a

  • SHA512

    1d82ee03ae41690e74b3aa0360dc671cc15b0d8e930992ce05429748b5f7f4d21587e0fadb9b4189360609e5719403a08a543facc05e8c81d1cfb24c7084e330

  • SSDEEP

    6144:8IlNxDlbni74D1CXWFyZEyaz3ZG7UVfuc96FeG39B85VDyqbr00:DbxDJxCcaRq3B56k5VDyu40

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 15 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Downloads MZ/PE file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Users\Admin\AppData\Local\Temp\vbc.exe
      C:\Users\Admin\AppData\Local\Temp\vbc.exe
      2⤵
      • Adds policy Run key to start application
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3820
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3180
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4584
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f82ac35bf52d1f5ad8f6b5f29acb3f28.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2948
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4928
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\CCC..exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\CCC..exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\CCC..exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\CCC..exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:5092
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core
    1⤵
    • System Location Discovery: System Language Discovery
    PID:3232
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OEQzRTk0MzItODM2Mi00RjM0LUIzNjItMjU0QTMyNzU2MkE3fSIgdXNlcmlkPSJ7ODM5MTc3ODEtODFFNy00N0IwLUI0REMtNzE2M0I4MkYxNDI0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTQ2QTU2QUMtRTJBOC00MjUzLTlBNkQtRDFGOUZGNjZGQkRCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTc5NTYxMjQyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:2328

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

    Filesize

    407KB

    MD5

    e2048d49d02a279d8387492340605d8d

    SHA1

    20450d32666afa16660e6b86131fd4a63330f345

    SHA256

    40991d396c0eab6a26909e924090a48c33901c6853406c8dccbf79016cf06c66

    SHA512

    5acd2132e89eda342c1a036754f6fe0df38ed169b3c375e1835cc9aa56bdd2f9ab4af51871f9eab16484a4eaed63be6bc50cc78f785d52e582b9be8a02dcfc98

  • C:\Users\Admin\AppData\Local\Temp\vbc.exe

    Filesize

    1.1MB

    MD5

    d881de17aa8f2e2c08cbb7b265f928f9

    SHA1

    08936aebc87decf0af6e8eada191062b5e65ac2a

    SHA256

    b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

    SHA512

    5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

  • C:\Users\Admin\AppData\Roaming\CCC..exe

    Filesize

    308KB

    MD5

    f82ac35bf52d1f5ad8f6b5f29acb3f28

    SHA1

    4a9ac9912e1f0ca668f2da7913b4533104fb531d

    SHA256

    a7f883e29e6f9210ef7546e715bd25aac14679d251ddf8b1a22d15b47c7e790a

    SHA512

    1d82ee03ae41690e74b3aa0360dc671cc15b0d8e930992ce05429748b5f7f4d21587e0fadb9b4189360609e5719403a08a543facc05e8c81d1cfb24c7084e330

  • memory/2428-27-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2428-51-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2428-9-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2428-12-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2428-71-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2428-20-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2428-64-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2428-26-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2428-25-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2428-61-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2428-28-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2428-36-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2428-55-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2428-40-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2428-45-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2428-48-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2428-6-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2892-1-0x00000000747E0000-0x0000000074D91000-memory.dmp

    Filesize

    5.7MB

  • memory/2892-0-0x00000000747E2000-0x00000000747E3000-memory.dmp

    Filesize

    4KB

  • memory/2892-2-0x00000000747E0000-0x0000000074D91000-memory.dmp

    Filesize

    5.7MB

  • memory/2892-17-0x00000000747E0000-0x0000000074D91000-memory.dmp

    Filesize

    5.7MB