Analysis
max time kernel: 148s
max time network: 121s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 14/02/2025, 17:02

Static task: static1
Behavioral task: behavioral1 (Sample: JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe; Resource: win7-20241023-en)
Behavioral task: behavioral2 (Sample: JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe; Resource: win10v2004-20250211-en)
General
Target: JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe
Size: 431KB
MD5: fa0875613ba59041df0416e786cd91c7
SHA1: 5d95a99ebe5e1fa3f8f4634561f42e73080e0428
SHA256: c02a39afdc5f43b1bc9a10b7b2a87051d77f6e938e830b94b8b8c25e61795672
SHA512: ebc54959db28d8a6a429322ad122e7e45a6d50441a78d7ab339941440236f0c35b569a262eef4b638f895bcf6ef8c35ff811b4a146698aa1aaf4bcf0c75a7d03
SSDEEP: 6144:DRemMrliCiP73FDrSsXe8BoLa3Zyr0Xi2VYWFuOWXYZIMElkw4+0D:8HliCG71CsXnd3qCJFu5XYZSPJ4
Malware Config
Signatures
Blackshades
Blackshades is a remote access trojan with various capabilities.

Blackshades family

Blackshades payload (11 IoCs)
resource / yara_rule:
behavioral1/memory/2920-34-0x0000000000400000-0x000000000045A000-memory.dmp (family_blackshades)
behavioral1/memory/2920-46-0x0000000000400000-0x000000000045A000-memory.dmp (family_blackshades)
behavioral1/memory/2920-47-0x0000000000400000-0x000000000045A000-memory.dmp (family_blackshades)
behavioral1/memory/2920-49-0x0000000000400000-0x000000000045A000-memory.dmp (family_blackshades)
behavioral1/memory/2920-50-0x0000000000400000-0x000000000045A000-memory.dmp (family_blackshades)
behavioral1/memory/2920-51-0x0000000000400000-0x000000000045A000-memory.dmp (family_blackshades)
behavioral1/memory/2920-53-0x0000000000400000-0x000000000045A000-memory.dmp (family_blackshades)
behavioral1/memory/2920-54-0x0000000000400000-0x000000000045A000-memory.dmp (family_blackshades)
behavioral1/memory/2920-58-0x0000000000400000-0x000000000045A000-memory.dmp (family_blackshades)
behavioral1/memory/2920-59-0x0000000000400000-0x000000000045A000-memory.dmp (family_blackshades)
behavioral1/memory/2920-61-0x0000000000400000-0x000000000045A000-memory.dmp (family_blackshades)
Modifies firewall policy service (3 TTPs, 8 IoCs)
description / ioc / Process:
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bswm.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bswm.exe:*:Enabled:Windows Messanger" (reg.exe)
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe:*:Enabled:Windows Messanger" (reg.exe)
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)

Executes dropped EXE (3 IoCs)
pid / Process:
3056 bsdone.exe
2280 pirate.exe
2920 explorer.exe

Loads dropped DLL (15 IoCs)
pid / Process:
1460 JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe (4 events)
2280 pirate.exe (3 events)
3056 bsdone.exe (5 events)
2920 explorer.exe (3 events)

Adds Run key to start application (2 TTPs, 1 IoCs)
description / ioc / Process:
Set value (str): \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalware = "C:\\Users\\Admin\\AppData\\Roaming\\bsdone.exe" (bsdone.exe)

Suspicious use of SetThreadContext (1 IoCs)
description / pid / Process / procid_target:
PID 3056 set thread context of 2920; pid 3056 bsdone.exe; procid_target 32
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe (1), bsdone.exe (1), explorer.exe (1), reg.exe (4), pirate.exe (1), cmd.exe (4)
Modifies registry key (1 TTPs, 4 IoCs)
pid / Process:
2540 reg.exe
2168 reg.exe
1252 reg.exe
2744 reg.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
description / pid / Process: all by pid 2920 explorer.exe
Tokens: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35

Suspicious use of SetWindowsHookEx (3 IoCs)
pid / Process:
2920 explorer.exe (3 events)

Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target:
PID 1460 JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe wrote to memory of 3056, procid_target 30 (7 events)
PID 1460 JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe wrote to memory of 2280, procid_target 31 (7 events)
PID 3056 bsdone.exe wrote to memory of 2920, procid_target 32 (12 events)
PID 2920 explorer.exe wrote to memory of 3024, procid_target 33 (7 events)
PID 2920 explorer.exe wrote to memory of 2716, procid_target 34 (7 events)
PID 2920 explorer.exe wrote to memory of 1044, procid_target 35 (7 events)
PID 2920 explorer.exe wrote to memory of 2872, procid_target 37 (7 events)
PID 2716 cmd.exe wrote to memory of 2540, procid_target 42 (7 events)
PID 1044 cmd.exe wrote to memory of 1252, procid_target 43 (3 events)
Processes
(indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe (PID:1460)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\bsdone.exe (PID:3056)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\bsdone.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\explorer.exe (PID:2920)
      cmdline: C:\Users\Admin\AppData\Roaming\explorer.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID:3024)
        cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\reg.exe (PID:2744)
          cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key

      C:\Windows\SysWOW64\cmd.exe (PID:2716)
        cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explorer.exe:*:Enabled:Windows Messanger" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe (PID:2540)
          cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explorer.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key

      C:\Windows\SysWOW64\cmd.exe (PID:1044)
        cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe (PID:1252)
          cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key

      C:\Windows\SysWOW64\cmd.exe (PID:2872)
        cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bswm.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bswm.exe:*:Enabled:Windows Messanger" /f
        - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\reg.exe (PID:2168)
          cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bswm.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bswm.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key

  C:\Users\Admin\AppData\Local\Temp\pirate.exe (PID:2280)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\pirate.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Impair Defenses (1): Disable or Modify System Firewall (1)
  Modify Registry (3)
Downloads

Filesize: 466KB
MD5: 8383f44534f16f7951b0a485006ed7c0
SHA1: e15b9dd6432ebc8a005622697e295aa6551811b9
SHA256: 5dc18afaa4d54d02f53e2f26cecb7c25133a34567882884bdc4ef9ed5156a21a
SHA512: 56752380a0fad49f916de3ad59ae0a8f0395592ce745742f67d4c33904538c9beaad0bba0e69852776c45c7fea00ad0f80d60a9d4d782bfcc22d3330f5c259dd

Filesize: 215KB
MD5: 5fa762608ab11c579fb0c373ea6f3f5c
SHA1: 9324cd2813b01d19051e18fcbdb5aad17d152ece
SHA256: 6b14a44674acd8e1062736dff4199e3cd8647dd5f45f108f8c5a07a43eeb3129
SHA512: f5edb631b49fdb366a34b9e6cf590571464db39eaa91c9bb151c2275ab8a4f05732d39ec1171e66d8adc4df6a4e8a00fb8497d78a037b17e5f44516f04e1f6bf

Filesize: 1KB
MD5: bd1829843641d264c9ef57ee175a68ae
SHA1: 298cdbc7f30583f964a6533bf62fb7aff501aa52
SHA256: 87cff8f9ae3660c6ff6fc7d6262c61b7c19b2271ae9a95abe7b9d744d386259c
SHA512: 6165d8d47c2e32407c0888b28989ae293f592c4e4771e43d8d09d303e3ad73f895f1c852a176677b3fbd78449536579570cac67a17b2e9135774236b159b2827