Analysis

  • max time kernel
    148s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    14/02/2025, 17:02

General

  • Target

    JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe

  • Size

    431KB

  • MD5

    fa0875613ba59041df0416e786cd91c7

  • SHA1

    5d95a99ebe5e1fa3f8f4634561f42e73080e0428

  • SHA256

    c02a39afdc5f43b1bc9a10b7b2a87051d77f6e938e830b94b8b8c25e61795672

  • SHA512

    ebc54959db28d8a6a429322ad122e7e45a6d50441a78d7ab339941440236f0c35b569a262eef4b638f895bcf6ef8c35ff811b4a146698aa1aaf4bcf0c75a7d03

  • SSDEEP

    6144:DRemMrliCiP73FDrSsXe8BoLa3Zyr0Xi2VYWFuOWXYZIMElkw4+0D:8HliCG71CsXnd3qCJFu5XYZSPJ4

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 11 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 15 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0875613ba59041df0416e786cd91c7.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Users\Admin\AppData\Local\Temp\bsdone.exe
      "C:\Users\Admin\AppData\Local\Temp\bsdone.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Users\Admin\AppData\Roaming\explorer.exe
        C:\Users\Admin\AppData\Roaming\explorer.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3024
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2744
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explorer.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explorer.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2540
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1044
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1252
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bswm.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bswm.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2872
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bswm.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bswm.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2168
    • C:\Users\Admin\AppData\Local\Temp\pirate.exe
      "C:\Users\Admin\AppData\Local\Temp\pirate.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2280

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\bsdone.exe

    Filesize

    466KB

    MD5

    8383f44534f16f7951b0a485006ed7c0

    SHA1

    e15b9dd6432ebc8a005622697e295aa6551811b9

    SHA256

    5dc18afaa4d54d02f53e2f26cecb7c25133a34567882884bdc4ef9ed5156a21a

    SHA512

    56752380a0fad49f916de3ad59ae0a8f0395592ce745742f67d4c33904538c9beaad0bba0e69852776c45c7fea00ad0f80d60a9d4d782bfcc22d3330f5c259dd

  • \Users\Admin\AppData\Local\Temp\pirate.exe

    Filesize

    215KB

    MD5

    5fa762608ab11c579fb0c373ea6f3f5c

    SHA1

    9324cd2813b01d19051e18fcbdb5aad17d152ece

    SHA256

    6b14a44674acd8e1062736dff4199e3cd8647dd5f45f108f8c5a07a43eeb3129

    SHA512

    f5edb631b49fdb366a34b9e6cf590571464db39eaa91c9bb151c2275ab8a4f05732d39ec1171e66d8adc4df6a4e8a00fb8497d78a037b17e5f44516f04e1f6bf

  • \Users\Admin\AppData\Roaming\explorer.exe

    Filesize

    1KB

    MD5

    bd1829843641d264c9ef57ee175a68ae

    SHA1

    298cdbc7f30583f964a6533bf62fb7aff501aa52

    SHA256

    87cff8f9ae3660c6ff6fc7d6262c61b7c19b2271ae9a95abe7b9d744d386259c

    SHA512

    6165d8d47c2e32407c0888b28989ae293f592c4e4771e43d8d09d303e3ad73f895f1c852a176677b3fbd78449536579570cac67a17b2e9135774236b159b2827

  • memory/2920-34-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2920-46-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2920-47-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2920-49-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2920-50-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2920-51-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2920-53-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2920-54-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2920-58-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2920-59-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2920-61-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB