Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/02/2025, 18:08

General

  • Target

    JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe

  • Size

    3.2MB

  • MD5

    fa7e7d5edba288e9a95e4900206fbf70

  • SHA1

    f6102046c18472bc0b693704f21f17e705dbc439

  • SHA256

    0d517d250b9e225215ad9b645b58684833571f2ef66509ad7c18a7a47fec7f64

  • SHA512

    04b110915bced26833878d7e8ad5a3d9db8f34c6de3a44038cbf496c49197482ebc0717c0ae1539f89a18043d401e3ff0afcff41326ee2c8b9d52119fca3cd8e

  • SSDEEP

    49152:4NjcJogDk4FTI5d81YkJ0CoiLNyOEe9hl3qJaMScJ0:

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 11 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Users\Admin\AppData\Local\Temp\update2.exe
      "C:\Users\Admin\AppData\Local\Temp\update2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        3⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2696
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2952
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2700
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1624
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1676
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\update.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\update.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2116
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\update.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\update.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2536
    • C:\Users\Admin\AppData\Local\Temp\is63.exe
      "C:\Users\Admin\AppData\Local\Temp\is63.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:596
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2848

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is63.exe

    Filesize

    612KB

    MD5

    5151fc17f564a6957f7638fac81b4189

    SHA1

    cbae925ff16608cfd4bd1a9b65bd6db3f0acefc6

    SHA256

    5c94615a6a6fe91013284e519a5168cb9d331a02d2232e0c16b31bc1647e3c72

    SHA512

    f379dcd542ec3a59b5b91e38c2c1d3d2d99cf118f49e00d6195c3c4bee601ad2b46f30eeacf02db73bb0fcdb65128b1bc569a073e0f7aea874545c9faa01b5ca

  • \Users\Admin\AppData\Local\Temp\update2.exe

    Filesize

    592KB

    MD5

    773b23201407b8009404952159e8dc27

    SHA1

    52a48f92fd40530da17066b291bef66b6fae8f8a

    SHA256

    5aa6487ff9ed17b6eca8e973bc829ff436bfd6cfb9b037a46bc7d3ab75001b9d

    SHA512

    279171274dad941f91325e5c704eb556cf9ef180dda77754d50fe884ccea4b952d3f1ff5bc3e9b900fa48fc0098cad284630529fe202713d76e3f3f26be7d06e

  • memory/596-22-0x0000000074DA0000-0x000000007534B000-memory.dmp

    Filesize

    5.7MB

  • memory/596-40-0x0000000074DA0000-0x000000007534B000-memory.dmp

    Filesize

    5.7MB

  • memory/596-20-0x0000000074DA0000-0x000000007534B000-memory.dmp

    Filesize

    5.7MB

  • memory/596-21-0x0000000074DA0000-0x000000007534B000-memory.dmp

    Filesize

    5.7MB

  • memory/2100-45-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

  • memory/2100-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2100-61-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

  • memory/2100-74-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

  • memory/2100-62-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

  • memory/2100-73-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

  • memory/2100-69-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

  • memory/2100-64-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

  • memory/2100-48-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

  • memory/2100-60-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

  • memory/2100-65-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

  • memory/2100-43-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

  • memory/2100-41-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

  • memory/2100-68-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

  • memory/2344-0-0x0000000074DA1000-0x0000000074DA2000-memory.dmp

    Filesize

    4KB

  • memory/2344-23-0x0000000074DA0000-0x000000007534B000-memory.dmp

    Filesize

    5.7MB

  • memory/2344-1-0x0000000074DA0000-0x000000007534B000-memory.dmp

    Filesize

    5.7MB

  • memory/2344-2-0x0000000074DA0000-0x000000007534B000-memory.dmp

    Filesize

    5.7MB

  • memory/2848-35-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

  • memory/2848-54-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

  • memory/2848-27-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

  • memory/2848-29-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

  • memory/2848-31-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

  • memory/2848-33-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

  • memory/2848-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2848-39-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

  • memory/2848-38-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB