Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20250207-en -
resource tags
arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system -
submitted
15/02/2025, 18:42
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_fb6cfdcf4a130897469bd6039cdeab32.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_fb6cfdcf4a130897469bd6039cdeab32.exe
Resource
win10v2004-20250207-en
General
-
Target
JaffaCakes118_fb6cfdcf4a130897469bd6039cdeab32.exe
-
Size
449KB
-
MD5
fb6cfdcf4a130897469bd6039cdeab32
-
SHA1
316dec0070c78a4138a1ba35d39e00f9d3207932
-
SHA256
4bb16ac62d7a9379ffc7ef011a55c6e03f4fb569c486c623dfb191678878d1cb
-
SHA512
b62d50de27906b8cc9f8e5a600fb12614f2b1467aac2d3d016bc19d4dd95220d6e44e4332ac60b5b56678261c2e9bb3f0bacea7f09f9d59ba81faefed3679227
-
SSDEEP
6144:iZuDoCDS1xcIU5A8176KBUKChJwUKVhS9G93tHnbYx7hS6lHJbfvKtToF/Zpr:6uMYSJu7bUK4wUKV793tHkRCtST
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 1 IoCs
resource yara_rule behavioral2/files/0x0008000000023e24-12.dat family_blackshades -
Modifies firewall policy service 3 TTPs 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Crypted.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Crypted.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run Crypted.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VSV = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe" Crypted.exe -
Downloads MZ/PE file 2 IoCs
flow pid Process 37 1136 Process not Found 77 2680 Process not Found -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000\Control Panel\International\Geo\Nation JaffaCakes118_fb6cfdcf4a130897469bd6039cdeab32.exe -
Executes dropped EXE 1 IoCs
pid Process 1460 Crypted.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VSV = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe" Crypted.exe Set value (str) \REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSV = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe" Crypted.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_fb6cfdcf4a130897469bd6039cdeab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Crypted.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3724 MicrosoftEdgeUpdate.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 4812 reg.exe 3692 reg.exe 216 reg.exe 2728 reg.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: 1 1460 Crypted.exe Token: SeCreateTokenPrivilege 1460 Crypted.exe Token: SeAssignPrimaryTokenPrivilege 1460 Crypted.exe Token: SeLockMemoryPrivilege 1460 Crypted.exe Token: SeIncreaseQuotaPrivilege 1460 Crypted.exe Token: SeMachineAccountPrivilege 1460 Crypted.exe Token: SeTcbPrivilege 1460 Crypted.exe Token: SeSecurityPrivilege 1460 Crypted.exe Token: SeTakeOwnershipPrivilege 1460 Crypted.exe Token: SeLoadDriverPrivilege 1460 Crypted.exe Token: SeSystemProfilePrivilege 1460 Crypted.exe Token: SeSystemtimePrivilege 1460 Crypted.exe Token: SeProfSingleProcessPrivilege 1460 Crypted.exe Token: SeIncBasePriorityPrivilege 1460 Crypted.exe Token: SeCreatePagefilePrivilege 1460 Crypted.exe Token: SeCreatePermanentPrivilege 1460 Crypted.exe Token: SeBackupPrivilege 1460 Crypted.exe Token: SeRestorePrivilege 1460 Crypted.exe Token: SeShutdownPrivilege 1460 Crypted.exe Token: SeDebugPrivilege 1460 Crypted.exe Token: SeAuditPrivilege 1460 Crypted.exe Token: SeSystemEnvironmentPrivilege 1460 Crypted.exe Token: SeChangeNotifyPrivilege 1460 Crypted.exe Token: SeRemoteShutdownPrivilege 1460 Crypted.exe Token: SeUndockPrivilege 1460 Crypted.exe Token: SeSyncAgentPrivilege 1460 Crypted.exe Token: SeEnableDelegationPrivilege 1460 Crypted.exe Token: SeManageVolumePrivilege 1460 Crypted.exe Token: SeImpersonatePrivilege 1460 Crypted.exe Token: SeCreateGlobalPrivilege 1460 Crypted.exe Token: 31 1460 Crypted.exe Token: 32 1460 Crypted.exe Token: 33 1460 Crypted.exe Token: 34 1460 Crypted.exe Token: 35 1460 Crypted.exe Token: SeDebugPrivilege 1460 Crypted.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1460 Crypted.exe 1460 Crypted.exe 1460 Crypted.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 3544 wrote to memory of 1460 3544 JaffaCakes118_fb6cfdcf4a130897469bd6039cdeab32.exe 90 PID 3544 wrote to memory of 1460 3544 JaffaCakes118_fb6cfdcf4a130897469bd6039cdeab32.exe 90 PID 3544 wrote to memory of 1460 3544 JaffaCakes118_fb6cfdcf4a130897469bd6039cdeab32.exe 90 PID 1460 wrote to memory of 2904 1460 Crypted.exe 91 PID 1460 wrote to memory of 2904 1460 Crypted.exe 91 PID 1460 wrote to memory of 2904 1460 Crypted.exe 91 PID 1460 wrote to memory of 1080 1460 Crypted.exe 92 PID 1460 wrote to memory of 1080 1460 Crypted.exe 92 PID 1460 wrote to memory of 1080 1460 Crypted.exe 92 PID 1460 wrote to memory of 2940 1460 Crypted.exe 93 PID 1460 wrote to memory of 2940 1460 Crypted.exe 93 PID 1460 wrote to memory of 2940 1460 Crypted.exe 93 PID 1460 wrote to memory of 3628 1460 Crypted.exe 94 PID 1460 wrote to memory of 3628 1460 Crypted.exe 94 PID 1460 wrote to memory of 3628 1460 Crypted.exe 94 PID 1080 wrote to memory of 3692 1080 cmd.exe 99 PID 1080 wrote to memory of 3692 1080 cmd.exe 99 PID 1080 wrote to memory of 3692 1080 cmd.exe 99 PID 2904 wrote to memory of 2728 2904 cmd.exe 100 PID 2904 wrote to memory of 2728 2904 cmd.exe 100 PID 2904 wrote to memory of 2728 2904 cmd.exe 100 PID 2940 wrote to memory of 216 2940 cmd.exe 101 PID 2940 wrote to memory of 216 2940 cmd.exe 101 PID 2940 wrote to memory of 216 2940 cmd.exe 101 PID 3628 wrote to memory of 4812 3628 cmd.exe 102 PID 3628 wrote to memory of 4812 3628 cmd.exe 102 PID 3628 wrote to memory of 4812 3628 cmd.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fb6cfdcf4a130897469bd6039cdeab32.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fb6cfdcf4a130897469bd6039cdeab32.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Users\Admin\AppData\Local\Temp\Crypted.exe"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2728
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Crypted.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Crypted.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Crypted.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Crypted.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3692
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:216
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4812
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDI5NzNENjgtRDgwRS00QTQ5LUE3QTMtOTk5RkVFMDM2Qjc3fSIgdXNlcmlkPSJ7RDc0OTM1NkYtRDc4QS00RTVBLUJGRUItNzIwQzFFNDA1NTI0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MDhBQTJEODMtMTZBNy00OTJCLTkzRjItMENEQjVGOUZFQ0Y5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI4IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4NjAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODIxNjMwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODkxMTc0MjgyIi8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3724
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
336KB
MD543624c2e4a43b856a1fbb3d92e372e0c
SHA14cf42e79291274c7b91f0881513f72a810c89cb4
SHA2562096c9730815df3061ce5747fa40194e6ae51dea34982796a5d32203e3e9a88e
SHA51204d075310c9ae40092032c4564b2e9b40ea9a1e3e572b8517ab6c4d584a9ad1a693cc9ce7b6698150f90d2abaecec0af2bb765ce9e8f8561170c643ee1dc1797