Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/02/2025, 18:07

General

  • Target

    JaffaCakes118_21975899b65652222255a5c663a34b9e.exe

  • Size

    596KB

  • MD5

    21975899b65652222255a5c663a34b9e

  • SHA1

    7669700d05191542e4086ad6e0edcb20ca5794c8

  • SHA256

    6907c8a0c3e6fb03fde042da76510e8a002eea4ec3b67a1e32eb35202299aae2

  • SHA512

    9ac91e48455f9f04df39c344b9ae9a6263d4cfecca3597b2b64e24ca3ef722606c314d53f6a65e6299e83815b27f819b4915cebed6fde04a5293be6b82be7ea7

  • SSDEEP

    12288:RV9YMRAECWNUNc2+L0TOeJJ3zxOeZ4yrfYMe1nig:RV2cUx+L0ZLjOWxIn

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 13 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xmxi_d58.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DF7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7DE7.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2484
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1168
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2664
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2284
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2544
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2692
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2872
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xmxi_d58.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80C5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC80C4.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2980

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES7DF7.tmp

    Filesize

    1KB

    MD5

    826742820580d9911d4d99a8566efaee

    SHA1

    2f897e4c9fca96a4e59a3dc4f09f780bad5e0b6e

    SHA256

    3c13f9d25c35f863dada15a2a384f240d3c385a6f27445e9d3169d6fc091d3ef

    SHA512

    8a7db43e0e0b9cb75119fae7d997cc2574561e4b89dafef1b7ac318bbeb24446df9ab033087369fb55c477bb6a754a00087f971b516248a05e4a64a6f30b67f3

  • C:\Users\Admin\AppData\Local\Temp\RES80C5.tmp

    Filesize

    1KB

    MD5

    c5ac7d7cf19969a1be994b5950febb81

    SHA1

    a7ec93087ce90fdcfc05e9deff0c432fdd8db142

    SHA256

    0db2a29c32c724112e680eff5a96cee0a612f1528a84130df4f7fc34d8ec58d4

    SHA512

    60e5d93aa7b243ca53e9710bacd925cf418cf0eee8f71f76960ac78aecc1a6294b0a8200bd1cb3b9447176e382666b8059be5d19917e675fd85014dc1882e34b

  • C:\Users\Admin\AppData\Local\Temp\xmxi_d58.dll

    Filesize

    3KB

    MD5

    4609d79db0b99e787143cbd9d97fcf64

    SHA1

    049bee435e1c93d6ee6f39fb039228822b607c7a

    SHA256

    d8badcc25983b7a7eb8f9b8e3ac1c1874ff32531b25adc77ffd2aa65788aa9ed

    SHA512

    f1df4e2de09d245b27966e1a7417d289e2ef43bb9b75dd5d47b783f47ea2de4ec436ca1649c90e3a5402601ffb60ad5f4dec9a6b84329d81f99dcc26abaa53b4

  • C:\Users\Admin\AppData\Local\Temp\xmxi_d58.dll

    Filesize

    10KB

    MD5

    96dbb19afa4c97165e741d958d6db2d3

    SHA1

    dbbf3c7a4b4515e70ea65e840c0585041861e4cf

    SHA256

    931b7ced00baac0831e3330acf98fb40634aa19a1e3b252c32838d11d780657a

    SHA512

    8043e4aea00835c9cc911355b0bf9857efacf63f3684d43c00d604a881c503988459eb9bbbe49a59b57f2adfe725542d4278285402490be27382fbe277551dbd

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC7DE7.tmp

    Filesize

    652B

    MD5

    d9755b2e4731075e0b0fc5693217c3bb

    SHA1

    149c99e1567a0a187a8db36a59c49f82f7b65442

    SHA256

    00ea8e6f1ac378b388a83951c00e391d403e6b37f59599b82c9a849d889321dd

    SHA512

    cb576015f0211e5f5e0288fc10677c9d4adcec8998ddf797ded46a6883f3f8d134246694b496951c442ee5eed78944ff3949d696030999e7b7c1f9513e32c930

  • \??\c:\Users\Admin\AppData\Local\Temp\xmxi_d58.0.cs

    Filesize

    8KB

    MD5

    164dc3f006aea54e9f83a8d96e366164

    SHA1

    a32fb4dd0b29075a0f94000b61ee441be21c879e

    SHA256

    38ce0b573e1aa8eac080f26b57829a5bbc49104f98305932cc8bc1e3cc226d14

    SHA512

    b6391ccf6e150039056e98c82e47a45f328c699a130412863c633d1506af50c9babe2a299383ce1c32a8abdb7fe61a9b3724a5afda61605e2844114ca0e47ee7

  • \??\c:\Users\Admin\AppData\Local\Temp\xmxi_d58.0.cs

    Filesize

    571B

    MD5

    ffbf968e7e7ddb392daa00f9ff61f4eb

    SHA1

    569a6f2b38fb6971c766b39d21f74aee2e3d2765

    SHA256

    e6085f3cf5b1b4b91c4cb1efd863a115920283a566d9484e9288829b40119d69

    SHA512

    9438c30d52a01b4923daee6733547db95bc933338358959c40658abf5a5dcd394e890eb2ad5ff07d1c5f4d33596c6d5bf1e0b6f76a274c50cd5a5bdf920b2340

  • \??\c:\Users\Admin\AppData\Local\Temp\xmxi_d58.cmdline

    Filesize

    187B

    MD5

    c8709d8ebbd49b391d2f8443275f155d

    SHA1

    fae81a9d67900362411ef9aa6f15395dfcae48d2

    SHA256

    b8808f00a8813152a32a6cc20876bf3dab169ae3d16b82c03a3a86379b95a0e0

    SHA512

    a548060671bfbaf43bbce14cbb0e97d65af8442058ec528cf5354a041e1b4da18ffd8ab04687a767d564c4b62616c8eade43fdef787d1632ae88039937b17078

  • \??\c:\Users\Admin\AppData\Local\Temp\xmxi_d58.cmdline

    Filesize

    203B

    MD5

    28eb06d4549a9cf388217a9e9aa418aa

    SHA1

    90714c4922ab665bdb3a89300c1128abd5f93ba4

    SHA256

    d08936b1024a8b3efdada90f64889db833381b4830b6702a50f400ba78f4dc01

    SHA512

    c89b9ede2a501ced80963a520ac9f6bc90bfae4ecd96e901b594a394932b11e5fdde7e0a35aeec31e5ae1d06877abd5f8753cb130e18c0fd4118c70b651da6d3

  • \Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    1KB

    MD5

    caf7ad8a6755ca9190121f60fc7d1886

    SHA1

    434e415c5db0560ac70a22546ce138a9190d0fbd

    SHA256

    7bfaa18112edd91b95795d1a080c3b768b585d1ed559e60d0d7368cfd9513d89

    SHA512

    d9b924cb49c2ebcaf58cfd0ecaa7c026076c22ddc75008b40bc0f62a9d76d464e20cae93028974f73ee1232e6ad6f9927882a20f42a728ec6d821d030002f1ae

  • memory/2144-15-0x0000000074B30000-0x00000000750DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2144-8-0x0000000074B30000-0x00000000750DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2600-55-0x0000000074B30000-0x00000000750DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2600-0-0x0000000074B31000-0x0000000074B32000-memory.dmp

    Filesize

    4KB

  • memory/2600-1-0x0000000074B30000-0x00000000750DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2600-2-0x0000000074B30000-0x00000000750DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2788-27-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2788-57-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2788-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2788-25-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2788-34-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2788-26-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2788-59-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2788-43-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2788-56-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2788-60-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2788-61-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2788-64-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2788-65-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2788-67-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2788-70-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2788-72-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB