Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/02/2025, 18:07

General

  • Target

    JaffaCakes118_21975899b65652222255a5c663a34b9e.exe

  • Size

    596KB

  • MD5

    21975899b65652222255a5c663a34b9e

  • SHA1

    7669700d05191542e4086ad6e0edcb20ca5794c8

  • SHA256

    6907c8a0c3e6fb03fde042da76510e8a002eea4ec3b67a1e32eb35202299aae2

  • SHA512

    9ac91e48455f9f04df39c344b9ae9a6263d4cfecca3597b2b64e24ca3ef722606c314d53f6a65e6299e83815b27f819b4915cebed6fde04a5293be6b82be7ea7

  • SSDEEP

    12288:RV9YMRAECWNUNc2+L0TOeJJ3zxOeZ4yrfYMe1nig:RV2cUx+L0ZLjOWxIn

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 12 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:220
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xrij8ax5.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0FD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD0FC.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1372
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3320
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4764
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3240
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2344
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2464
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3508
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4792
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1224
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:840
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xrij8ax5.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3600
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD40A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD409.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1036

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESD0FD.tmp

    Filesize

    1KB

    MD5

    c027b134c82f4b2c2aca822ac01fd97a

    SHA1

    094cccc04af87bf4bb6577c1cf9454da1ad1a2ff

    SHA256

    4a11a1bfba0e8a0cfb7236c0b8cf75c53ba975dd880d5238921fe1a4c2069aa3

    SHA512

    5c2d15d3150198872f479a49447d92c8ba8c096622c14b957122c6c108f116a3430ce9eff72f90457019909684f7be53ac2fb2f65383bd287139fbab67fe6b1c

  • C:\Users\Admin\AppData\Local\Temp\RESD40A.tmp

    Filesize

    1KB

    MD5

    ddceb3e125aadcb7eb3379c21b7cbfe7

    SHA1

    9b2a73a5889665552493bc7db47ee10243bd5c31

    SHA256

    665ad0a339eb3babc9fa9dbb9630b84cda59df1f019edc064d9c4f384043e990

    SHA512

    01502d1e3942275ef8a76826cb26382e6949aeaed24533d7ab5d54b70f653b4399a118a506629675797a6a34ecbae8b7cae0fbb1b0e13b0f1e40a18b488e4089

  • C:\Users\Admin\AppData\Local\Temp\xrij8ax5.dll

    Filesize

    10KB

    MD5

    7873d235dfd29c5c9dabb34839980c7a

    SHA1

    fe0f31c78cdd8528974754e24bdd9ca4659594d9

    SHA256

    de27931715bb12052801a6598b5b737048166ceb873aa4e33d47a2af835e566f

    SHA512

    e4496ed2bc1bfc14455671f0e5cac59ac5d25c546ff8e61e4ea8f9b2dbf4dd27c97ac60534e758d887b2831368de1eedbfb1b34455c7e6bf2a49d588fe1d1a34

  • C:\Users\Admin\AppData\Local\Temp\xrij8ax5.dll

    Filesize

    3KB

    MD5

    7bcc5c8e9d4df5cf1e705db5d2e87d41

    SHA1

    7fb1c339b7b1b2a19dcf2b5185756bab849012ad

    SHA256

    c66f4ed614cc01dbcc84d6b2c2161c0c5188346b101936a710543bdb2aedca35

    SHA512

    e6bf00c19f31e7706a3e12dfc3893366a5d038b703802c801bb4090ee0cb24d91241d17602abc303d96d1461d710b57c7039fdccea475faa98b09b6a8b6aeb51

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    1KB

    MD5

    caf7ad8a6755ca9190121f60fc7d1886

    SHA1

    434e415c5db0560ac70a22546ce138a9190d0fbd

    SHA256

    7bfaa18112edd91b95795d1a080c3b768b585d1ed559e60d0d7368cfd9513d89

    SHA512

    d9b924cb49c2ebcaf58cfd0ecaa7c026076c22ddc75008b40bc0f62a9d76d464e20cae93028974f73ee1232e6ad6f9927882a20f42a728ec6d821d030002f1ae

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCD0FC.tmp

    Filesize

    652B

    MD5

    e608a1545e05698b7f44314b7436cc73

    SHA1

    5c1c5111311dc5de3ad172d7de5a89d85573fc29

    SHA256

    f79d7d9c87b18b35cdaebd73211b53a8c3d89906f9e84c9d3c1ed863507479c2

    SHA512

    9f88d7e62eeaf0da6faf711bfc764bfad06380d9569e52626484eb4b9f27960b6ce5fa0f77d65621b12e9eb2afc9c0cc4cbdfb5abc2b2e4148991ad2e50bba16

  • \??\c:\Users\Admin\AppData\Local\Temp\xrij8ax5.0.cs

    Filesize

    8KB

    MD5

    164dc3f006aea54e9f83a8d96e366164

    SHA1

    a32fb4dd0b29075a0f94000b61ee441be21c879e

    SHA256

    38ce0b573e1aa8eac080f26b57829a5bbc49104f98305932cc8bc1e3cc226d14

    SHA512

    b6391ccf6e150039056e98c82e47a45f328c699a130412863c633d1506af50c9babe2a299383ce1c32a8abdb7fe61a9b3724a5afda61605e2844114ca0e47ee7

  • \??\c:\Users\Admin\AppData\Local\Temp\xrij8ax5.0.cs

    Filesize

    571B

    MD5

    ffbf968e7e7ddb392daa00f9ff61f4eb

    SHA1

    569a6f2b38fb6971c766b39d21f74aee2e3d2765

    SHA256

    e6085f3cf5b1b4b91c4cb1efd863a115920283a566d9484e9288829b40119d69

    SHA512

    9438c30d52a01b4923daee6733547db95bc933338358959c40658abf5a5dcd394e890eb2ad5ff07d1c5f4d33596c6d5bf1e0b6f76a274c50cd5a5bdf920b2340

  • \??\c:\Users\Admin\AppData\Local\Temp\xrij8ax5.cmdline

    Filesize

    187B

    MD5

    ae040102f7f1b0f54f999afde9452abf

    SHA1

    caeef0a429887f6a10669767655ea26fae90ec37

    SHA256

    f4284c5cd990f7bd09f5752516ddd680fa8beb3b0e9dfbd777a172f514654593

    SHA512

    715856860ea50c6f77054141e0fd948ce5dc35930827c879e061e34d3d55065adf44b0c357edff09abcf405b8da0909943a83f2aff368f6e369b6e2f56eeb69d

  • \??\c:\Users\Admin\AppData\Local\Temp\xrij8ax5.cmdline

    Filesize

    203B

    MD5

    685b406b25bb74f2edea8e2c352381f4

    SHA1

    4607038c233c137a3b01ff92fe979f3ba6090407

    SHA256

    a05eac72245ef2df4f437adbdd30e58daede9173061778401f264f8390334296

    SHA512

    f2b9c3b4fad090c84a68033c573ef83c862081ad0e56f1213d356929af48faed82aa5cda44f6acd7a4b7a92decc0160e33fda935f9b546c48f9b1004044b2845

  • memory/220-1-0x0000000075380000-0x0000000075931000-memory.dmp

    Filesize

    5.7MB

  • memory/220-47-0x0000000075380000-0x0000000075931000-memory.dmp

    Filesize

    5.7MB

  • memory/220-0-0x0000000075382000-0x0000000075383000-memory.dmp

    Filesize

    4KB

  • memory/220-46-0x0000000075382000-0x0000000075383000-memory.dmp

    Filesize

    4KB

  • memory/220-2-0x0000000075380000-0x0000000075931000-memory.dmp

    Filesize

    5.7MB

  • memory/2784-15-0x0000000075380000-0x0000000075931000-memory.dmp

    Filesize

    5.7MB

  • memory/2784-11-0x0000000075380000-0x0000000075931000-memory.dmp

    Filesize

    5.7MB

  • memory/3320-48-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/3320-53-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/3320-65-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/3320-27-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/3320-20-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/3320-50-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/3320-52-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/3320-62-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/3320-54-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/3320-57-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/3320-58-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/3320-61-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/3600-42-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/3600-35-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB