Analysis
-
max time kernel
148s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25/02/2025, 23:24
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_231da1a91c3eeb463969b67687d9c51e.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_231da1a91c3eeb463969b67687d9c51e.exe
Resource
win10v2004-20250217-en
General
-
Target
JaffaCakes118_231da1a91c3eeb463969b67687d9c51e.exe
-
Size
504KB
-
MD5
231da1a91c3eeb463969b67687d9c51e
-
SHA1
1e78e16060f46268d9d60ac1bec887dba9c4421a
-
SHA256
78942fe7a1a3156c768560b6332dc11dc76624bb38e084ffe01a74abe7a131ba
-
SHA512
f676f5a2a19afe76f8cc7662c6670fbe7404fa599b4b9bae34d4a4c43b9a6f8b838b6610f3b797328221f70e5e6210010b1faefe68be7c30f713de13472c8a89
-
SSDEEP
12288:Pen6RH710Kp+Iiia2GPt1lSMP/X016w9gAnXH1QcEj2/tpDz0hWCr:PvZBXsTl1RX6nX1bEqXoW
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 8 IoCs
resource yara_rule behavioral1/memory/2880-10-0x0000000000400000-0x0000000000452000-memory.dmp family_blackshades behavioral1/memory/2880-7-0x0000000000400000-0x0000000000452000-memory.dmp family_blackshades behavioral1/memory/2880-21-0x0000000000400000-0x0000000000452000-memory.dmp family_blackshades behavioral1/memory/2880-22-0x0000000000400000-0x0000000000452000-memory.dmp family_blackshades behavioral1/memory/2880-24-0x0000000000400000-0x0000000000452000-memory.dmp family_blackshades behavioral1/memory/2880-25-0x0000000000400000-0x0000000000452000-memory.dmp family_blackshades behavioral1/memory/2880-34-0x0000000000400000-0x0000000000452000-memory.dmp family_blackshades behavioral1/memory/2880-35-0x0000000000400000-0x0000000000452000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\WinDefenderz.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefenderz.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Config = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msconfig.exe" JaffaCakes118_231da1a91c3eeb463969b67687d9c51e.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2068 set thread context of 2880 2068 JaffaCakes118_231da1a91c3eeb463969b67687d9c51e.exe 30 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe vbc.exe -
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_231da1a91c3eeb463969b67687d9c51e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 2668 reg.exe 2712 reg.exe 2608 reg.exe 2648 reg.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: 1 2880 vbc.exe Token: SeCreateTokenPrivilege 2880 vbc.exe Token: SeAssignPrimaryTokenPrivilege 2880 vbc.exe Token: SeLockMemoryPrivilege 2880 vbc.exe Token: SeIncreaseQuotaPrivilege 2880 vbc.exe Token: SeMachineAccountPrivilege 2880 vbc.exe Token: SeTcbPrivilege 2880 vbc.exe Token: SeSecurityPrivilege 2880 vbc.exe Token: SeTakeOwnershipPrivilege 2880 vbc.exe Token: SeLoadDriverPrivilege 2880 vbc.exe Token: SeSystemProfilePrivilege 2880 vbc.exe Token: SeSystemtimePrivilege 2880 vbc.exe Token: SeProfSingleProcessPrivilege 2880 vbc.exe Token: SeIncBasePriorityPrivilege 2880 vbc.exe Token: SeCreatePagefilePrivilege 2880 vbc.exe Token: SeCreatePermanentPrivilege 2880 vbc.exe Token: SeBackupPrivilege 2880 vbc.exe Token: SeRestorePrivilege 2880 vbc.exe Token: SeShutdownPrivilege 2880 vbc.exe Token: SeDebugPrivilege 2880 vbc.exe Token: SeAuditPrivilege 2880 vbc.exe Token: SeSystemEnvironmentPrivilege 2880 vbc.exe Token: SeChangeNotifyPrivilege 2880 vbc.exe Token: SeRemoteShutdownPrivilege 2880 vbc.exe Token: SeUndockPrivilege 2880 vbc.exe Token: SeSyncAgentPrivilege 2880 vbc.exe Token: SeEnableDelegationPrivilege 2880 vbc.exe Token: SeManageVolumePrivilege 2880 vbc.exe Token: SeImpersonatePrivilege 2880 vbc.exe Token: SeCreateGlobalPrivilege 2880 vbc.exe Token: 31 2880 vbc.exe Token: 32 2880 vbc.exe Token: 33 2880 vbc.exe Token: 34 2880 vbc.exe Token: 35 2880 vbc.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2880 vbc.exe 2880 vbc.exe 2880 vbc.exe -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target PID 2068 wrote to memory of 2880 2068 JaffaCakes118_231da1a91c3eeb463969b67687d9c51e.exe 30 PID 2068 wrote to memory of 2880 2068 JaffaCakes118_231da1a91c3eeb463969b67687d9c51e.exe 30 PID 2068 wrote to memory of 2880 2068 JaffaCakes118_231da1a91c3eeb463969b67687d9c51e.exe 30 PID 2068 wrote to memory of 2880 2068 JaffaCakes118_231da1a91c3eeb463969b67687d9c51e.exe 30 PID 2068 wrote to memory of 2880 2068 JaffaCakes118_231da1a91c3eeb463969b67687d9c51e.exe 30 PID 2068 wrote to memory of 2880 2068 JaffaCakes118_231da1a91c3eeb463969b67687d9c51e.exe 30 PID 2068 wrote to memory of 2880 2068 JaffaCakes118_231da1a91c3eeb463969b67687d9c51e.exe 30 PID 2068 wrote to memory of 2880 2068 JaffaCakes118_231da1a91c3eeb463969b67687d9c51e.exe 30 PID 2880 wrote to memory of 2900 2880 vbc.exe 31 PID 2880 wrote to memory of 2900 2880 vbc.exe 31 PID 2880 wrote to memory of 2900 2880 vbc.exe 31 PID 2880 wrote to memory of 2900 2880 vbc.exe 31 PID 2880 wrote to memory of 2708 2880 vbc.exe 32 PID 2880 wrote to memory of 2708 2880 vbc.exe 32 PID 2880 wrote to memory of 2708 2880 vbc.exe 32 PID 2880 wrote to memory of 2708 2880 vbc.exe 32 PID 2880 wrote to memory of 2288 2880 vbc.exe 33 PID 2880 wrote to memory of 2288 2880 vbc.exe 33 PID 2880 wrote to memory of 2288 2880 vbc.exe 33 PID 2880 wrote to memory of 2288 2880 vbc.exe 33 PID 2880 wrote to memory of 2832 2880 vbc.exe 36 PID 2880 wrote to memory of 2832 2880 vbc.exe 36 PID 2880 wrote to memory of 2832 2880 vbc.exe 36 PID 2880 wrote to memory of 2832 2880 vbc.exe 36 PID 2708 wrote to memory of 2608 2708 cmd.exe 39 PID 2708 wrote to memory of 2608 2708 cmd.exe 39 PID 2708 wrote to memory of 2608 2708 cmd.exe 39 PID 2708 wrote to memory of 2608 2708 cmd.exe 39 PID 2900 wrote to memory of 2648 2900 cmd.exe 40 PID 2900 wrote to memory of 2648 2900 cmd.exe 40 PID 2900 wrote to memory of 2648 2900 cmd.exe 40 PID 2900 wrote to memory of 2648 2900 cmd.exe 40 PID 2832 wrote to memory of 2668 2832 cmd.exe 41 PID 2832 wrote to memory of 2668 2832 cmd.exe 41 PID 2832 wrote to memory of 2668 2832 cmd.exe 41 PID 2832 wrote to memory of 2668 2832 cmd.exe 41 PID 2288 wrote to memory of 2712 2288 cmd.exe 42 PID 2288 wrote to memory of 2712 2288 cmd.exe 42 PID 2288 wrote to memory of 2712 2288 cmd.exe 42 PID 2288 wrote to memory of 2712 2288 cmd.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_231da1a91c3eeb463969b67687d9c51e.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_231da1a91c3eeb463969b67687d9c51e.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2648
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2608
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2712
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WinDefenderz.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinDefenderz.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WinDefenderz.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinDefenderz.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2668
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1