Analysis
max time kernel: 147s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/02/2025, 05:07
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_23da40a6157e13bbeccdf5118648598c.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_23da40a6157e13bbeccdf5118648598c.exe
  Resource: win10v2004-20250217-en
Every signature, memory dump and process on this page comes from behavioral2 (the Windows 10 run); no behavioral1 (Windows 7) results are included here.
General
Target: JaffaCakes118_23da40a6157e13bbeccdf5118648598c.exe
Size: 757KB
MD5: 23da40a6157e13bbeccdf5118648598c
SHA1: a46387e0d067862d3db1248e7e0d76b780020764
SHA256: 032a0d61592304cf5f4e55e10a1628e540774e70d91b737de23f457e89b44b4b
SHA512: f38b731122c22ecd36ab8233a844097d9880211dc3f58220d02776495616fdf9a225de9dfa72c71f66ff39cc049df439cad09fb3f7c55dbfbe9926d4c99f4078
SSDEEP: 12288:d/caYzHNMe7ab5jD8towM08wPojn92jwKL2rekk8c:d/c1NMrlEFxPM92jbL2m8c
Malware Config
Signatures
Blackshades
  Blackshades is a remote access trojan with various capabilities.
Blackshades family
Blackshades payload (11 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4592-4-0x0000000000400000-0x00000000005A9000-memory.dmp    family_blackshades
  behavioral2/memory/4592-5-0x0000000000400000-0x00000000005A9000-memory.dmp    family_blackshades
  behavioral2/memory/4592-22-0x0000000000400000-0x00000000005A9000-memory.dmp   family_blackshades
  behavioral2/memory/4592-23-0x0000000000400000-0x00000000005A9000-memory.dmp   family_blackshades
  behavioral2/memory/4592-25-0x0000000000400000-0x00000000005A9000-memory.dmp   family_blackshades
  behavioral2/memory/4592-26-0x0000000000400000-0x00000000005A9000-memory.dmp   family_blackshades
  behavioral2/memory/4592-27-0x0000000000400000-0x00000000005A9000-memory.dmp   family_blackshades
  behavioral2/memory/4592-29-0x0000000000400000-0x00000000005A9000-memory.dmp   family_blackshades
  behavioral2/memory/4592-30-0x0000000000400000-0x00000000005A9000-memory.dmp   family_blackshades
  behavioral2/memory/4592-31-0x0000000000400000-0x00000000005A9000-memory.dmp   family_blackshades
  behavioral2/memory/4592-35-0x0000000000400000-0x00000000005A9000-memory.dmp   family_blackshades
  All 11 hits are in PID 4592 (cvtres.exe), in the same 0x00400000-0x005A9000 region, which is the default image base of a 32-bit executable. The payload therefore runs inside the cvtres.exe process the sample started, not inside the original sample process (PID 4936); a memory acquisition of this host should target PID 4592.
Modifies firewall policy service (3 TTPs, 10 IoCs)
  description      ioc                                                                                                                                        Process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"          reg.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile                                     reg.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List         reg.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile                                     reg.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe:*:Enabled:Windows Messanger"   reg.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List         reg.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\TaskManager\taskhost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TaskManager\\taskhost.exe:*:Enabled:Windows Messanger"   reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"          reg.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications              reg.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile                                     reg.exe
  The two AuthorizedApplications\List values use the legacy Windows Firewall exception format (path:scope:Enabled:display name). Both carry the display name "Windows Messanger", misspelled exactly as the sample writes it, which makes the string a usable registry IoC. One entry whitelists the cvtres.exe host the payload was injected into; the other whitelists a taskhost.exe under %TEMP%\TaskManager, a file whose creation or execution is not recorded anywhere in this report. DoNotAllowExceptions is set to 0 twice (PIDs 4856 and 4520), clearing the legacy "Don't allow exceptions" lockdown. Modern Windows Defender Firewall rules are stored under FirewallPolicy\FirewallRules, and the report does not show whether these legacy entries are honoured on the Windows 10 image, so treat them as a tampering indicator rather than as proof of a working exception.
Executes dropped EXE (1 IoC)
  pid    Process
  1968   nsCfg.exe
Suspicious use of SetThreadContext (1 IoC)
  description                            pid    Process                                               procid_target
  PID 4936 set thread context of 4592    4936   JaffaCakes118_23da40a6157e13bbeccdf5118648598c.exe   93
  Read together with the eight WriteProcessMemory calls from PID 4936 into PID 4592 and the Blackshades YARA hits at PID 4592's image base, this is the injection step, consistent with process hollowing: the sample starts the Microsoft .NET tool cvtres.exe, overwrites it with the Blackshades payload and redirects its thread into it. The firewall tampering, hooks and privilege adjustments attributed to cvtres.exe below are the payload's actions, not the .NET tool's.
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                         Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   reg.exe (4 times)
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe (4 times)
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   JaffaCakes118_23da40a6157e13bbeccdf5118648598c.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cvtres.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet01\Control\NLS\Language   nsCfg.exe
  This signature fires for every process that opens the NLS\Language key, including the stock cmd.exe and reg.exe instances, so in this run it carries no information specific to the sample.
Modifies registry key (1 TTP, 4 IoCs)
  pid    Process
  4520   reg.exe
  4856   reg.exe
  3708   reg.exe
  1444   reg.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    Process
  4936   JaffaCakes118_23da40a6157e13bbeccdf5118648598c.exe
  4936   JaffaCakes118_23da40a6157e13bbeccdf5118648598c.exe
Suspicious use of AdjustPrivilegeToken (37 IoCs)
  description                                pid    Process
  Token: SeDebugPrivilege                    4936   JaffaCakes118_23da40a6157e13bbeccdf5118648598c.exe
  Token: 1                                   4592   cvtres.exe
  Token: SeCreateTokenPrivilege              4592   cvtres.exe
  Token: SeAssignPrimaryTokenPrivilege       4592   cvtres.exe
  Token: SeLockMemoryPrivilege               4592   cvtres.exe
  Token: SeIncreaseQuotaPrivilege            4592   cvtres.exe
  Token: SeMachineAccountPrivilege           4592   cvtres.exe
  Token: SeTcbPrivilege                      4592   cvtres.exe
  Token: SeSecurityPrivilege                 4592   cvtres.exe
  Token: SeTakeOwnershipPrivilege            4592   cvtres.exe
  Token: SeLoadDriverPrivilege               4592   cvtres.exe
  Token: SeSystemProfilePrivilege            4592   cvtres.exe
  Token: SeSystemtimePrivilege               4592   cvtres.exe
  Token: SeProfSingleProcessPrivilege        4592   cvtres.exe
  Token: SeIncBasePriorityPrivilege          4592   cvtres.exe
  Token: SeCreatePagefilePrivilege           4592   cvtres.exe
  Token: SeCreatePermanentPrivilege          4592   cvtres.exe
  Token: SeBackupPrivilege                   4592   cvtres.exe
  Token: SeRestorePrivilege                  4592   cvtres.exe
  Token: SeShutdownPrivilege                 4592   cvtres.exe
  Token: SeDebugPrivilege                    4592   cvtres.exe
  Token: SeAuditPrivilege                    4592   cvtres.exe
  Token: SeSystemEnvironmentPrivilege        4592   cvtres.exe
  Token: SeChangeNotifyPrivilege             4592   cvtres.exe
  Token: SeRemoteShutdownPrivilege           4592   cvtres.exe
  Token: SeUndockPrivilege                   4592   cvtres.exe
  Token: SeSyncAgentPrivilege                4592   cvtres.exe
  Token: SeEnableDelegationPrivilege         4592   cvtres.exe
  Token: SeManageVolumePrivilege             4592   cvtres.exe
  Token: SeImpersonatePrivilege              4592   cvtres.exe
  Token: SeCreateGlobalPrivilege             4592   cvtres.exe
  Token: 31                                  4592   cvtres.exe
  Token: 32                                  4592   cvtres.exe
  Token: 33                                  4592   cvtres.exe
  Token: 34                                  4592   cvtres.exe
  Token: 35                                  4592   cvtres.exe
  Token: SeDebugPrivilege                    1968   nsCfg.exe
  The 35 entries for PID 4592 are the consecutive privilege LUIDs 1 through 35 (SeCreateTokenPrivilege is LUID 2, SeCreateGlobalPrivilege is LUID 30; the bare numbers are LUIDs the report does not map to a name). The injected payload is not requesting specific rights; it loops over every LUID and calls AdjustTokenPrivileges for each, whether or not the token holds that privilege. A process that enables dozens of privileges in one burst is a far more specific hunting signal than any single SeDebugPrivilege enable.
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid    Process
  4592   cvtres.exe
  4592   cvtres.exe
  4592   cvtres.exe
Suspicious use of WriteProcessMemory (35 IoCs)
  description                          pid    Process                                               procid_target   occurrences
  PID 4936 wrote to memory of 4592     4936   JaffaCakes118_23da40a6157e13bbeccdf5118648598c.exe   93              8
  PID 4592 wrote to memory of 928      4592   cvtres.exe                                            94              3
  PID 4592 wrote to memory of 1380     4592   cvtres.exe                                            95              3
  PID 4592 wrote to memory of 1328     4592   cvtres.exe                                            96              3
  PID 4592 wrote to memory of 520      4592   cvtres.exe                                            97              3
  PID 928 wrote to memory of 4856      928    cmd.exe                                               102             3
  PID 1380 wrote to memory of 3708     1380   cmd.exe                                               103             3
  PID 520 wrote to memory of 1444      520    cmd.exe                                               104             3
  PID 1328 wrote to memory of 4520     1328   cmd.exe                                               105             3
  PID 4936 wrote to memory of 1968     4936   JaffaCakes118_23da40a6157e13bbeccdf5118648598c.exe   108             3
  Every ordinary parent/child pair in this run, cmd.exe starting reg.exe included, shows exactly three writes, so three writes into a freshly created child are not an injection indicator here. The 4936 to 4592 pair stands out on two counts: eight writes instead of three, and the accompanying SetThreadContext call. The 4936 to 1968 pair (three writes) is a normal start of the dropped nsCfg.exe.
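The firewall tampering above is worth decoding rather than just listing, because the legacy exception format and the registry path spelling (HKLM\...\CurrentControlSet on the reg.exe command line versus \REGISTRY\MACHINE\SYSTEM\ControlSet001 in the IoCs) are what an analyst has to reconcile when matching command-line telemetry to registry events. The following is an added example, not code from the sandbox report or from the Blackshades sample: it parses the three REG ADD command lines copied from the process tree, normalises the key to the form the IoC table uses, decodes the path:scope:state:name value format and produces a per-program verdict. The user-writable prefixes, the assumption that CurrentControlSet resolves to ControlSet001 (true for this sandbox run, not for an arbitrary host) and the verdict wording are this example's own.

```python
import re
from dataclasses import dataclass

# reg.exe command lines copied from the report's process tree (cmd /c prefix dropped).
OBSERVED_COMMANDS = [
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TaskManager\taskhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TaskManager\taskhost.exe:*:Enabled:Windows Messanger" /f',
]

FIREWALL_POLICY = "\\services\\sharedaccess\\parameters\\firewallpolicy"
LEGACY_LIST = "\\authorizedapplications\\list"
# Legacy (Windows XP SP2 era) exception entry: <path>:<scope>:<Enabled|Disabled>:<display name>.
# The path carries a drive colon, so the state keyword, not the first colon, anchors the split.
LEGACY_VALUE_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$", re.IGNORECASE)
# Assumption for this example: an unprivileged user can write under these prefixes.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")


def normalize_key(key):
    r"""Rewrite a reg.exe key path into the \REGISTRY\MACHINE\... form the report's
    registry IoCs use. Assumes CurrentControlSet resolves to ControlSet001 (true for the
    sandbox run here, not necessarily on an arbitrary host)."""
    key = re.sub(r"^(HKLM|HKEY_LOCAL_MACHINE)\\", r"\\REGISTRY\\MACHINE\\", key, flags=re.I)
    key = re.sub(r"^\\REGISTRY\\MACHINE\\System\\", r"\\REGISTRY\\MACHINE\\SYSTEM\\", key, flags=re.I)
    return re.sub(r"\\CurrentControlSet\\", r"\\ControlSet001\\", key, flags=re.I)


def parse_reg_add(cmd):
    """Return (normalized key, value name, value type, data) for a REG ADD line, else None."""
    m = re.match(r"\s*REG\s+ADD\s+(\S+)", cmd, re.IGNORECASE)
    if not m:
        return None
    opts = {}
    for flag, value in re.findall(r'/([vtd])\s+("[^"]*"|\S+)', cmd, re.IGNORECASE):
        opts[flag.lower()] = value.strip('"')
    return normalize_key(m.group(1)), opts.get("v", ""), opts.get("t", ""), opts.get("d", "")


@dataclass
class Finding:
    key: str
    kind: str                  # "allow_exceptions" or "app_exception"
    program: str = ""
    display_name: str = ""
    enabled: bool = False
    user_writable: bool = False
    system_binary: bool = False


def triage_firewall_commands(commands):
    """Turn REG ADD command lines into firewall-tampering findings; other lines are ignored."""
    findings = []
    for cmd in commands:
        parsed = parse_reg_add(cmd)
        if not parsed or FIREWALL_POLICY not in parsed[0].lower():
            continue
        key, name, _vtype, data = parsed
        if name.lower() == "donotallowexceptions":
            # 0 re-enables the exception list; 1 is the "Don't allow exceptions" lockdown.
            findings.append(Finding(key, "allow_exceptions", enabled=(data == "0")))
        elif key.lower().endswith(LEGACY_LIST):
            m = LEGACY_VALUE_RE.match(data)
            program = m["path"] if m else name   # fall back to the value name if the data is malformed
            findings.append(Finding(
                key, "app_exception", program=program,
                display_name=m["name"] if m else "",
                enabled=bool(m) and m["state"].lower() == "enabled",
                user_writable=program.lower().startswith(USER_WRITABLE),
                system_binary=program.lower().startswith("c:\\windows\\"),
            ))
    return findings


def describe(f):
    """One-line triage verdict for a finding."""
    if f.kind == "allow_exceptions":
        return "DoNotAllowExceptions -> exceptions " + ("re-enabled" if f.enabled else "blocked")
    notes = []
    if f.system_binary:
        notes.append("signed system binary whitelisted: likely injection host")
    if f.user_writable:
        notes.append("user-writable path whitelisted: likely dropped payload")
    notes.append("legacy AuthorizedApplications format; modern rules live under "
                 "FirewallPolicy\\FirewallRules, so confirm on the target OS that this entry is enforced")
    state = "Enabled" if f.enabled else "Disabled"
    return f"{f.program} [{f.display_name}, {state}]: " + "; ".join(notes)


if __name__ == "__main__":
    for finding in triage_firewall_commands(OBSERVED_COMMANDS):
        print(describe(finding))
```

Feeding it process-creation telemetry (Sysmon event 1 command lines, for instance) rather than the report's copies is a matter of replacing OBSERVED_COMMANDS; the key normalisation is what lets the result be joined against registry-event telemetry that reports the \REGISTRY\MACHINE form.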
Processes
Tree depth is shown in brackets; indentation follows the parent/child relationship.

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23da40a6157e13bbeccdf5118648598c.exe (PID 4936)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23da40a6157e13bbeccdf5118648598c.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4592, parent PID 4936)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe (PID 928, parent PID 4592)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\reg.exe (PID 4856, parent PID 928)
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key

    [3] C:\Windows\SysWOW64\cmd.exe (PID 1380, parent PID 4592)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe:*:Enabled:Windows Messanger" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\reg.exe (PID 3708, parent PID 1380)
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key

    [3] C:\Windows\SysWOW64\cmd.exe (PID 1328, parent PID 4592)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\reg.exe (PID 4520, parent PID 1328)
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key

    [3] C:\Windows\SysWOW64\cmd.exe (PID 520, parent PID 4592)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TaskManager\taskhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TaskManager\taskhost.exe:*:Enabled:Windows Messanger" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\reg.exe (PID 1444, parent PID 520)
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TaskManager\taskhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TaskManager\taskhost.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key

  [2] C:\Users\Admin\AppData\Roaming\Microsoft\nsCfg.exe (PID 1968, parent PID 4936)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\nsCfg.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
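The process tree on its own shows a Microsoft .NET binary spawning cmd.exe and reg.exe, which is the picture an EDR console would present; attributing that activity to the sample requires joining the tree with the SetThreadContext and WriteProcessMemory events and the memory-dump YARA hits from the signatures above. The following is an added example, not code from the sandbox report or from the sample: the process list, API event strings and dump names are reconstructed from this report (repeated events collapsed, two of the eleven YARA hits kept), and the hollowing rule itself, a creator that both overwrites its child's memory and sets its thread context, with the payload then found in that child's memory, is this example's own heuristic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23da40a6157e13bbeccdf5118648598c.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
NSCFG = r"C:\Users\Admin\AppData\Roaming\Microsoft\nsCfg.exe"

# (pid, parent pid, image) for every process in the report's tree; 0 = parent not in the report.
PROCESS_STARTS = [
    (4936, 0, SAMPLE), (4592, 4936, CVTRES),
    (928, 4592, CMD), (4856, 928, REG),
    (1380, 4592, CMD), (3708, 1380, REG),
    (1328, 4592, CMD), (4520, 1328, REG),
    (520, 4592, CMD), (1444, 520, REG),
    (1968, 4936, NSCFG),
]

# API events in the report's own wording, repeats collapsed.
API_EVENTS = [
    "PID 4936 set thread context of 4592",
    "PID 4936 wrote to memory of 4592",
    "PID 4592 wrote to memory of 928",
    "PID 4592 wrote to memory of 1380",
    "PID 4592 wrote to memory of 1328",
    "PID 4592 wrote to memory of 520",
    "PID 928 wrote to memory of 4856",
    "PID 1380 wrote to memory of 3708",
    "PID 520 wrote to memory of 1444",
    "PID 1328 wrote to memory of 4520",
    "PID 4936 wrote to memory of 1968",
]

# Memory-dump YARA hits in the report's naming scheme (two of the eleven shown).
YARA_HITS = [
    "behavioral2/memory/4592-4-0x0000000000400000-0x00000000005A9000-memory.dmp family_blackshades",
    "behavioral2/memory/4592-35-0x0000000000400000-0x00000000005A9000-memory.dmp family_blackshades",
]

API_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\S+)")


@dataclass
class Hollowed:
    pid: int
    image: str
    injector: int
    region: tuple = None             # (start, end) of the dumped region carrying the payload
    yara_rules: set = field(default_factory=set)
    descendants: list = field(default_factory=list)


def find_hollowed_processes(starts, api_events, yara_hits):
    """Return {pid: Hollowed} for every child whose creator both wrote its memory and set
    its thread context, enriched with YARA hits in that child's memory and its subtree."""
    image = {pid: img for pid, _, img in starts}
    parent = {pid: ppid for pid, ppid, _ in starts}
    children = defaultdict(list)
    for pid, ppid, _ in starts:
        children[ppid].append(pid)

    wrote, ctx = defaultdict(set), defaultdict(set)
    for line in api_events:
        m = API_RE.fullmatch(line.strip())
        if m:
            (ctx if m[2].startswith("set") else wrote)[int(m[1])].add(int(m[3]))

    dumps = defaultdict(list)
    for line in yara_hits:
        m = DUMP_RE.search(line)
        if m:
            dumps[int(m[1])].append((int(m[2], 16), int(m[3], 16), m[4]))

    result = {}
    for pid, ppid in parent.items():
        # A plain CreateProcess never needs the parent to overwrite the new image and then
        # retarget its thread; the pair is the hollowing signal. Memory writes alone are
        # not: the sandbox logs them for cmd.exe -> reg.exe as well.
        if pid in ctx[ppid] and pid in wrote[ppid]:
            h = Hollowed(pid=pid, image=image[pid], injector=ppid)
            for start, end, rule in dumps[pid]:
                h.region = (start, end)
                h.yara_rules.add(rule)
            stack = list(children[pid])          # everything the host spawns is the payload acting
            while stack:
                child = stack.pop()
                h.descendants.append(child)
                stack.extend(children[child])
            result[pid] = h
    return result


if __name__ == "__main__":
    for pid, h in find_hollowed_processes(PROCESS_STARTS, API_EVENTS, YARA_HITS).items():
        region = f"{h.region[0]:#x}-{h.region[1]:#x}" if h.region else "no dump"
        print(f"PID {pid} ({h.image}) hollowed by PID {h.injector}; payload region {region} "
              f"matched {sorted(h.yara_rules)}; attributed children: {sorted(h.descendants)}")
```

The descendants list is the useful output for response: the four cmd.exe and four reg.exe instances look like cvtres.exe's children in a naive tree, but they belong to the Blackshades payload, while nsCfg.exe (started by the original sample with the ordinary three writes and no SetThreadContext) is correctly left out of the hollowed subtree and treated as a separate dropped executable.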
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 757KB
  MD5: 23da40a6157e13bbeccdf5118648598c
  SHA1: a46387e0d067862d3db1248e7e0d76b780020764
  SHA256: 032a0d61592304cf5f4e55e10a1628e540774e70d91b737de23f457e89b44b4b
  SHA512: f38b731122c22ecd36ab8233a844097d9880211dc3f58220d02776495616fdf9a225de9dfa72c71f66ff39cc049df439cad09fb3f7c55dbfbe9926d4c99f4078