Analysis
-
max time kernel
148s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
26/02/2025, 07:42
Behavioral task
behavioral1
Sample
JaffaCakes118_246f717d8e59e2a847ea10088e7fc420.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_246f717d8e59e2a847ea10088e7fc420.exe
Resource
win10v2004-20250217-en
General
-
Target
JaffaCakes118_246f717d8e59e2a847ea10088e7fc420.exe
-
Size
498KB
-
MD5
246f717d8e59e2a847ea10088e7fc420
-
SHA1
c8712eb6b011a03ff58ff1aacbc30fb732f5ea75
-
SHA256
9fd51adb9f0b82d257fd080853a946401bd2f9ddf58f1ff25580ab03f7a22137
-
SHA512
39b21a2e8c2034ba1f2131b9802a15de8b18120523c9b7176c82840241297976fa6dcbcb94b85061c0ae381a8b3501d3c6389de83418dd41db542a7c9c80e933
-
SSDEEP
12288:d9nbva6OOTChMrM8TjJH/XrOlznR1oMG2PdHI/:d9nbyWbfTdXi5oMG21HA
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 11 IoCs
resource yara_rule behavioral2/memory/2160-3-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/2160-5-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/2160-13-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/2160-14-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/2160-16-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/2160-17-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/2160-18-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/2160-20-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/2160-21-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/2160-22-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/2160-26-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\82ddEJPWZKIZ.exe = "C:\\Users\\Admin\\AppData\\Roaming\\82ddEJPWZKIZ.exe:*:Enabled:Windows Messanger" reg.exe -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4816 set thread context of 2160 4816 JaffaCakes118_246f717d8e59e2a847ea10088e7fc420.exe 87 -
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_246f717d8e59e2a847ea10088e7fc420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 1984 reg.exe 1944 reg.exe 640 reg.exe 2016 reg.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: 1 2160 vbc.exe Token: SeCreateTokenPrivilege 2160 vbc.exe Token: SeAssignPrimaryTokenPrivilege 2160 vbc.exe Token: SeLockMemoryPrivilege 2160 vbc.exe Token: SeIncreaseQuotaPrivilege 2160 vbc.exe Token: SeMachineAccountPrivilege 2160 vbc.exe Token: SeTcbPrivilege 2160 vbc.exe Token: SeSecurityPrivilege 2160 vbc.exe Token: SeTakeOwnershipPrivilege 2160 vbc.exe Token: SeLoadDriverPrivilege 2160 vbc.exe Token: SeSystemProfilePrivilege 2160 vbc.exe Token: SeSystemtimePrivilege 2160 vbc.exe Token: SeProfSingleProcessPrivilege 2160 vbc.exe Token: SeIncBasePriorityPrivilege 2160 vbc.exe Token: SeCreatePagefilePrivilege 2160 vbc.exe Token: SeCreatePermanentPrivilege 2160 vbc.exe Token: SeBackupPrivilege 2160 vbc.exe Token: SeRestorePrivilege 2160 vbc.exe Token: SeShutdownPrivilege 2160 vbc.exe Token: SeDebugPrivilege 2160 vbc.exe Token: SeAuditPrivilege 2160 vbc.exe Token: SeSystemEnvironmentPrivilege 2160 vbc.exe Token: SeChangeNotifyPrivilege 2160 vbc.exe Token: SeRemoteShutdownPrivilege 2160 vbc.exe Token: SeUndockPrivilege 2160 vbc.exe Token: SeSyncAgentPrivilege 2160 vbc.exe Token: SeEnableDelegationPrivilege 2160 vbc.exe Token: SeManageVolumePrivilege 2160 vbc.exe Token: SeImpersonatePrivilege 2160 vbc.exe Token: SeCreateGlobalPrivilege 2160 vbc.exe Token: 31 2160 vbc.exe Token: 32 2160 vbc.exe Token: 33 2160 vbc.exe Token: 34 2160 vbc.exe Token: 35 2160 vbc.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2160 vbc.exe 2160 vbc.exe 2160 vbc.exe 2160 vbc.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 4816 wrote to memory of 2160 4816 JaffaCakes118_246f717d8e59e2a847ea10088e7fc420.exe 87 PID 4816 wrote to memory of 2160 4816 JaffaCakes118_246f717d8e59e2a847ea10088e7fc420.exe 87 PID 4816 wrote to memory of 2160 4816 JaffaCakes118_246f717d8e59e2a847ea10088e7fc420.exe 87 PID 4816 wrote to memory of 2160 4816 JaffaCakes118_246f717d8e59e2a847ea10088e7fc420.exe 87 PID 4816 wrote to memory of 2160 4816 JaffaCakes118_246f717d8e59e2a847ea10088e7fc420.exe 87 PID 4816 wrote to memory of 2160 4816 JaffaCakes118_246f717d8e59e2a847ea10088e7fc420.exe 87 PID 4816 wrote to memory of 2160 4816 JaffaCakes118_246f717d8e59e2a847ea10088e7fc420.exe 87 PID 4816 wrote to memory of 2160 4816 JaffaCakes118_246f717d8e59e2a847ea10088e7fc420.exe 87 PID 2160 wrote to memory of 2404 2160 vbc.exe 88 PID 2160 wrote to memory of 2404 2160 vbc.exe 88 PID 2160 wrote to memory of 2404 2160 vbc.exe 88 PID 2160 wrote to memory of 2940 2160 vbc.exe 89 PID 2160 wrote to memory of 2940 2160 vbc.exe 89 PID 2160 wrote to memory of 2940 2160 vbc.exe 89 PID 2160 wrote to memory of 3856 2160 vbc.exe 90 PID 2160 wrote to memory of 3856 2160 vbc.exe 90 PID 2160 wrote to memory of 3856 2160 vbc.exe 90 PID 2160 wrote to memory of 5056 2160 vbc.exe 91 PID 2160 wrote to memory of 5056 2160 vbc.exe 91 PID 2160 wrote to memory of 5056 2160 vbc.exe 91 PID 2404 wrote to memory of 1984 2404 cmd.exe 96 PID 2404 wrote to memory of 1984 2404 cmd.exe 96 PID 2404 wrote to memory of 1984 2404 cmd.exe 96 PID 5056 wrote to memory of 2016 5056 cmd.exe 97 PID 5056 wrote to memory of 2016 5056 cmd.exe 97 PID 5056 wrote to memory of 2016 5056 cmd.exe 97 PID 3856 wrote to memory of 640 3856 cmd.exe 98 PID 3856 wrote to memory of 640 3856 cmd.exe 98 PID 3856 wrote to memory of 640 3856 cmd.exe 98 PID 2940 wrote to memory of 1944 2940 cmd.exe 99 PID 2940 wrote to memory of 1944 2940 cmd.exe 99 PID 2940 wrote to memory of 1944 2940 cmd.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_246f717d8e59e2a847ea10088e7fc420.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_246f717d8e59e2a847ea10088e7fc420.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1984
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1944
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:640
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\82ddEJPWZKIZ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\82ddEJPWZKIZ.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\82ddEJPWZKIZ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\82ddEJPWZKIZ.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2016
-
-
-