Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/02/2025, 12:23

General

  • Target

    JaffaCakes118_25e92fd1aa07db2d111cdaca3d8b2f80.exe

  • Size

    291KB

  • MD5

    25e92fd1aa07db2d111cdaca3d8b2f80

  • SHA1

    971b431292c7f8f926fc312f9be26e94a8086a38

  • SHA256

    611534fac217fb87d8f78173a046007a8fcd04141eb1436a155438d8cdc712df

  • SHA512

    c255e85868e77f3f273f9b4ec70d82f9fcbddc9adead97536800fb54baef02e0c3e877c0a5242ab61e6f1a110db751a7ebc9a69e089cbfa3b086b29d7bfe3382

  • SSDEEP

    6144:aNVcahFkKjejspcd41iUv5mBtzOd0e4omeqNMUtEfqGI+DPoSy:EmaP7jQ401D6d0ameDCGICoSy

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 12 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25e92fd1aa07db2d111cdaca3d8b2f80.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25e92fd1aa07db2d111cdaca3d8b2f80.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4436
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEDnl.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4112
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinUpdt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2344
    • C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe
      "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4696
      • C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe
        "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1904
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2592
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4756
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4048
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:880
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1136
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4956
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4452
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4884
      • C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe
        "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1924

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\JEDnl.txt

    Filesize

    152B

    MD5

    deba559edd7e3c8dcc3e27362ac41cde

    SHA1

    a5688d69bc779c836262874f344de154ae7e7219

    SHA256

    49f5709cc8357f7e406ae904f54d82d476094e2e93dc93308147d8ed9a175a90

    SHA512

    9296532fd85f48b49802be12a8581453f84274cada2433d082d5901bd86c57c86bdcc4bd4420d2f6014d1e964f0b1234eb0d34bd23ffad22c9ae02f615847fbd

  • C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.txt

    Filesize

    291KB

    MD5

    b16e489021ad0785d22542668ce80ce5

    SHA1

    83c659c0e4aaebd681fafef27a290cb4c14d4c15

    SHA256

    726390d8c95580825133cd70fdf6ba46036dc24ad0164d752a76a5b6aa64e7ba

    SHA512

    4ba36c0d4f36205a72a4ae897ef77872a6c1a83db5018e75ee6c5c7b8aa06bc85158db78ba2db1422af0223f3449eb10618fdcbcdd7ac3782ad7cf4a77b3f566

  • memory/1904-61-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1904-68-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1904-32-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1904-37-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1904-35-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1904-84-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1904-79-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1904-77-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1904-70-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1904-54-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1904-65-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1904-56-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1904-58-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1904-63-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1924-55-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1924-46-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1924-43-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1924-38-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4436-0-0x0000000000400000-0x00000000005B5000-memory.dmp

    Filesize

    1.7MB

  • memory/4436-29-0x0000000000400000-0x00000000005B5000-memory.dmp

    Filesize

    1.7MB

  • memory/4696-51-0x0000000000400000-0x00000000005B5000-memory.dmp

    Filesize

    1.7MB