Analysis

max time kernel: 149s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/02/2025, 12:23
Behavioral task: behavioral1
Sample: JaffaCakes118_25e92fd1aa07db2d111cdaca3d8b2f80.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_25e92fd1aa07db2d111cdaca3d8b2f80.exe
Resource: win10v2004-20250217-en
General

Target: JaffaCakes118_25e92fd1aa07db2d111cdaca3d8b2f80.exe
Size: 291KB
MD5: 25e92fd1aa07db2d111cdaca3d8b2f80
SHA1: 971b431292c7f8f926fc312f9be26e94a8086a38
SHA256: 611534fac217fb87d8f78173a046007a8fcd04141eb1436a155438d8cdc712df
SHA512: c255e85868e77f3f273f9b4ec70d82f9fcbddc9adead97536800fb54baef02e0c3e877c0a5242ab61e6f1a110db751a7ebc9a69e089cbfa3b086b29d7bfe3382
SSDEEP: 6144:aNVcahFkKjejspcd41iUv5mBtzOd0e4omeqNMUtEfqGI+DPoSy:EmaP7jQ401D6d0ameDCGICoSy
Malware Config
Signatures
Blackshades
Blackshades is a remote access trojan with various capabilities.

Blackshades family

Blackshades payload 12 IoCs

| resource | yara_rule |
|---|---|
| behavioral2/memory/1904-37-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/1904-54-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/1904-56-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/1904-58-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/1904-61-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/1904-63-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/1904-65-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/1904-68-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/1904-70-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/1904-77-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/1904-79-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/1904-84-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
Modifies firewall policy service 3 TTPs 10 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Window Updates\\winupdt3.exe:*:Enabled:Windows Messanger" | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\local.exe = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe:*:Enabled:Windows Messanger" | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe |
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | JaffaCakes118_25e92fd1aa07db2d111cdaca3d8b2f80.exe |
Executes dropped EXE 3 IoCs
| pid | Process |
|---|---|
| 4696 | winupdt3.exe |
| 1904 | winupdt3.exe |
| 1924 | winupdt3.exe |
Adds Run key to start application 2 TTPs 1 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdt = "C:\\Users\\Admin\\AppData\\Roaming\\Window Updates\\winupdt3.exe" | reg.exe |
Suspicious use of SetThreadContext 2 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4696 set thread context of 1904 | 4696 | winupdt3.exe | 92 |
| PID 4696 set thread context of 1924 | 4696 | winupdt3.exe | 93 |
UPX yara rule match 22 IoCs

| resource | yara_rule |
|---|---|
| behavioral2/memory/4436-0-0x0000000000400000-0x00000000005B5000-memory.dmp | upx |
| behavioral2/files/0x000a000000023c06-16.dat | upx |
| behavioral2/memory/4436-29-0x0000000000400000-0x00000000005B5000-memory.dmp | upx |
| behavioral2/memory/1904-32-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/1904-37-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/1904-35-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/1924-38-0x0000000000400000-0x0000000000409000-memory.dmp | upx |
| behavioral2/memory/1924-43-0x0000000000400000-0x0000000000409000-memory.dmp | upx |
| behavioral2/memory/1924-46-0x0000000000400000-0x0000000000409000-memory.dmp | upx |
| behavioral2/memory/4696-51-0x0000000000400000-0x00000000005B5000-memory.dmp | upx |
| behavioral2/memory/1904-54-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/1924-55-0x0000000000400000-0x0000000000409000-memory.dmp | upx |
| behavioral2/memory/1904-56-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/1904-58-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/1904-61-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/1904-63-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/1904-65-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/1904-68-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/1904-70-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/1904-77-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/1904-79-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/1904-84-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdt3.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_25e92fd1aa07db2d111cdaca3d8b2f80.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdt3.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdt3.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
Modifies registry key 1 TTPs 4 IoCs
| pid | Process |
|---|---|
| 4756 | reg.exe |
| 4884 | reg.exe |
| 4956 | reg.exe |
| 880 | reg.exe |
Suspicious use of AdjustPrivilegeToken 36 IoCs
| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 1924 | winupdt3.exe |
| Token: 1 | 1904 | winupdt3.exe |
| Token: SeCreateTokenPrivilege | 1904 | winupdt3.exe |
| Token: SeAssignPrimaryTokenPrivilege | 1904 | winupdt3.exe |
| Token: SeLockMemoryPrivilege | 1904 | winupdt3.exe |
| Token: SeIncreaseQuotaPrivilege | 1904 | winupdt3.exe |
| Token: SeMachineAccountPrivilege | 1904 | winupdt3.exe |
| Token: SeTcbPrivilege | 1904 | winupdt3.exe |
| Token: SeSecurityPrivilege | 1904 | winupdt3.exe |
| Token: SeTakeOwnershipPrivilege | 1904 | winupdt3.exe |
| Token: SeLoadDriverPrivilege | 1904 | winupdt3.exe |
| Token: SeSystemProfilePrivilege | 1904 | winupdt3.exe |
| Token: SeSystemtimePrivilege | 1904 | winupdt3.exe |
| Token: SeProfSingleProcessPrivilege | 1904 | winupdt3.exe |
| Token: SeIncBasePriorityPrivilege | 1904 | winupdt3.exe |
| Token: SeCreatePagefilePrivilege | 1904 | winupdt3.exe |
| Token: SeCreatePermanentPrivilege | 1904 | winupdt3.exe |
| Token: SeBackupPrivilege | 1904 | winupdt3.exe |
| Token: SeRestorePrivilege | 1904 | winupdt3.exe |
| Token: SeShutdownPrivilege | 1904 | winupdt3.exe |
| Token: SeDebugPrivilege | 1904 | winupdt3.exe |
| Token: SeAuditPrivilege | 1904 | winupdt3.exe |
| Token: SeSystemEnvironmentPrivilege | 1904 | winupdt3.exe |
| Token: SeChangeNotifyPrivilege | 1904 | winupdt3.exe |
| Token: SeRemoteShutdownPrivilege | 1904 | winupdt3.exe |
| Token: SeUndockPrivilege | 1904 | winupdt3.exe |
| Token: SeSyncAgentPrivilege | 1904 | winupdt3.exe |
| Token: SeEnableDelegationPrivilege | 1904 | winupdt3.exe |
| Token: SeManageVolumePrivilege | 1904 | winupdt3.exe |
| Token: SeImpersonatePrivilege | 1904 | winupdt3.exe |
| Token: SeCreateGlobalPrivilege | 1904 | winupdt3.exe |
| Token: 31 | 1904 | winupdt3.exe |
| Token: 32 | 1904 | winupdt3.exe |
| Token: 33 | 1904 | winupdt3.exe |
| Token: 34 | 1904 | winupdt3.exe |
| Token: 35 | 1904 | winupdt3.exe |
Suspicious use of SetWindowsHookEx 6 IoCs
| pid | Process |
|---|---|
| 4436 | JaffaCakes118_25e92fd1aa07db2d111cdaca3d8b2f80.exe |
| 4696 | winupdt3.exe |
| 1904 | winupdt3.exe |
| 1924 | winupdt3.exe |
| 1904 | winupdt3.exe |
| 1904 | winupdt3.exe |
Suspicious use of WriteProcessMemory 49 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4436 wrote to memory of 4112 | 4436 | JaffaCakes118_25e92fd1aa07db2d111cdaca3d8b2f80.exe | 87 |
| PID 4436 wrote to memory of 4112 | 4436 | JaffaCakes118_25e92fd1aa07db2d111cdaca3d8b2f80.exe | 87 |
| PID 4436 wrote to memory of 4112 | 4436 | JaffaCakes118_25e92fd1aa07db2d111cdaca3d8b2f80.exe | 87 |
| PID 4112 wrote to memory of 2344 | 4112 | cmd.exe | 90 |
| PID 4112 wrote to memory of 2344 | 4112 | cmd.exe | 90 |
| PID 4112 wrote to memory of 2344 | 4112 | cmd.exe | 90 |
| PID 4436 wrote to memory of 4696 | 4436 | JaffaCakes118_25e92fd1aa07db2d111cdaca3d8b2f80.exe | 91 |
| PID 4436 wrote to memory of 4696 | 4436 | JaffaCakes118_25e92fd1aa07db2d111cdaca3d8b2f80.exe | 91 |
| PID 4436 wrote to memory of 4696 | 4436 | JaffaCakes118_25e92fd1aa07db2d111cdaca3d8b2f80.exe | 91 |
| PID 4696 wrote to memory of 1904 | 4696 | winupdt3.exe | 92 |
| PID 4696 wrote to memory of 1904 | 4696 | winupdt3.exe | 92 |
| PID 4696 wrote to memory of 1904 | 4696 | winupdt3.exe | 92 |
| PID 4696 wrote to memory of 1904 | 4696 | winupdt3.exe | 92 |
| PID 4696 wrote to memory of 1904 | 4696 | winupdt3.exe | 92 |
| PID 4696 wrote to memory of 1904 | 4696 | winupdt3.exe | 92 |
| PID 4696 wrote to memory of 1904 | 4696 | winupdt3.exe | 92 |
| PID 4696 wrote to memory of 1904 | 4696 | winupdt3.exe | 92 |
| PID 4696 wrote to memory of 1924 | 4696 | winupdt3.exe | 93 |
| PID 4696 wrote to memory of 1924 | 4696 | winupdt3.exe | 93 |
| PID 4696 wrote to memory of 1924 | 4696 | winupdt3.exe | 93 |
| PID 4696 wrote to memory of 1924 | 4696 | winupdt3.exe | 93 |
| PID 4696 wrote to memory of 1924 | 4696 | winupdt3.exe | 93 |
| PID 4696 wrote to memory of 1924 | 4696 | winupdt3.exe | 93 |
| PID 4696 wrote to memory of 1924 | 4696 | winupdt3.exe | 93 |
| PID 4696 wrote to memory of 1924 | 4696 | winupdt3.exe | 93 |
| PID 1904 wrote to memory of 2592 | 1904 | winupdt3.exe | 94 |
| PID 1904 wrote to memory of 2592 | 1904 | winupdt3.exe | 94 |
| PID 1904 wrote to memory of 2592 | 1904 | winupdt3.exe | 94 |
| PID 1904 wrote to memory of 4048 | 1904 | winupdt3.exe | 95 |
| PID 1904 wrote to memory of 4048 | 1904 | winupdt3.exe | 95 |
| PID 1904 wrote to memory of 4048 | 1904 | winupdt3.exe | 95 |
| PID 1904 wrote to memory of 1136 | 1904 | winupdt3.exe | 96 |
| PID 1904 wrote to memory of 1136 | 1904 | winupdt3.exe | 96 |
| PID 1904 wrote to memory of 1136 | 1904 | winupdt3.exe | 96 |
| PID 1904 wrote to memory of 4452 | 1904 | winupdt3.exe | 97 |
| PID 1904 wrote to memory of 4452 | 1904 | winupdt3.exe | 97 |
| PID 1904 wrote to memory of 4452 | 1904 | winupdt3.exe | 97 |
| PID 2592 wrote to memory of 4756 | 2592 | cmd.exe | 102 |
| PID 2592 wrote to memory of 4756 | 2592 | cmd.exe | 102 |
| PID 2592 wrote to memory of 4756 | 2592 | cmd.exe | 102 |
| PID 4452 wrote to memory of 4884 | 4452 | cmd.exe | 103 |
| PID 4452 wrote to memory of 4884 | 4452 | cmd.exe | 103 |
| PID 4452 wrote to memory of 4884 | 4452 | cmd.exe | 103 |
| PID 1136 wrote to memory of 4956 | 1136 | cmd.exe | 104 |
| PID 1136 wrote to memory of 4956 | 1136 | cmd.exe | 104 |
| PID 1136 wrote to memory of 4956 | 1136 | cmd.exe | 104 |
| PID 4048 wrote to memory of 880 | 4048 | cmd.exe | 105 |
| PID 4048 wrote to memory of 880 | 4048 | cmd.exe | 105 |
| PID 4048 wrote to memory of 880 | 4048 | cmd.exe | 105 |
Processes

Process tree (indentation shows parent/child depth; the original report numbered the depth 1 to 5):

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25e92fd1aa07db2d111cdaca3d8b2f80.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25e92fd1aa07db2d111cdaca3d8b2f80.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4436

    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEDnl.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4112

        C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinUpdt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        PID: 2344

    C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4696

        C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 1904

            C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2592

                C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                - Modifies firewall policy service
                - System Location Discovery: System Language Discovery
                - Modifies registry key
                PID: 4756

            C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe:*:Enabled:Windows Messanger" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 4048

                C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe:*:Enabled:Windows Messanger" /f
                - Modifies firewall policy service
                - System Location Discovery: System Language Discovery
                - Modifies registry key
                PID: 880

            C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 1136

                C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                - Modifies firewall policy service
                - System Location Discovery: System Language Discovery
                - Modifies registry key
                PID: 4956

            C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 4452

                C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
                - Modifies firewall policy service
                - System Location Discovery: System Language Discovery
                - Modifies registry key
                PID: 4884

        C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt3.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 1924
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (3)
Downloads

Filesize: 152B
MD5: deba559edd7e3c8dcc3e27362ac41cde
SHA1: a5688d69bc779c836262874f344de154ae7e7219
SHA256: 49f5709cc8357f7e406ae904f54d82d476094e2e93dc93308147d8ed9a175a90
SHA512: 9296532fd85f48b49802be12a8581453f84274cada2433d082d5901bd86c57c86bdcc4bd4420d2f6014d1e964f0b1234eb0d34bd23ffad22c9ae02f615847fbd

Filesize: 291KB
MD5: b16e489021ad0785d22542668ce80ce5
SHA1: 83c659c0e4aaebd681fafef27a290cb4c14d4c15
SHA256: 726390d8c95580825133cd70fdf6ba46036dc24ad0164d752a76a5b6aa64e7ba
SHA512: 4ba36c0d4f36205a72a4ae897ef77872a6c1a83db5018e75ee6c5c7b8aa06bc85158db78ba2db1422af0223f3449eb10618fdcbcdd7ac3782ad7cf4a77b3f566