Overview

overview

10

Static

static

3

JaffaCakes...54.exe

windows7-x64

10

JaffaCakes...54.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/02/2025, 18:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_27dc34502ddd2b8fc2a33592154f4a54.exe

  • Size

    714KB

  • MD5

    27dc34502ddd2b8fc2a33592154f4a54

  • SHA1

    08b89cd4607dd9c3832c9678fa8f5ab50b089dbd

  • SHA256

    902dd6c3f7d699ae5fe651e9e5889ca2574bfc765f559ced1eb44553dfb92d44

  • SHA512

    5bf3fc950a3ec3baabb636c92be09cf42e760fb32b1d501bba46eadc32f3fe171d3fc914f32db4e72bc703efea0cc4068fb9227d03f658b39abf8a4669b19c56

  • SSDEEP

    12288:lwaGGmMtAONTKIKv3kYpDm2gh+EAck42ueKb1wGOyTx7yXH49N4rcWLqB:2aGGmifKBkYBm2Ek42BK4OzN4rcWg

Score
10/10
blackshadesdefense_evasiondiscoverypersistenceratupx

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

    ratblackshades
  • Blackshades family
    blackshades
  • Blackshades payload 12 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
    defense_evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_27dc34502ddd2b8fc2a33592154f4a54.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_27dc34502ddd2b8fc2a33592154f4a54.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:464
    • C:\Users\Admin\AppData\Local\Temp\MeTube.exe
      "C:\Users\Admin\AppData\Local\Temp\MeTube.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3132
    • C:\Users\Admin\AppData\Local\Temp\dllhost.exe
      "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240685078.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Dynamic Link Library Host Application" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\dllhost.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2252
      • C:\Users\Admin\AppData\Roaming\dllhost.exe
        "C:\Users\Admin\AppData\Roaming\dllhost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Users\Admin\AppData\Roaming\dllhost.exe
          C:\Users\Admin\AppData\Roaming\dllhost.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3348
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4440
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:4572
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\dllhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\dllhost.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4752
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\dllhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\dllhost.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:2856
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3188
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:4988
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\dllhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\dllhost.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1700
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\dllhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\dllhost.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:3764

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\240685078.bat
    Filesize

    164B

    MD5

    b9704bf428b27bd87e5ae473a01b74c5

    SHA1

    7c866d6ab4b427e3a98a02c393bcece54330948f

    SHA256

    88cc264bb711f3b783e5a77e907470ac068806a6e8b893a3ed1191bd32a45ba6

    SHA512

    b7eba47bef65b06d09fcfb7bf9a6a0b7080b2e231edd9b45ad2ace29aafeeae2129f488a01ac140ea1434788fdd804a316b69bfa45a575fa10748a4ea98418a8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MeTube.exe
    Filesize

    832KB

    MD5

    b0950b5dfa21732d042c41c539f00e95

    SHA1

    0a16d588b930380d03b8d04df1047430c6b5e589

    SHA256

    b95db549a97977f4ef413d5ce66e25e12328bd8cb807400eaefa3619b32a1f8d

    SHA512

    b5d2b2edb41604cddd7001fba16d75801dffa0bda63cbf6fe7ca0ed28355637d6facec372dfbea2b8b929d8417f034896d332bc1ee6ac8e6e7630584c150e166

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dllhost.exe
    Filesize

    260KB

    MD5

    ebd4d45d8e851f771e036dd04e7d7fba

    SHA1

    0c3ab59a6cae1a5a69f87dcd545a72ed81446bee

    SHA256

    dc70917774ea5f98d9f8ee7b8a7e5d4a62827ff042f9c656d68cc8d71fbd1128

    SHA512

    861820282abc758f7f7fb599bdddf8f97ae0c9f211f4b978c9e607f66862f89e17b75b36ec806a54cdbca7c3cd72801d5283d6f17d0209808745f0164b7b0176

    Download Submit

  • C:\Users\Admin\AppData\Roaming\dllhost.exe
    Filesize

    260KB

    MD5

    a805b839564f87cf4df5bb412bdddf33

    SHA1

    897aaaefce07e64c4178b792b941b6578c8d5a7d

    SHA256

    7cc48825f8bce1350b1f10f231c921234d2ecfdf917fd65b8de60742665df004

    SHA512

    28a64177af601f7d7bc56952ccc91733115adc4ba2a9a9884a73281652a02f41c400a736dc91af8236581fcc96ba7432ce96ce4965b964e9b4ad3da984647309

    Download Submit

  • memory/3132-22-0x0000000073D12000-0x0000000073D13000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3132-25-0x0000000073D10000-0x00000000742C1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3132-26-0x0000000073D10000-0x00000000742C1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3132-27-0x0000000073D10000-0x00000000742C1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3132-28-0x0000000073D10000-0x00000000742C1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3132-29-0x0000000073D12000-0x0000000073D13000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3132-30-0x0000000073D10000-0x00000000742C1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3132-31-0x0000000073D10000-0x00000000742C1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3348-50-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

    Download

  • memory/3348-53-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

    Download

  • memory/3348-54-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

    Download

  • memory/3348-61-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

    Download

  • memory/3348-62-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

    Download

  • memory/3348-64-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

    Download

  • memory/3348-65-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

    Download

  • memory/3348-66-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

    Download

  • memory/3348-68-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

    Download

  • memory/3348-69-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

    Download

  • memory/3348-70-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

    Download

  • memory/3348-72-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

    Download

  • memory/3348-73-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

    Download

  • memory/3348-74-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

    Download