blackshades | 10d2aaa78746040de85adcf15dd3f3f88743fdfd330fc3119eac17138d4720c7 | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...b0.exe

windows7-x64

JaffaCakes...b0.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_2d20442e0e96b9d965dbf668672b18b0
Size

544KB
Sample

250227-pavnjswxbs
MD5

2d20442e0e96b9d965dbf668672b18b0
SHA1

6f9cbaa81b9b9a78b5bca5c30212ab54b57c9109
SHA256

10d2aaa78746040de85adcf15dd3f3f88743fdfd330fc3119eac17138d4720c7
SHA512

47362165f75422be711b5a505a095cba92d73dd169ae2dd6d672d45beae325f46dffe87c34da34d3dd1880657dc0966d7238ec0ad0c0d412581e6a6525c2c433
SSDEEP

12288:5YQaAjZygAX+U4h4C2m4NWYjjS6vmuKXMlVVvG:faAjZylXaqCL45xuMlVV+

Score

10^/10

blackshades defense_evasion discovery persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_2d20442e0e96b9d965dbf668672b18b0.exe

Resource

win7-20240903-en

blackshades defense_evasion discovery persistence rat

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_2d20442e0e96b9d965dbf668672b18b0.exe

Resource

win10v2004-20250217-en

blackshades defense_evasion discovery persistence rat

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  JaffaCakes118_2d20442e0e96b9d965dbf668672b18b0
- Size
  
  544KB
- MD5
  
  2d20442e0e96b9d965dbf668672b18b0
- SHA1
  
  6f9cbaa81b9b9a78b5bca5c30212ab54b57c9109
- SHA256
  
  10d2aaa78746040de85adcf15dd3f3f88743fdfd330fc3119eac17138d4720c7
- SHA512
  
  47362165f75422be711b5a505a095cba92d73dd169ae2dd6d672d45beae325f46dffe87c34da34d3dd1880657dc0966d7238ec0ad0c0d412581e6a6525c2c433
- SSDEEP
  
  12288:5YQaAjZygAX+U4h4C2m4NWYjjS6vmuKXMlVVvG:faAjZylXaqCL45xuMlVV+
Score

10^/10

blackshades defense_evasion discovery persistence rat
- Blackshades
  Blackshades is a remote access trojan with various capabilities.
  rat blackshades
- Blackshades family
  blackshades
- Blackshades payload
- Modifies firewall policy service
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackshadesdefense_evasiondiscoverypersistencerat

behavioral2

blackshadesdefense_evasiondiscoverypersistencerat

© 2018-2025

Terms | Privacy