Overview

overview

10

Static

static

3

JaffaCakes...ce.exe

windows7-x64

10

JaffaCakes...ce.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
  • submitted
    02/03/2025, 10:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_3fc5b83fa65d7d09f83b9c2f6f60e8ce.exe

  • Size

    700KB

  • MD5

    3fc5b83fa65d7d09f83b9c2f6f60e8ce

  • SHA1

    9215a586003885fd92107ff03dd4f016d460f6fa

  • SHA256

    70313ae036ec75401b0b91ec06330572648a09f5e2a17b54315ea276630f4e2a

  • SHA512

    62a6eafa29e729d87ea9a1b14aa05d2b6dbe596adeea5d76dee82ae9631a9310d4c49f378688f965d08f405a243c4c5b76ca78794eb4385b9d0d17eaf9199ee3

  • SSDEEP

    12288:7hIxtRSqedX/75S9VKMreV5VoxLieB9CtV6tU+YsvqamctoJX4zNvGlEVFxhff:+xtiS9VBebkLCjzEA4zxCSFxhff

Score
10/10
blackshadesisrstealerbootkitdefense_evasiondiscoverypersistenceratspywarestealertrojanupx

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

    ratblackshades
  • Blackshades family
    blackshades
  • Blackshades payload 9 IoCs
  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 1 IoCs
  • Isrstealer family
    isrstealer
  • Modifies firewall policy service 3 TTPs 8 IoCs
    defense_evasion
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3fc5b83fa65d7d09f83b9c2f6f60e8ce.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3fc5b83fa65d7d09f83b9c2f6f60e8ce.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3fc5b83fa65d7d09f83b9c2f6f60e8ce.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3fc5b83fa65d7d09f83b9c2f6f60e8ce.exe"
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Users\Admin\AppData\Local\Temp\bot (2).exe
        "C:\Users\Admin\AppData\Local\Temp\bot (2).exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2368
        • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          PID:2928
      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3008
      • C:\Users\Admin\AppData\Local\Temp\A1Z7zq562.exe
        "C:\Users\Admin\AppData\Local\Temp\A1Z7zq562.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Users\Admin\AppData\Local\Temp\A1Z7zq562.exe
          "C:\Users\Admin\AppData\Local\Temp\A1Z7zq562.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2860
          • C:\Users\Admin\AppData\Local\Temp\A1Z7zq562.exe
            "C:\Users\Admin\AppData\Local\Temp\A1Z7zq562.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2900
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1512
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                7⤵
                • Modifies firewall policy service
                • System Location Discovery: System Language Discovery
                • Modifies registry key
                PID:1968
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\A1Z7zq562.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\A1Z7zq562.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:340
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\A1Z7zq562.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\A1Z7zq562.exe:*:Enabled:Windows Messanger" /f
                7⤵
                • Modifies firewall policy service
                • System Location Discovery: System Language Discovery
                • Modifies registry key
                PID:2136
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2592
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                7⤵
                • Modifies firewall policy service
                • System Location Discovery: System Language Discovery
                • Modifies registry key
                PID:1916
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1764
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
                7⤵
                • Modifies firewall policy service
                • System Location Discovery: System Language Discovery
                • Modifies registry key
                PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

3
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bot (2).exe
    Filesize

    127KB

    MD5

    57b97c1ab59765101441f95d90670b4f

    SHA1

    8a576f8102f418f59b6ddbcc1a84299e81aece43

    SHA256

    ee3557ca77ab8bedc49f5d7c55c278fd374a818617857b96e4471e181d72200d

    SHA512

    cdb184136dd2b7fe12a315db65d4f17ed89c9811e491955cd969f5e6ac751bde267ef12f9c4ff79ea16ea5a363c67d0c9e7554b1313f49364f14f711537d601b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\A1Z7zq562.exe
    Filesize

    332KB

    MD5

    ba5aac079caacb4fb1ecd39e7350a5b1

    SHA1

    b19c80ae8758990b1ed0252d5b33d40c050df3d5

    SHA256

    afb68924dcba04d8a37241c50a3795dca4976886f0ce3ce104f62ba54cb71435

    SHA512

    a7a116a75b3e0f760e332cd2a3b013e2152e820459aa06cf980e3decd9d01287da8dd6dc43997a4daaa7ef1bc922390a3dc8fdd03282ce7b11e5fa4f3ea72680

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Server.exe
    Filesize

    76KB

    MD5

    c42235295f14a41e311f0fb12df25993

    SHA1

    f5c1bac4ddbc54159b9fc306d460477a334f3b2c

    SHA256

    9ef27dbb8625812d1e45d38f1d897e88ca48077bc630f6c9cd8352d0a5ada39c

    SHA512

    9b749496f2ef75dda3a039e4381ce1aa057abff42f40bf5c3c67284c755bc0a22148520ec467438dc373e6f6eb4ee708d2eea6ceda569141fcbfd8fdebaf16ae

    Download Submit

  • memory/2368-60-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2404-6-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2404-4-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2404-2-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2404-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2404-12-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2404-15-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2404-95-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2860-66-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2860-75-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2860-73-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2860-68-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2860-64-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2860-90-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2900-86-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2900-101-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2900-83-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2900-81-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2900-79-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2900-89-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2900-121-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2900-98-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2900-118-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2900-88-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2900-105-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2900-115-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2900-108-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2900-111-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2928-110-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2928-107-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2928-117-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2928-100-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2928-120-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2928-97-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download