Analysis

  • max time kernel
    148s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/03/2025, 06:38

General

  • Target

    JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe

  • Size

    1.2MB

  • MD5

    50f12ac2dcbccdbca6f02556c59ad333

  • SHA1

    4edcf3d507d2d6cbf2c72dc863f81f266edc4b03

  • SHA256

    16e829c8ae6df558052c2fcf11b3657bafb371a5eadb4e401edd7d84739837e4

  • SHA512

    bfc0ac12d07405885318679fad12d4b47d70ff2139aa90357619f0acfebf3c019b90609d086430ef36e17f825919cd5e8bd262b211612cfb37d5c94d8f83d89a

  • SSDEEP

    24576:FjJNlqSmMf3k1szAy3h/FYMdTydelOJED0z3X9W2oe20h/HWlDBj:dJ+yfEs0y3BFYMdTydhJC0LXJX205HWj

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 12 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\Users\Admin\AppData\Local\Temp\wmplayer.exe
      "C:\Users\Admin\AppData\Local\Temp\wmplayer.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4524
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2192
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2888
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4772
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3000
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3340
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1968
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ApexDC.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ApexDC.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4928
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ApexDC.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ApexDC.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4084
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe"
      2⤵
        PID:2144

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\wmplayer.exe

            Filesize

            161KB

            MD5

            a0f1dfc9e47b2524213aff32e26be92d

            SHA1

            a58cb4ebd3fb3901235169b4eeba7737845ad735

            SHA256

            6ce68d565bbae511fd16cb6919efd18366990a06cf9c4a25f28dfd3345085d10

            SHA512

            bffcb2adbc2dc2d60e780d1cece068d9306eb6f1e94fe00833b9d5e45c8d78ad8decea513ca6a656fa71752c9696597ac849783f9178770261f4e4a0d6d83bbd

          • memory/1884-23-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

          • memory/1884-26-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

          • memory/1884-14-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

          • memory/1884-39-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

          • memory/1884-22-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

          • memory/1884-34-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

          • memory/1884-25-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

          • memory/1884-16-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

          • memory/1884-27-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

          • memory/1884-29-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

          • memory/1884-30-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

          • memory/1884-31-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

          • memory/4228-0-0x0000000000400000-0x0000000000616000-memory.dmp

            Filesize

            2.1MB

          • memory/4228-21-0x0000000000400000-0x0000000000616000-memory.dmp

            Filesize

            2.1MB