Analysis
- max time kernel: 148s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20250217-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/03/2025, 06:38
Behavioral task: behavioral1
- Sample: JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
- Resource: win10v2004-20250217-en
General
- Target: JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
- Size: 1.2MB
- MD5: 50f12ac2dcbccdbca6f02556c59ad333
- SHA1: 4edcf3d507d2d6cbf2c72dc863f81f266edc4b03
- SHA256: 16e829c8ae6df558052c2fcf11b3657bafb371a5eadb4e401edd7d84739837e4
- SHA512: bfc0ac12d07405885318679fad12d4b47d70ff2139aa90357619f0acfebf3c019b90609d086430ef36e17f825919cd5e8bd262b211612cfb37d5c94d8f83d89a
- SSDEEP: 24576:FjJNlqSmMf3k1szAy3h/FYMdTydelOJED0z3X9W2oe20h/HWlDBj:dJ+yfEs0y3BFYMdTydhJC0LXJX205HWj
Malware Config
Signatures
Blackshades
Blackshades is a remote access trojan with various capabilities.
Blackshades family
Blackshades payload 12 IoCs
resource | yara_rule
behavioral2/memory/1884-16-0x0000000000400000-0x0000000000471000-memory.dmp | family_blackshades
behavioral2/memory/1884-14-0x0000000000400000-0x0000000000471000-memory.dmp | family_blackshades
behavioral2/memory/1884-22-0x0000000000400000-0x0000000000471000-memory.dmp | family_blackshades
behavioral2/memory/1884-23-0x0000000000400000-0x0000000000471000-memory.dmp | family_blackshades
behavioral2/memory/1884-25-0x0000000000400000-0x0000000000471000-memory.dmp | family_blackshades
behavioral2/memory/1884-26-0x0000000000400000-0x0000000000471000-memory.dmp | family_blackshades
behavioral2/memory/1884-27-0x0000000000400000-0x0000000000471000-memory.dmp | family_blackshades
behavioral2/memory/1884-29-0x0000000000400000-0x0000000000471000-memory.dmp | family_blackshades
behavioral2/memory/1884-30-0x0000000000400000-0x0000000000471000-memory.dmp | family_blackshades
behavioral2/memory/1884-31-0x0000000000400000-0x0000000000471000-memory.dmp | family_blackshades
behavioral2/memory/1884-34-0x0000000000400000-0x0000000000471000-memory.dmp | family_blackshades
behavioral2/memory/1884-39-0x0000000000400000-0x0000000000471000-memory.dmp | family_blackshades
Modifies firewall policy service 3 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ApexDC.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ApexDC.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Executes dropped EXE 1 IoCs
pid | Process
4524 | wmplayer.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4228 set thread context of 1884 | 4228 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 91
UPX packed (yara rule upx) 2 IoCs
resource | yara_rule
behavioral2/memory/4228-0-0x0000000000400000-0x0000000000616000-memory.dmp | upx
behavioral2/memory/4228-21-0x0000000000400000-0x0000000000616000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmplayer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry key 1 TTPs 4 IoCs
pid | Process
3000 | reg.exe
1968 | reg.exe
4084 | reg.exe
2888 | reg.exe
Suspicious use of AdjustPrivilegeToken 35 IoCs
description | pid | Process
Token: 1 | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeCreateTokenPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeAssignPrimaryTokenPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeLockMemoryPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeIncreaseQuotaPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeMachineAccountPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeTcbPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeSecurityPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeTakeOwnershipPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeLoadDriverPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeSystemProfilePrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeSystemtimePrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeProfSingleProcessPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeIncBasePriorityPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeCreatePagefilePrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeCreatePermanentPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeBackupPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeRestorePrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeShutdownPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeDebugPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeAuditPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeSystemEnvironmentPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeChangeNotifyPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeRemoteShutdownPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeUndockPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeSyncAgentPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeEnableDelegationPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeManageVolumePrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeImpersonatePrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: SeCreateGlobalPrivilege | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: 31 | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: 32 | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: 33 | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: 34 | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Token: 35 | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
4228 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 4228 wrote to memory of 4524 | 4228 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 89
PID 4228 wrote to memory of 4524 | 4228 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 89
PID 4228 wrote to memory of 4524 | 4228 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 89
PID 4228 wrote to memory of 1884 | 4228 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 91
PID 4228 wrote to memory of 1884 | 4228 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 91
PID 4228 wrote to memory of 1884 | 4228 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 91
PID 4228 wrote to memory of 1884 | 4228 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 91
PID 4228 wrote to memory of 1884 | 4228 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 91
PID 4228 wrote to memory of 1884 | 4228 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 91
PID 4228 wrote to memory of 1884 | 4228 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 91
PID 4228 wrote to memory of 1884 | 4228 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 91
PID 1884 wrote to memory of 2192 | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 92
PID 1884 wrote to memory of 2192 | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 92
PID 1884 wrote to memory of 2192 | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 92
PID 1884 wrote to memory of 4772 | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 93
PID 1884 wrote to memory of 4772 | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 93
PID 1884 wrote to memory of 4772 | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 93
PID 1884 wrote to memory of 3340 | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 94
PID 1884 wrote to memory of 3340 | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 94
PID 1884 wrote to memory of 3340 | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 94
PID 1884 wrote to memory of 4928 | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 95
PID 1884 wrote to memory of 4928 | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 95
PID 1884 wrote to memory of 4928 | 1884 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 95
PID 4228 wrote to memory of 2144 | 4228 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 99
PID 4228 wrote to memory of 2144 | 4228 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 99
PID 4228 wrote to memory of 2144 | 4228 | JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe | 99
PID 4772 wrote to memory of 3000 | 4772 | cmd.exe | 101
PID 4772 wrote to memory of 3000 | 4772 | cmd.exe | 101
PID 4772 wrote to memory of 3000 | 4772 | cmd.exe | 101
PID 3340 wrote to memory of 1968 | 3340 | cmd.exe | 102
PID 3340 wrote to memory of 1968 | 3340 | cmd.exe | 102
PID 3340 wrote to memory of 1968 | 3340 | cmd.exe | 102
PID 4928 wrote to memory of 4084 | 4928 | cmd.exe | 103
PID 4928 wrote to memory of 4084 | 4928 | cmd.exe | 103
PID 4928 wrote to memory of 4084 | 4928 | cmd.exe | 103
PID 2192 wrote to memory of 2888 | 2192 | cmd.exe | 104
PID 2192 wrote to memory of 2888 | 2192 | cmd.exe | 104
PID 2192 wrote to memory of 2888 | 2192 | cmd.exe | 104
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe (PID:4228)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\wmplayer.exe (PID:4524)
    Command line: "C:\Users\Admin\AppData\Local\Temp\wmplayer.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe (PID:1884)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID:2192)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID:2888)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID:4772)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID:3000)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID:3340)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID:1968)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID:4928)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ApexDC.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ApexDC.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID:4084)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ApexDC.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ApexDC.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe (PID:2144)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50f12ac2dcbccdbca6f02556c59ad333.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 161KB
- MD5: a0f1dfc9e47b2524213aff32e26be92d
- SHA1: a58cb4ebd3fb3901235169b4eeba7737845ad735
- SHA256: 6ce68d565bbae511fd16cb6919efd18366990a06cf9c4a25f28dfd3345085d10
- SHA512: bffcb2adbc2dc2d60e780d1cece068d9306eb6f1e94fe00833b9d5e45c8d78ad8decea513ca6a656fa71752c9696597ac849783f9178770261f4e4a0d6d83bbd