Analysis
-
max time kernel
91s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system -
submitted
05/03/2025, 19:07
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe
Resource
win10v2004-20250217-en
General
-
Target
JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe
-
Size
2.2MB
-
MD5
5342bb5c52f3d500f72b8af90f55037b
-
SHA1
baf8aea13305a21bbc68e5d4307556f5bbbc8a45
-
SHA256
44a9fc0e80e1c0fc336ad9ffbcfb6798df39edce12e3307e99856262609af562
-
SHA512
6ea93af0a65a86e19e66e1de17c7f679e022b1df8d72a7b0ccc49c082731f4c18c4a983b4965d845ef5c0366f79e4fa1ab9d2d12a7a09d5917584b9a6ac65c92
-
SSDEEP
3072:70flfMKbX5Mp9Zit/oRr69t6lKpQRrndKEbt1z8P8mBo6:T9Zit/oRr69t6lKpQRrndKEbMD
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 1 IoCs
resource | yara_rule
behavioral2/memory/2296-29-0x000000001B490000-0x000000001B4DF000-memory.dmp | family_blackshades
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe
-
Executes dropped EXE 2 IoCs
pid | Process
2296 | CC.exe
4972 | ErrorMessage.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\CC.exe" | CC.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ErrorMessage.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 4552 wrote to memory of 2296 | 4552 | JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe | 85
PID 4552 wrote to memory of 2296 | 4552 | JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe | 85
PID 4552 wrote to memory of 4972 | 4552 | JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe | 86
PID 4552 wrote to memory of 4972 | 4552 | JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe | 86
PID 4552 wrote to memory of 4972 | 4552 | JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe | 86
PID 2296 wrote to memory of 1052 | 2296 | CC.exe | 87
PID 2296 wrote to memory of 1052 | 2296 | CC.exe | 87
PID 2296 wrote to memory of 1052 | 2296 | CC.exe | 87
PID 2296 wrote to memory of 4560 | 2296 | CC.exe | 88
PID 2296 wrote to memory of 4560 | 2296 | CC.exe | 88
PID 2296 wrote to memory of 4560 | 2296 | CC.exe | 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe"
  PID: 4552
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\CC.exe
    command line: "C:\Users\Admin\AppData\Roaming\CC.exe"
    PID: 2296
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      PID: 1052
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      PID: 4560
  C:\Users\Admin\AppData\Roaming\ErrorMessage.exe
    command line: "C:\Users\Admin\AppData\Roaming\ErrorMessage.exe"
    PID: 4972
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
812KB
MD5
c513692858adb889f6af422ba6e81d33
SHA1
723b34d53579dfa45afbd95ce9867b7da5ef4b3b
SHA256
6cdb5e83b3f36eaef7b0d1378fbd0c16192d13bf82ee6a48effeca17174bd8ff
SHA512
af3dcbef4034815756d6f3243448b8bb89fed58b7ae9109ef0f91b3a9198910c2e7de15f3cb214efb5df6be961b5415fa4f64d04e9d7461c5fb9636098a21842
-
Filesize
7KB
MD5
213f86f19f786737fd34ba47e048b024
SHA1
0b6676d878f350b6089e380ac1494113df2344ac
SHA256
40d7b4eb607e1089a18f97ee9016a05c15e7266d5882c0b7d9e678341cfb2d78
SHA512
fb7f2eda15f048f0d345c047b86af0b227b2ac07dd0c331e29bb7611d10583f4b47a1ba981fbb1a46c04c083d8b38717693771bab9e733e8e8689d98e95cf79b