Malware Analysis Report

2025-05-28 17:56

Sample ID: 250305-xstg7swry5
Target: JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b
SHA256: 44a9fc0e80e1c0fc336ad9ffbcfb6798df39edce12e3307e99856262609af562
Tags: blackshades discovery persistence rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 44a9fc0e80e1c0fc336ad9ffbcfb6798df39edce12e3307e99856262609af562
Threat Level: Known bad

The file JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b was found to be: Known bad.

Malicious Activity Summary

Tags: blackshades discovery persistence rat

Blackshades
Blackshades family
Blackshades payload
Executes dropped EXE
Uses the VBS compiler for execution
Checks computer location settings
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-03-05 19:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-03-05 19:07
Reported: 2025-03-05 19:10
Platform: win7-20241010-en
Max time kernel: 12s
Max time network: 19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe"

Signatures

Blackshades (rat blackshades)

Blackshades family (blackshades)

Blackshades payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\CC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\ErrorMessage.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\CC.exe" | C:\Users\Admin\AppData\Roaming\CC.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery (discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ErrorMessage.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2988 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe | C:\Users\Admin\AppData\Roaming\CC.exe
PID 2988 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe | C:\Users\Admin\AppData\Roaming\CC.exe
PID 2988 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe | C:\Users\Admin\AppData\Roaming\CC.exe
PID 2988 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe | C:\Users\Admin\AppData\Roaming\ErrorMessage.exe
PID 2988 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe | C:\Users\Admin\AppData\Roaming\ErrorMessage.exe
PID 2988 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe | C:\Users\Admin\AppData\Roaming\ErrorMessage.exe
PID 2988 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe | C:\Users\Admin\AppData\Roaming\ErrorMessage.exe
PID 1172 wrote to memory of 1468 | N/A | C:\Users\Admin\AppData\Roaming\CC.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1172 wrote to memory of 1468 | N/A | C:\Users\Admin\AppData\Roaming\CC.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1172 wrote to memory of 1468 | N/A | C:\Users\Admin\AppData\Roaming\CC.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1172 wrote to memory of 1468 | N/A | C:\Users\Admin\AppData\Roaming\CC.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1172 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Roaming\CC.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1172 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Roaming\CC.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1172 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Roaming\CC.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1172 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Roaming\CC.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe"

C:\Users\Admin\AppData\Roaming\CC.exe
  "C:\Users\Admin\AppData\Roaming\CC.exe"

C:\Users\Admin\AppData\Roaming\ErrorMessage.exe
  "C:\Users\Admin\AppData\Roaming\ErrorMessage.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Network

N/A

Files

memory/2988-0-0x000007FEF672E000-0x000007FEF672F000-memory.dmp

C:\Users\Admin\AppData\Roaming\CC.exe
  MD5:    c513692858adb889f6af422ba6e81d33
  SHA1:   723b34d53579dfa45afbd95ce9867b7da5ef4b3b
  SHA256: 6cdb5e83b3f36eaef7b0d1378fbd0c16192d13bf82ee6a48effeca17174bd8ff
  SHA512: af3dcbef4034815756d6f3243448b8bb89fed58b7ae9109ef0f91b3a9198910c2e7de15f3cb214efb5df6be961b5415fa4f64d04e9d7461c5fb9636098a21842

C:\Users\Admin\AppData\Roaming\ErrorMessage.exe
  MD5:    213f86f19f786737fd34ba47e048b024
  SHA1:   0b6676d878f350b6089e380ac1494113df2344ac
  SHA256: 40d7b4eb607e1089a18f97ee9016a05c15e7266d5882c0b7d9e678341cfb2d78
  SHA512: fb7f2eda15f048f0d345c047b86af0b227b2ac07dd0c331e29bb7611d10583f4b47a1ba981fbb1a46c04c083d8b38717693771bab9e733e8e8689d98e95cf79b

memory/2988-14-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

memory/1172-15-0x00000000020F0000-0x000000000213F000-memory.dmp

memory/1172-16-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

memory/1172-17-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

memory/2956-18-0x00000000006B0000-0x00000000006F0000-memory.dmp

memory/1172-19-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-03-05 19:07
Reported: 2025-03-05 19:09
Platform: win10v2004-20250217-en
Max time kernel: 91s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe"

Signatures

Blackshades (rat blackshades)

Blackshades family (blackshades)

Blackshades payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\CC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\ErrorMessage.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\CC.exe" | C:\Users\Admin\AppData\Roaming\CC.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery (discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ErrorMessage.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4552 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe | C:\Users\Admin\AppData\Roaming\CC.exe
PID 4552 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe | C:\Users\Admin\AppData\Roaming\CC.exe
PID 4552 wrote to memory of 4972 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe | C:\Users\Admin\AppData\Roaming\ErrorMessage.exe
PID 4552 wrote to memory of 4972 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe | C:\Users\Admin\AppData\Roaming\ErrorMessage.exe
PID 4552 wrote to memory of 4972 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe | C:\Users\Admin\AppData\Roaming\ErrorMessage.exe
PID 2296 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Roaming\CC.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2296 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Roaming\CC.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2296 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Roaming\CC.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2296 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Roaming\CC.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2296 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Roaming\CC.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2296 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Roaming\CC.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5342bb5c52f3d500f72b8af90f55037b.exe"

C:\Users\Admin\AppData\Roaming\CC.exe
  "C:\Users\Admin\AppData\Roaming\CC.exe"

C:\Users\Admin\AppData\Roaming\ErrorMessage.exe
  "C:\Users\Admin\AppData\Roaming\ErrorMessage.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

memory/4552-0-0x00007FFDAF6E5000-0x00007FFDAF6E6000-memory.dmp

memory/4552-1-0x000000001B430000-0x000000001B4D6000-memory.dmp

memory/4552-2-0x00007FFDAF430000-0x00007FFDAFDD1000-memory.dmp

memory/4552-4-0x00007FFDAF430000-0x00007FFDAFDD1000-memory.dmp

C:\Users\Admin\AppData\Roaming\CC.exe
  MD5:    c513692858adb889f6af422ba6e81d33
  SHA1:   723b34d53579dfa45afbd95ce9867b7da5ef4b3b
  SHA256: 6cdb5e83b3f36eaef7b0d1378fbd0c16192d13bf82ee6a48effeca17174bd8ff
  SHA512: af3dcbef4034815756d6f3243448b8bb89fed58b7ae9109ef0f91b3a9198910c2e7de15f3cb214efb5df6be961b5415fa4f64d04e9d7461c5fb9636098a21842

C:\Users\Admin\AppData\Roaming\ErrorMessage.exe
  MD5:    213f86f19f786737fd34ba47e048b024
  SHA1:   0b6676d878f350b6089e380ac1494113df2344ac
  SHA256: 40d7b4eb607e1089a18f97ee9016a05c15e7266d5882c0b7d9e678341cfb2d78
  SHA512: fb7f2eda15f048f0d345c047b86af0b227b2ac07dd0c331e29bb7611d10583f4b47a1ba981fbb1a46c04c083d8b38717693771bab9e733e8e8689d98e95cf79b

memory/2296-28-0x000000001BA80000-0x000000001BF4E000-memory.dmp

memory/2296-31-0x00007FFDAF430000-0x00007FFDAFDD1000-memory.dmp

memory/4552-30-0x00007FFDAF430000-0x00007FFDAFDD1000-memory.dmp

memory/2296-29-0x000000001B490000-0x000000001B4DF000-memory.dmp

memory/2296-27-0x00007FFDAF430000-0x00007FFDAFDD1000-memory.dmp

memory/4972-35-0x0000000074612000-0x0000000074613000-memory.dmp

memory/2296-34-0x00007FFDAF430000-0x00007FFDAFDD1000-memory.dmp

memory/4972-36-0x0000000074610000-0x0000000074BC1000-memory.dmp

memory/2296-33-0x00007FFDAF430000-0x00007FFDAFDD1000-memory.dmp

memory/4972-38-0x0000000074610000-0x0000000074BC1000-memory.dmp