Analysis
- max time kernel: 148s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
- submitted: 06/03/2025, 09:49
Static task: static1

Behavioral task: behavioral1
- Sample: JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
- Resource: win7-20241023-en

Behavioral task: behavioral2
- Sample: JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
- Resource: win10v2004-20250217-en
General
- Target: JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
- Size: 183KB
- MD5: 55e4addec5ae8395a4a2f0f54e8a8874
- SHA1: d723dfe11796983824bc019323336da59177765b
- SHA256: 2e41ecd94e42fc99d61b18a2d7006fc7dc2b022443acb40138cd36071ad50eb5
- SHA512: d8eb5171ae1ca6f363470734f0ac55bfe2c42a0196763f8f16316654507832fab79b13d8468b7ff01affda961ee549c28c7450b1b0d2f50104423c38f9028b5b
- SSDEEP: 3072:6s2mdXGrYfOGJRUDLlpNp4q1drRn/lTLY7XrFW6SRuYWJTb:cUfcLlpNjl/hLY777SRuN
Malware Config
Signatures
- Blackshades
  Blackshades is a remote access trojan with various capabilities.

- Blackshades family

- Blackshades payload (12 IoCs)

  resource | yara_rule
  behavioral1/memory/2588-10-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral1/memory/2588-11-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral1/memory/2588-17-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral1/memory/2588-18-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral1/memory/2588-20-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral1/memory/2588-21-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral1/memory/2588-22-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral1/memory/2588-24-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral1/memory/2588-25-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral1/memory/2588-26-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral1/memory/2588-29-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
  behavioral1/memory/2588-32-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
- Modifies firewall policy service (3 TTPs, 8 IoCs)

  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ziao.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ziao.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
- Suspicious use of SetThreadContext (1 IoC)

  description | pid | Process | procid_target
  PID 2020 set thread context of 2588 | 2020 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 31

- (yara rule: upx, 17 IoCs)

  resource | yara_rule
  behavioral1/memory/2588-4-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2588-8-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2588-5-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2588-3-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2588-9-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2588-10-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2588-11-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2588-17-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2588-18-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2588-20-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2588-21-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2588-22-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2588-24-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2588-25-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2588-26-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2588-29-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2588-32-0x0000000000400000-0x0000000000473000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
- Modifies registry key (1 TTP, 4 IoCs)

  pid | Process
  2832 | reg.exe
  2788 | reg.exe
  2912 | reg.exe
  2880 | reg.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)

  description | pid | Process
  Token: 1 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeCreateTokenPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeAssignPrimaryTokenPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeLockMemoryPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeIncreaseQuotaPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeMachineAccountPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeTcbPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeSecurityPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeTakeOwnershipPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeLoadDriverPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeSystemProfilePrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeSystemtimePrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeProfSingleProcessPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeIncBasePriorityPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeCreatePagefilePrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeCreatePermanentPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeBackupPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeRestorePrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeShutdownPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeDebugPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeAuditPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeSystemEnvironmentPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeChangeNotifyPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeRemoteShutdownPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeUndockPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeSyncAgentPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeEnableDelegationPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeManageVolumePrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeImpersonatePrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: SeCreateGlobalPrivilege | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: 31 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: 32 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: 33 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: 34 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Token: 35 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)

  pid | Process
  2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
- Suspicious use of WriteProcessMemory (39 IoCs)

  description | pid | Process | procid_target
  PID 2020 wrote to memory of 2588 | 2020 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 31
  PID 2020 wrote to memory of 2588 | 2020 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 31
  PID 2020 wrote to memory of 2588 | 2020 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 31
  PID 2020 wrote to memory of 2588 | 2020 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 31
  PID 2020 wrote to memory of 2588 | 2020 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 31
  PID 2020 wrote to memory of 2588 | 2020 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 31
  PID 2020 wrote to memory of 2588 | 2020 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 31
  PID 2588 wrote to memory of 2592 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 32
  PID 2588 wrote to memory of 2592 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 32
  PID 2588 wrote to memory of 2592 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 32
  PID 2588 wrote to memory of 2592 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 32
  PID 2588 wrote to memory of 2612 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 33
  PID 2588 wrote to memory of 2612 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 33
  PID 2588 wrote to memory of 2612 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 33
  PID 2588 wrote to memory of 2612 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 33
  PID 2588 wrote to memory of 1732 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 35
  PID 2588 wrote to memory of 1732 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 35
  PID 2588 wrote to memory of 1732 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 35
  PID 2588 wrote to memory of 1732 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 35
  PID 2588 wrote to memory of 2604 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 36
  PID 2588 wrote to memory of 2604 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 36
  PID 2588 wrote to memory of 2604 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 36
  PID 2588 wrote to memory of 2604 | 2588 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 36
  PID 2592 wrote to memory of 2832 | 2592 | cmd.exe | 41
  PID 2592 wrote to memory of 2832 | 2592 | cmd.exe | 41
  PID 2592 wrote to memory of 2832 | 2592 | cmd.exe | 41
  PID 2592 wrote to memory of 2832 | 2592 | cmd.exe | 41
  PID 2604 wrote to memory of 2912 | 2604 | cmd.exe | 43
  PID 2604 wrote to memory of 2912 | 2604 | cmd.exe | 43
  PID 2604 wrote to memory of 2912 | 2604 | cmd.exe | 43
  PID 2604 wrote to memory of 2912 | 2604 | cmd.exe | 43
  PID 1732 wrote to memory of 2880 | 1732 | cmd.exe | 42
  PID 1732 wrote to memory of 2880 | 1732 | cmd.exe | 42
  PID 1732 wrote to memory of 2880 | 1732 | cmd.exe | 42
  PID 1732 wrote to memory of 2880 | 1732 | cmd.exe | 42
  PID 2612 wrote to memory of 2788 | 2612 | cmd.exe | 40
  PID 2612 wrote to memory of 2788 | 2612 | cmd.exe | 40
  PID 2612 wrote to memory of 2788 | 2612 | cmd.exe | 40
  PID 2612 wrote to memory of 2788 | 2612 | cmd.exe | 40
Processes
(process tree; each entry gives the image path, the command line, the PID and the signatures that fired, with child processes indented beneath their parent)

- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe"
  PID: 2020
  Signatures:
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
    PID: 2588
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 2592
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 2832
        Signatures:
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe:*:Enabled:Windows Messanger" /f
      PID: 2612
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe:*:Enabled:Windows Messanger" /f
        PID: 2788
        Signatures:
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 1732
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 2880
        Signatures:
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ziao.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ziao.exe:*:Enabled:Windows Messanger" /f
      PID: 2604
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ziao.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ziao.exe:*:Enabled:Windows Messanger" /f
        PID: 2912
        Signatures:
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key