Analysis

  • max time kernel
    148s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2025, 09:49

General

  • Target

    JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe

  • Size

    183KB

  • MD5

    55e4addec5ae8395a4a2f0f54e8a8874

  • SHA1

    d723dfe11796983824bc019323336da59177765b

  • SHA256

    2e41ecd94e42fc99d61b18a2d7006fc7dc2b022443acb40138cd36071ad50eb5

  • SHA512

    d8eb5171ae1ca6f363470734f0ac55bfe2c42a0196763f8f16316654507832fab79b13d8468b7ff01affda961ee549c28c7450b1b0d2f50104423c38f9028b5b

  • SSDEEP

    3072:6s2mdXGrYfOGJRUDLlpNp4q1drRn/lTLY7XrFW6SRuYWJTb:cUfcLlpNjl/hLY777SRuN

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 12 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2832
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2788
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2880
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ziao.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ziao.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ziao.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ziao.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2912

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2020-7-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

        • memory/2020-0-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

        • memory/2588-17-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

        • memory/2588-18-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

        • memory/2588-5-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

        • memory/2588-3-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

        • memory/2588-9-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

        • memory/2588-1-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

        • memory/2588-10-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

        • memory/2588-11-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

        • memory/2588-4-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

        • memory/2588-8-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

        • memory/2588-20-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

        • memory/2588-21-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

        • memory/2588-22-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

        • memory/2588-24-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

        • memory/2588-25-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

        • memory/2588-26-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

        • memory/2588-29-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

        • memory/2588-32-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB