Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20250217-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/03/2025, 09:49
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
- Resource: win10v2004-20250217-en
General
- Target: JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
- Size: 183KB
- MD5: 55e4addec5ae8395a4a2f0f54e8a8874
- SHA1: d723dfe11796983824bc019323336da59177765b
- SHA256: 2e41ecd94e42fc99d61b18a2d7006fc7dc2b022443acb40138cd36071ad50eb5
- SHA512: d8eb5171ae1ca6f363470734f0ac55bfe2c42a0196763f8f16316654507832fab79b13d8468b7ff01affda961ee549c28c7450b1b0d2f50104423c38f9028b5b
- SSDEEP: 3072:6s2mdXGrYfOGJRUDLlpNp4q1drRn/lTLY7XrFW6SRuYWJTb:cUfcLlpNjl/hLY777SRuN
Malware Config
Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.

Blackshades family

Blackshades payload 12 IoCs
resource | yara_rule
behavioral2/memory/1112-6-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/1112-12-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/1112-14-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/1112-16-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/1112-17-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/1112-18-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/1112-20-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/1112-21-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/1112-22-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/1112-24-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/1112-25-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
behavioral2/memory/1112-26-0x0000000000400000-0x0000000000473000-memory.dmp | family_blackshades
Modifies firewall policy service 3 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ziao.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ziao.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe:*:Enabled:Windows Messanger" | reg.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1548 set thread context of 1112 | 1548 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 86
resource | yara_rule
behavioral2/memory/1112-1-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/1112-3-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/1112-6-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/1112-12-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/1112-14-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/1112-16-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/1112-17-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/1112-18-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/1112-20-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/1112-21-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/1112-22-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/1112-24-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/1112-25-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/1112-26-0x0000000000400000-0x0000000000473000-memory.dmp | upx
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
Modifies registry key 1 TTPs 4 IoCs
pid | Process
724 | reg.exe
4044 | reg.exe
3928 | reg.exe
4560 | reg.exe
Suspicious use of AdjustPrivilegeToken 35 IoCs
description | pid | Process
All 35 entries have pid 1112, Process JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe, with the following Token values, in order:
Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
1112 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
1112 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
1112 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
Suspicious use of WriteProcessMemory 31 IoCs
description | pid | Process | procid_target | entries
PID 1548 wrote to memory of 1112 | 1548 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 86 | 7
PID 1112 wrote to memory of 3564 | 1112 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 87 | 3
PID 1112 wrote to memory of 4300 | 1112 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 88 | 3
PID 1112 wrote to memory of 3136 | 1112 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 89 | 3
PID 1112 wrote to memory of 5104 | 1112 | JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe | 90 | 3
PID 3564 wrote to memory of 724 | 3564 | cmd.exe | 95 | 3
PID 4300 wrote to memory of 4044 | 4300 | cmd.exe | 96 | 3
PID 3136 wrote to memory of 3928 | 3136 | cmd.exe | 97 | 3
PID 5104 wrote to memory of 4560 | 5104 | cmd.exe | 98 | 3
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe"
  PID: 1548
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe
    PID: 1112
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 3564
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 724
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe:*:Enabled:Windows Messanger" /f
      PID: 4300
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e4addec5ae8395a4a2f0f54e8a8874.exe:*:Enabled:Windows Messanger" /f
        PID: 4044
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 3136
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 3928
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ziao.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ziao.exe:*:Enabled:Windows Messanger" /f
      PID: 5104
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ziao.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ziao.exe:*:Enabled:Windows Messanger" /f
        PID: 4560
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key