Analysis
max time kernel: 149s
max time network: 143s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06/03/2025, 18:14
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_57449e4ec51e0e580ea3fd9373e5b993.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_57449e4ec51e0e580ea3fd9373e5b993.exe
  Resource: win10v2004-20250217-en
(All signatures and process data below come from behavioral1, the Windows 7 x64 run; no behavioral2 results are shown on this page.)
General
Target: JaffaCakes118_57449e4ec51e0e580ea3fd9373e5b993.exe
Size: 828KB
MD5: 57449e4ec51e0e580ea3fd9373e5b993
SHA1: b7c7174467a77b06f3a52d24129c14327d01a272
SHA256: b0b7826222f2111b2eff65ac0340d27d9e8ce4bafa0556dea43bc51f3d4a53c0
SHA512: 5f418cf9760c3f6cb36670a47c6270d8c4e2570b05b0c8ef51cb09dd43ec8cac66f2de9b7cd8caf4bcb06af5785abf034faad183153b5442882c99541c928560
SSDEEP: 12288:jcNaZqYtGuiMsUprCMj3QEZcQTScEirp5NzSZALU:jcNatCMsUprC3QTj5tU
Malware Config
Signatures
Blackshades
Blackshades is a commodity remote access trojan (remote control, keylogging, webcam and file access, DDoS) that was sold openly until the 2014 law-enforcement takedown of its distributors.
Blackshades family
Blackshades payload 16 IoCs
All 16 YARA hits are on the same mapped image region (0x0000000000400000-0x0000000000470000) of PID 1592 (gpvjaymn.exe), dumped at 16 successive snapshots; i.e. the RAT body lives in the hollowed dropped process, not in the original sample's own image.
resource                                                                      yara_rule
behavioral1/memory/1592-12-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
behavioral1/memory/1592-15-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
behavioral1/memory/1592-24-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
behavioral1/memory/1592-25-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
behavioral1/memory/1592-28-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
behavioral1/memory/1592-29-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
behavioral1/memory/1592-31-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
behavioral1/memory/1592-33-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
behavioral1/memory/1592-34-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
behavioral1/memory/1592-35-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
behavioral1/memory/1592-36-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
behavioral1/memory/1592-38-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
behavioral1/memory/1592-39-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
behavioral1/memory/1592-43-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
behavioral1/memory/1592-46-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
behavioral1/memory/1592-47-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
Modifies firewall policy service 3 TTPs 8 IoCs
The sample does not disable the Windows Firewall; it sets DoNotAllowExceptions to 0 so the StandardProfile allow-list is honoured, then authorises two executables under the display name "Windows Messanger" (misspelling as in the sample): the dropped gpvjaymn.exe and C:\Users\Admin\AppData\Roaming\flash.exe. The registry paths below are the resolved ControlSet001 form of the CurrentControlSet paths in the reg.exe command lines. Each change appears twice because it is issued by two separate cmd.exe / reg.exe chains.
description      ioc                                                                                                                          Process
Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List  reg.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  reg.exe
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\gpvjaymn.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpvjaymn.exe:*:Enabled:Windows Messanger"  reg.exe
Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  reg.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  reg.exe
Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List  reg.exe
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\flash.exe = "C:\\Users\\Admin\\AppData\\Roaming\\flash.exe:*:Enabled:Windows Messanger"  reg.exe
Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  reg.exe
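A detection for this firewall-policy tampering, written as an added example (it is not part of the sandbox report and not the sample's code). It parses REG ADD command lines the way process-creation telemetry records them and flags the two things the sample does: setting DoNotAllowExceptions to 0 and authorising an executable that lives in a user-writable directory under a display name that imitates a Windows component. The event list is constructed from the process tree on this page; pids 9001 and 9002 are hypothetical benign lines added to show what is not flagged. The regexes, finding names and the list of "user-writable" directories are this example's own choices.

```python
"""Flag Windows Firewall policy tampering via REG ADD command lines.

Added example, not from the sandbox report. Command lines are matched in the
CurrentControlSet form the sample typed; the IoC table shows the resolved
ControlSet001 keys, so a registry-event source must match on either form.
"""
import re

# "cmd /c REG ADD <key> ..." or "REG ADD <key> ...", optionally with full image paths
_HEAD = re.compile(
    r'^\s*(?:"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/c\s+)?'
    r'"?(?:[^"\s]*\\)?reg(?:\.exe)?"?\s+add\s+(?P<key>"[^"]+"|\S+)',
    re.IGNORECASE,
)
# /v name, /t type, /d data, /f ... with quoted or bare arguments (no '/' inside quoted data)
_SWITCH = re.compile(r'/(?P<sw>[a-z])\b(?:\s+(?:"(?P<q>[^"]*)"|(?P<u>[^/"\s]\S*)))?', re.IGNORECASE)

_FIREWALL_POLICY = re.compile(r"\\SharedAccess\\Parameters\\FirewallPolicy\\", re.IGNORECASE)
_AUTHORIZED_LIST = re.compile(r"\\AuthorizedApplications\\List$", re.IGNORECASE)
# directories a non-admin user can write to (assumption: this list is illustrative)
_USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.IGNORECASE)
_TRUSTED_DIR = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.IGNORECASE)


def parse_reg_add(cmdline):
    """Return {'key': ..., 'v': ..., 't': ..., 'd': ...} for a REG ADD command line, else None."""
    m = _HEAD.match(cmdline)
    if not m:
        return None
    parsed = {"key": m.group("key").strip('"')}
    for sw in _SWITCH.finditer(cmdline[m.end():]):
        parsed[sw.group("sw").lower()] = sw.group("q") if sw.group("q") is not None else (sw.group("u") or "")
    return parsed


def assess(cmdline):
    """List the findings for one command line (empty when nothing under FirewallPolicy is suspicious)."""
    p = parse_reg_add(cmdline)
    if p is None or not _FIREWALL_POLICY.search(p["key"]):
        return []
    name, data = p.get("v", ""), p.get("d", "")
    findings = []
    # DoNotAllowExceptions=0 makes the profile honour its allow-list (exceptions) again
    if name.lower() == "donotallowexceptions" and data == "0":
        findings.append("firewall_exceptions_enabled")
    if name.lower() == "enablefirewall" and data == "0":
        findings.append("firewall_disabled")
    if _AUTHORIZED_LIST.search(p["key"]):
        # value name is the authorised executable; data is "<path>:<scope>:<Enabled|Disabled>:<display name>"
        if _USER_WRITABLE.search(name):
            findings.append("authorized_app_in_user_writable_path")
        display = data.rsplit(":", 1)[-1]
        if re.match(r"(windows|microsoft)\b", display, re.IGNORECASE) and not _TRUSTED_DIR.match(name):
            findings.append("authorized_app_impersonates_windows_component")
    return findings


def scan(events):
    """Map pid -> findings for every (pid, command line) event that produced a finding."""
    result = {}
    for pid, cmd in events:
        f = assess(cmd)
        if f:
            result[pid] = f
    return result


SAMPLE_EVENTS = [  # constructed from the report's process tree; 9001/9002 are hypothetical benign lines
    (2072, r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f'),
    (2644, r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f'),
    (2760, r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\gpvjaymn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\gpvjaymn.exe:*:Enabled:Windows Messanger" /f'),
    (2340, r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\flash.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\flash.exe:*:Enabled:Windows Messanger" /f'),
    (9001, r'REG ADD HKLM\Software\Contoso\Agent /v Interval /t REG_DWORD /d 60 /f'),
    (9002, r'REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List" /v "C:\Program Files\Vendor\agent.exe" /t REG_SZ /d "C:\Program Files\Vendor\agent.exe:*:Enabled:Vendor Agent" /f'),
]

if __name__ == "__main__":
    for pid, findings in sorted(scan(SAMPLE_EVENTS).items()):
        print(pid, findings)
```

Command-line matching only sees changes made through reg.exe (as this sample does); malware that calls the registry API directly would need a registry-event source such as Sysmon Event ID 13 on the FirewallPolicy keys, where the key appears in its ControlSet001 form.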
Executes dropped EXE 1 IoCs
pid   Process
1592  gpvjaymn.exe
Loads dropped DLL 1 IoCs
pid   Process
1628  JaffaCakes118_57449e4ec51e0e580ea3fd9373e5b993.exe
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process                                              procid_target
PID 1628 set thread context of 1592  1628  JaffaCakes118_57449e4ec51e0e580ea3fd9373e5b993.exe  30
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The same key is also opened by the cmd.exe and reg.exe instances the sample launches, so on its own this signature carries little weight.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe (4 entries), cmd.exe (4 entries), JaffaCakes118_57449e4ec51e0e580ea3fd9373e5b993.exe, gpvjaymn.exe
Modifies registry key 1 TTPs 4 IoCs
pid   Process
2340  reg.exe
2492  reg.exe
2644  reg.exe
2760  reg.exe
Suspicious use of AdjustPrivilegeToken 36 IoCs
All 36 entries are for pid 1592 (gpvjaymn.exe). Tokens in the order recorded: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege.
The numeric entries are privilege LUIDs the sandbox could not name; the sequence is every privilege LUID from 1 to 35 adjusted in turn (a loop that tries to enable all privileges), followed by an explicit SeDebugPrivilege request.
Suspicious use of SetWindowsHookEx 3 IoCs
pid   Process
1592  gpvjaymn.exe (3 entries)
Suspicious use of WriteProcessMemory 40 IoCs
Grouped by source -> target; each write is a separate IoC in the report (procid_target in parentheses):
  PID 1628 JaffaCakes118_57449e4ec51e0e580ea3fd9373e5b993.exe -> 1592 gpvjaymn.exe (30): 8 writes
  PID 1592 gpvjaymn.exe -> 2072 cmd.exe (31): 4 writes
  PID 1592 gpvjaymn.exe -> 2508 cmd.exe (32): 4 writes
  PID 1592 gpvjaymn.exe -> 2740 cmd.exe (34): 4 writes
  PID 1592 gpvjaymn.exe -> 2780 cmd.exe (36): 4 writes
  PID 2508 cmd.exe -> 2760 reg.exe (39): 4 writes
  PID 2072 cmd.exe -> 2644 reg.exe (40): 4 writes
  PID 2740 cmd.exe -> 2492 reg.exe (41): 4 writes
  PID 2780 cmd.exe -> 2340 reg.exe (42): 4 writes
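The SetThreadContext entry (1628 -> 1592) and the WriteProcessMemory entries above together describe process hollowing: the sample starts its dropped gpvjaymn.exe, overwrites the child's memory with the Blackshades image (the 0x400000-0x470000 region the YARA rule hits) and redirects the main thread. The correlation below is an added example, not part of the report: it turns a stream of sandbox API events into a per-pair verdict. The event list is constructed from the entries above; the assumption that four writes per parent->child creation is the normal baseline is taken from the cmd.exe -> reg.exe pairs in this report and will differ on other OS versions and sandboxes.

```python
"""Correlate sandbox API events into a process-hollowing verdict.

Added example, not from the sandbox report. A source that both writes into a
child more than the creation baseline and sets the child's thread context is
judged to be hollowing it; either signal alone is only "suspicious".
"""
from collections import defaultdict

# assumption: writes observed per ordinary parent->child creation in this report (cmd.exe -> reg.exe)
BASELINE_WRITES = 4

SAMPLE_IMAGE = "JaffaCakes118_57449e4ec51e0e580ea3fd9373e5b993.exe"
# (api, source_pid, source_image, target_pid, target_image); constructed from the report's entries
EVENTS = (
    [("SetThreadContext", 1628, SAMPLE_IMAGE, 1592, "gpvjaymn.exe")]
    + [("WriteProcessMemory", 1628, SAMPLE_IMAGE, 1592, "gpvjaymn.exe")] * 8
    + [("WriteProcessMemory", 1592, "gpvjaymn.exe", 2072, "cmd.exe")] * 4
    + [("WriteProcessMemory", 1592, "gpvjaymn.exe", 2508, "cmd.exe")] * 4
    + [("WriteProcessMemory", 2072, "cmd.exe", 2644, "reg.exe")] * 4
    + [("WriteProcessMemory", 2508, "cmd.exe", 2760, "reg.exe")] * 4
)
# "Executes dropped EXE": gpvjaymn.exe was written to disk by the sample before being started
DROPPED_PIDS = {1592}


def correlate(events, dropped_pids=frozenset()):
    """Return {(src_pid, dst_pid): {writes, set_context, images, reasons, verdict}}."""
    pairs = defaultdict(lambda: {"writes": 0, "set_context": False, "images": None})
    for api, src, src_img, dst, dst_img in events:
        s = pairs[(src, dst)]
        s["images"] = (src_img, dst_img)
        if api == "WriteProcessMemory":
            s["writes"] += 1
        elif api == "SetThreadContext":
            s["set_context"] = True
    for (src, dst), s in pairs.items():
        reasons = []
        if s["set_context"]:
            reasons.append("set_thread_context_on_other_process")
        if s["writes"] > BASELINE_WRITES:
            reasons.append(f"{s['writes']} writes exceed creation baseline of {BASELINE_WRITES}")
        if dst in dropped_pids and s["set_context"]:
            reasons.append("target_is_a_dropped_executable")
        if s["set_context"] and s["writes"] > BASELINE_WRITES:
            s["verdict"] = "process_hollowing"
        elif reasons:
            s["verdict"] = "suspicious"
        else:
            s["verdict"] = "benign"
        s["reasons"] = reasons
    return dict(pairs)


def hollowed_targets(events, dropped_pids=frozenset()):
    """Sorted (src_pid, dst_pid) pairs judged to be process hollowing."""
    return sorted(k for k, s in correlate(events, dropped_pids).items() if s["verdict"] == "process_hollowing")


if __name__ == "__main__":
    for (src, dst), s in sorted(correlate(EVENTS, DROPPED_PIDS).items()):
        print(f"{src} -> {dst} {s['images']}: {s['verdict']} {s['reasons']}")
```

On a live endpoint the same logic needs an event source that records cross-process writes and thread-context changes (the report's sandbox hooks; on Windows, an EDR or ETW-based sensor rather than Sysmon, which does not log WriteProcessMemory). A ResumeThread on the target after the context change would strengthen the verdict but is not among the events this report records.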
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57449e4ec51e0e580ea3fd9373e5b993.exe  (PID 1628, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57449e4ec51e0e580ea3fd9373e5b993.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\gpvjaymn.exe  (PID 1592, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\gpvjaymn.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 2072, depth 3)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe  (PID 2644, depth 4)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe  (PID 2508, depth 3)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\gpvjaymn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\gpvjaymn.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe  (PID 2760, depth 4)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\gpvjaymn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\gpvjaymn.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe  (PID 2740, depth 3)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe  (PID 2492, depth 4)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe  (PID 2780, depth 3)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\flash.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\flash.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe  (PID 2340, depth 4)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\flash.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\flash.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.1MB
MD5: 34aa912defa18c2c129f1e09d75c1d7e
SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98