Analysis

- max time kernel: 148s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 07/03/2025, 11:06
Static task: static1

Behavioral task: behavioral1
- Sample: JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe
- Resource: win10v2004-20250217-en
General

- Target: JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe
- Size: 520KB
- MD5: 58adf2b14a157ee7a5b5a89c077ed551
- SHA1: 446ed64d9b9bcd5050e95e3af444f989357cfed7
- SHA256: 241ce822127c929fa0b9e8a06248a708a8d67511da06ead372216cc5768f4d73
- SHA512: 7b61702509774b84e18cd14d614a6772bcfaede95a2cf0aa15e4f1bfe91925ba81242eceeeebbd2141253062c4ae0475a221696d98f2924a130872e86864467b
- SSDEEP: 12288:jgxBjGAPubtjL0j8s63H2apT3sdBV8ocQxHmvVVVVVVVVVVVVVVVVVVVVVVVVVV+:jgHCF90q2ayP66
Malware Config
Signatures

- Blackshades
  Blackshades is a remote access trojan with various capabilities.

- Blackshades family

- Blackshades payload (17 IoCs)
  resource | yara_rule
  behavioral1/memory/1872-27-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
  behavioral1/memory/1872-23-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
  behavioral1/memory/1872-37-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
  behavioral1/memory/1872-40-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
  behavioral1/memory/1872-41-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
  behavioral1/memory/1872-45-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
  behavioral1/memory/1872-46-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
  behavioral1/memory/1872-47-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
  behavioral1/memory/1872-49-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
  behavioral1/memory/1872-50-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
  behavioral1/memory/1872-51-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
  behavioral1/memory/1872-53-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
  behavioral1/memory/1872-54-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
  behavioral1/memory/1872-55-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
  behavioral1/memory/1872-57-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
  behavioral1/memory/1872-58-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
  behavioral1/memory/1872-59-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
- Modifies firewall policy service (3 TTPs, 8 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\CXZRDLVMGF.exe = "C:\\Users\\Admin\\AppData\\Roaming\\CXZRDLVMGF.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe

- Drops startup file (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  1872 | winlogon.exe

- Loads dropped DLL (5 IoCs)
  pid | Process
  2520 | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe (5 times)

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2520 set thread context of 1872 | 2520 | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe | 30
- System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe

- Modifies registry key (1 TTP, 4 IoCs)
  pid | Process
  2896 | reg.exe
  1712 | reg.exe
  2972 | reg.exe
  2992 | reg.exe
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  description | pid | Process
  Token: 1 | 1872 | winlogon.exe
  Token: SeCreateTokenPrivilege | 1872 | winlogon.exe
  Token: SeAssignPrimaryTokenPrivilege | 1872 | winlogon.exe
  Token: SeLockMemoryPrivilege | 1872 | winlogon.exe
  Token: SeIncreaseQuotaPrivilege | 1872 | winlogon.exe
  Token: SeMachineAccountPrivilege | 1872 | winlogon.exe
  Token: SeTcbPrivilege | 1872 | winlogon.exe
  Token: SeSecurityPrivilege | 1872 | winlogon.exe
  Token: SeTakeOwnershipPrivilege | 1872 | winlogon.exe
  Token: SeLoadDriverPrivilege | 1872 | winlogon.exe
  Token: SeSystemProfilePrivilege | 1872 | winlogon.exe
  Token: SeSystemtimePrivilege | 1872 | winlogon.exe
  Token: SeProfSingleProcessPrivilege | 1872 | winlogon.exe
  Token: SeIncBasePriorityPrivilege | 1872 | winlogon.exe
  Token: SeCreatePagefilePrivilege | 1872 | winlogon.exe
  Token: SeCreatePermanentPrivilege | 1872 | winlogon.exe
  Token: SeBackupPrivilege | 1872 | winlogon.exe
  Token: SeRestorePrivilege | 1872 | winlogon.exe
  Token: SeShutdownPrivilege | 1872 | winlogon.exe
  Token: SeDebugPrivilege | 1872 | winlogon.exe
  Token: SeAuditPrivilege | 1872 | winlogon.exe
  Token: SeSystemEnvironmentPrivilege | 1872 | winlogon.exe
  Token: SeChangeNotifyPrivilege | 1872 | winlogon.exe
  Token: SeRemoteShutdownPrivilege | 1872 | winlogon.exe
  Token: SeUndockPrivilege | 1872 | winlogon.exe
  Token: SeSyncAgentPrivilege | 1872 | winlogon.exe
  Token: SeEnableDelegationPrivilege | 1872 | winlogon.exe
  Token: SeManageVolumePrivilege | 1872 | winlogon.exe
  Token: SeImpersonatePrivilege | 1872 | winlogon.exe
  Token: SeCreateGlobalPrivilege | 1872 | winlogon.exe
  Token: 31 | 1872 | winlogon.exe
  Token: 32 | 1872 | winlogon.exe
  Token: 33 | 1872 | winlogon.exe
  Token: 34 | 1872 | winlogon.exe
  Token: 35 | 1872 | winlogon.exe
  Token: SeDebugPrivilege | 1872 | winlogon.exe

- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  1872 | winlogon.exe (3 times)

- Suspicious use of WriteProcessMemory (40 IoCs)
  description | pid | Process | procid_target
  PID 2520 wrote to memory of 1872 | 2520 | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe | 30 (8 times)
  PID 1872 wrote to memory of 2852 | 1872 | winlogon.exe | 31 (4 times)
  PID 1872 wrote to memory of 2868 | 1872 | winlogon.exe | 32 (4 times)
  PID 1872 wrote to memory of 3020 | 1872 | winlogon.exe | 34 (4 times)
  PID 1872 wrote to memory of 2752 | 1872 | winlogon.exe | 35 (4 times)
  PID 2752 wrote to memory of 2896 | 2752 | cmd.exe | 39 (4 times)
  PID 2852 wrote to memory of 1712 | 2852 | cmd.exe | 40 (4 times)
  PID 2868 wrote to memory of 2972 | 2868 | cmd.exe | 41 (4 times)
  PID 3020 wrote to memory of 2992 | 3020 | cmd.exe | 42 (4 times)
Processes

- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe"
  PID: 2520
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\winlogon.exe
    Command line: C:\Users\Admin\AppData\Roaming\winlogon.exe
    PID: 1872
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 2852
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 1712
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
      PID: 2868
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
        PID: 2972
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 3020
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 2992
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\CXZRDLVMGF.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\CXZRDLVMGF.exe:*:Enabled:Windows Messanger" /f
      PID: 2752
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\CXZRDLVMGF.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\CXZRDLVMGF.exe:*:Enabled:Windows Messanger" /f
        PID: 2896
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 14KB
  MD5: 83c8aea2d2e7afa01b0f25d9abc7f390
  SHA1: 4f374926246348c508471b032dd4b0739c72b31e
  SHA256: 9ad553a84e90331aeba318956669bdb6fb4cd0d5d59eff0a77b813a3ccb02122
  SHA512: ae49f0767adffd5df997da3946f6f6136cca2567d5401ef57b1045b88487082664880b1b8fb4f58178e3b30f7b1cd90a621c1b412fff8e048fd2821734c2b080

- Filesize: 16KB
  MD5: 67a6c1b343c7dbbfb669496d5d31c334
  SHA1: 92a924b7e5278d8033dc0395ba366c15e3d853d0
  SHA256: e472cbdc13921006e4fd3504e697db5843b55eee59ca20b06489a173f79b6e8b
  SHA512: ccc401ebfea3acf3441e93ebe2d27c4b18b617ba88d4577cc3d0bbec30247d8815f9b85647fedde6d71a3e85a4fd073e6b84c8d0e19833e5f2b69726c24d6558