Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/03/2025, 11:06
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe
  Resource: win10v2004-20250217-en
General
Target: JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe
Size: 520KB
MD5: 58adf2b14a157ee7a5b5a89c077ed551
SHA1: 446ed64d9b9bcd5050e95e3af444f989357cfed7
SHA256: 241ce822127c929fa0b9e8a06248a708a8d67511da06ead372216cc5768f4d73
SHA512: 7b61702509774b84e18cd14d614a6772bcfaede95a2cf0aa15e4f1bfe91925ba81242eceeeebbd2141253062c4ae0475a221696d98f2924a130872e86864467b
SSDEEP: 12288:jgxBjGAPubtjL0j8s63H2apT3sdBV8ocQxHmvVVVVVVVVVVVVVVVVVVVVVVVVVV+:jgHCF90q2ayP66
Malware Config
Signatures
Blackshades
Blackshades is a remote access trojan with various capabilities.
Blackshades family
Blackshades payload 16 IoCs
resource | yara_rule
behavioral2/memory/1836-16-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/1836-20-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/1836-26-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/1836-29-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/1836-30-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/1836-38-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/1836-41-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/1836-44-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/1836-48-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/1836-51-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/1836-54-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/1836-57-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/1836-61-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/1836-64-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/1836-68-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
behavioral2/memory/1836-71-0x0000000000400000-0x000000000045A000-memory.dmp | family_blackshades
Modifies firewall policy service 3 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\CXZRDLVMGF.exe = "C:\\Users\\Admin\\AppData\\Roaming\\CXZRDLVMGF.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Drops startup file 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe
Executes dropped EXE 1 IoCs
pid | Process
1836 | winlogon.exe
Loads dropped DLL 4 IoCs
pid | Process
4564 | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe
4564 | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe
4564 | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe
4564 | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4564 set thread context of 1836 | 4564 | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe | 88
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry key 1 TTPs 4 IoCs
pid | Process
872 | reg.exe
1688 | reg.exe
3392 | reg.exe
5076 | reg.exe
Suspicious use of AdjustPrivilegeToken 36 IoCs
description | pid | Process
Token: 1 | 1836 | winlogon.exe
Token: SeCreateTokenPrivilege | 1836 | winlogon.exe
Token: SeAssignPrimaryTokenPrivilege | 1836 | winlogon.exe
Token: SeLockMemoryPrivilege | 1836 | winlogon.exe
Token: SeIncreaseQuotaPrivilege | 1836 | winlogon.exe
Token: SeMachineAccountPrivilege | 1836 | winlogon.exe
Token: SeTcbPrivilege | 1836 | winlogon.exe
Token: SeSecurityPrivilege | 1836 | winlogon.exe
Token: SeTakeOwnershipPrivilege | 1836 | winlogon.exe
Token: SeLoadDriverPrivilege | 1836 | winlogon.exe
Token: SeSystemProfilePrivilege | 1836 | winlogon.exe
Token: SeSystemtimePrivilege | 1836 | winlogon.exe
Token: SeProfSingleProcessPrivilege | 1836 | winlogon.exe
Token: SeIncBasePriorityPrivilege | 1836 | winlogon.exe
Token: SeCreatePagefilePrivilege | 1836 | winlogon.exe
Token: SeCreatePermanentPrivilege | 1836 | winlogon.exe
Token: SeBackupPrivilege | 1836 | winlogon.exe
Token: SeRestorePrivilege | 1836 | winlogon.exe
Token: SeShutdownPrivilege | 1836 | winlogon.exe
Token: SeDebugPrivilege | 1836 | winlogon.exe
Token: SeAuditPrivilege | 1836 | winlogon.exe
Token: SeSystemEnvironmentPrivilege | 1836 | winlogon.exe
Token: SeChangeNotifyPrivilege | 1836 | winlogon.exe
Token: SeRemoteShutdownPrivilege | 1836 | winlogon.exe
Token: SeUndockPrivilege | 1836 | winlogon.exe
Token: SeSyncAgentPrivilege | 1836 | winlogon.exe
Token: SeEnableDelegationPrivilege | 1836 | winlogon.exe
Token: SeManageVolumePrivilege | 1836 | winlogon.exe
Token: SeImpersonatePrivilege | 1836 | winlogon.exe
Token: SeCreateGlobalPrivilege | 1836 | winlogon.exe
Token: 31 | 1836 | winlogon.exe
Token: 32 | 1836 | winlogon.exe
Token: 33 | 1836 | winlogon.exe
Token: 34 | 1836 | winlogon.exe
Token: 35 | 1836 | winlogon.exe
Token: SeDebugPrivilege | 1836 | winlogon.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
1836 | winlogon.exe
1836 | winlogon.exe
1836 | winlogon.exe
Suspicious use of WriteProcessMemory 32 IoCs
description | pid | Process | procid_target
PID 4564 wrote to memory of 1836 | 4564 | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe | 88
PID 4564 wrote to memory of 1836 | 4564 | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe | 88
PID 4564 wrote to memory of 1836 | 4564 | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe | 88
PID 4564 wrote to memory of 1836 | 4564 | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe | 88
PID 4564 wrote to memory of 1836 | 4564 | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe | 88
PID 4564 wrote to memory of 1836 | 4564 | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe | 88
PID 4564 wrote to memory of 1836 | 4564 | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe | 88
PID 4564 wrote to memory of 1836 | 4564 | JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe | 88
PID 1836 wrote to memory of 4004 | 1836 | winlogon.exe | 89
PID 1836 wrote to memory of 4004 | 1836 | winlogon.exe | 89
PID 1836 wrote to memory of 4004 | 1836 | winlogon.exe | 89
PID 1836 wrote to memory of 4988 | 1836 | winlogon.exe | 90
PID 1836 wrote to memory of 4988 | 1836 | winlogon.exe | 90
PID 1836 wrote to memory of 4988 | 1836 | winlogon.exe | 90
PID 1836 wrote to memory of 4660 | 1836 | winlogon.exe | 91
PID 1836 wrote to memory of 4660 | 1836 | winlogon.exe | 91
PID 1836 wrote to memory of 4660 | 1836 | winlogon.exe | 91
PID 1836 wrote to memory of 1228 | 1836 | winlogon.exe | 92
PID 1836 wrote to memory of 1228 | 1836 | winlogon.exe | 92
PID 1836 wrote to memory of 1228 | 1836 | winlogon.exe | 92
PID 4004 wrote to memory of 1688 | 4004 | cmd.exe | 97
PID 4004 wrote to memory of 1688 | 4004 | cmd.exe | 97
PID 4004 wrote to memory of 1688 | 4004 | cmd.exe | 97
PID 1228 wrote to memory of 3392 | 1228 | cmd.exe | 98
PID 1228 wrote to memory of 3392 | 1228 | cmd.exe | 98
PID 1228 wrote to memory of 3392 | 1228 | cmd.exe | 98
PID 4988 wrote to memory of 5076 | 4988 | cmd.exe | 99
PID 4988 wrote to memory of 5076 | 4988 | cmd.exe | 99
PID 4988 wrote to memory of 5076 | 4988 | cmd.exe | 99
PID 4660 wrote to memory of 872 | 4660 | cmd.exe | 100
PID 4660 wrote to memory of 872 | 4660 | cmd.exe | 100
PID 4660 wrote to memory of 872 | 4660 | cmd.exe | 100
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58adf2b14a157ee7a5b5a89c077ed551.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4564
    C:\Users\Admin\AppData\Roaming\winlogon.exe
      Command line: C:\Users\Admin\AppData\Roaming\winlogon.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1836
        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 4004
            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              - Modifies firewall policy service
              - System Location Discovery: System Language Discovery
              - Modifies registry key
              PID: 1688
        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 4988
            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
              - Modifies firewall policy service
              - System Location Discovery: System Language Discovery
              - Modifies registry key
              PID: 5076
        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 4660
            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              - Modifies firewall policy service
              - System Location Discovery: System Language Discovery
              - Modifies registry key
              PID: 872
        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\CXZRDLVMGF.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\CXZRDLVMGF.exe:*:Enabled:Windows Messanger" /f
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 1228
            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\CXZRDLVMGF.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\CXZRDLVMGF.exe:*:Enabled:Windows Messanger" /f
              - Modifies firewall policy service
              - System Location Discovery: System Language Discovery
              - Modifies registry key
              PID: 3392
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 14KB
MD5: 83c8aea2d2e7afa01b0f25d9abc7f390
SHA1: 4f374926246348c508471b032dd4b0739c72b31e
SHA256: 9ad553a84e90331aeba318956669bdb6fb4cd0d5d59eff0a77b813a3ccb02122
SHA512: ae49f0767adffd5df997da3946f6f6136cca2567d5401ef57b1045b88487082664880b1b8fb4f58178e3b30f7b1cd90a621c1b412fff8e048fd2821734c2b080

Filesize: 16KB
MD5: 67a6c1b343c7dbbfb669496d5d31c334
SHA1: 92a924b7e5278d8033dc0395ba366c15e3d853d0
SHA256: e472cbdc13921006e4fd3504e697db5843b55eee59ca20b06489a173f79b6e8b
SHA512: ccc401ebfea3acf3441e93ebe2d27c4b18b617ba88d4577cc3d0bbec30247d8815f9b85647fedde6d71a3e85a4fd073e6b84c8d0e19833e5f2b69726c24d6558