Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...fd.exe

windows7-x64

10

JaffaCakes...fd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10/03/2025, 04:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_5d020f63e6132f6cc5d648c1320b35fd.exe

  • Size

    232KB

  • MD5

    5d020f63e6132f6cc5d648c1320b35fd

  • SHA1

    ab94a4264221665fcd4838a5025f39bdd3983ab6

  • SHA256

    9218caaf75357ca9de019d2992d1cfa4434f7fc5b5a31c6d1994246cc1260acd

  • SHA512

    d8e1ff5a43a465127e40576e94e07634732cd53d876642474d42949aa358de9b37b554ae5828b8f6e6c30fb17c7dfdcec2528a2d2781bbaea782c7560c84f9e5

  • SSDEEP

    3072:uFizYn1ySqkABILn38irWzR0wvJB0vDSZF9fqwRlpfK/88CjaIIPjW5niFx5qWY:qQFq8oe+wvL0vqKwRHK6+ImjF

Score
10/10
blackshadesdefense_evasiondiscoverypersistenceratupx

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

    ratblackshades
  • Blackshades family
    blackshades
  • Blackshades payload 19 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
    defense_evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d020f63e6132f6cc5d648c1320b35fd.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d020f63e6132f6cc5d648c1320b35fd.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:264
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ji8tzeag.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD02C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD02B.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2096
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Adds policy Run key to start application
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2360
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2024
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2664
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\WinDefender.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WinDefender.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\WinDefender.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WinDefender.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1728

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESD02C.tmp
    Filesize

    1KB

    MD5

    057fee693f9f55bb491e8510a6ef11c1

    SHA1

    780ab33317b811db5e0741609e4b2281773bfd40

    SHA256

    983e5cb3c1a3b2cbf017d51997e84a1840a1befc3afb701ffb08ce0bdb7302b9

    SHA512

    63778cf18f45efe4fa6b6361883d5ed021c273b51a5a15d9b0c8f9ed149e4c9f0c477bccb3e28f95b9915e28b89e673671e35842c7998b3fc521343aa41c08f1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ji8tzeag.dll
    Filesize

    5KB

    MD5

    28a84b8d6fdfdf1170b4e4f6071e36d8

    SHA1

    f7f3d633fafbca70354603dc84b6fb9306744ab6

    SHA256

    22648a2705f93315b0114d71642e5aaca6ebc0e753c64043547364f111dbc107

    SHA512

    003e98b11d19dd191fa9988d094efebe6875744be9302718d63e3ede8eabc87743e74955d35f5a3961629a731f2f2954a8038495b71fde30f703c7e8b32fc74c

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCD02B.tmp
    Filesize

    652B

    MD5

    6b49c3cb69895f54909c9431c871c9b4

    SHA1

    c526e2050d0fedbbf5e539e877090f029be6d1f3

    SHA256

    619adb71368ed40099999f7c36eba0134a867f7b013491c177ded65e2320e1ec

    SHA512

    4e29fd8d7a11aafe450f2091a5e41a171285582c7674b98d6d86f35bb9b7015addb482a36a45bc2827081eeed58eea21c28d0f7c06df6168c5283f3149076039

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\ji8tzeag.0.cs
    Filesize

    4KB

    MD5

    2216d197bc442e875016eba15c07a937

    SHA1

    37528e21ea3271b85d276c6bd003e6c60c81545d

    SHA256

    2e9e3da7bfa1334706550bb4d6269bf3e64cbbc09fa349af52eb22f32aebb4af

    SHA512

    7d7bdc3bf83ac0a29e917ead899dcaa1b47ee2660f405fe4883ca2a2546f7924265e1d75a2ea02c0e34fac4d2bb82bbaaa88d06c240afad4e9fd49337cd04d3f

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\ji8tzeag.cmdline
    Filesize

    206B

    MD5

    582a4f57db804877096ea51b130254e4

    SHA1

    cd2ca36ed918fffe1387c87b21159cde8184a9b1

    SHA256

    567d83eb8d5ce0d033e1671d399ed8d478418850cabf1f48157dbf11d12ed4ec

    SHA512

    48daa5863e6b01c499a6510a536ba0ab98ac614f2378abd12da19e1f71008f034897aacede18b538766aee5d1aea63cf76d98cbc151c51cef81e606039e0e946

    Download Submit

  • \Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    12KB

    MD5

    bb5b2961567e68995464801d3bb2a964

    SHA1

    5d82ae2b8d24208418bfb09cbb3074c056e790dc

    SHA256

    a2d3d892c68a84208a9887cb34ecae820e59c4aa25c22db5c23379df344df004

    SHA512

    050550640a7bf2b65b3cd537f252b64465ec451555ff1831a9d799922e8c3382e83a52bc46015c5ed1ac79ebb233616f72aa8ed72f01e8be578ca383a304ff7a

    Download Submit

  • memory/264-0-0x0000000074EE1000-0x0000000074EE2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/264-1-0x0000000074EE0000-0x000000007548B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/264-2-0x0000000074EE0000-0x000000007548B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/264-50-0x0000000074EE0000-0x000000007548B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/264-49-0x0000000074EE0000-0x000000007548B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2296-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2296-58-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-45-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-42-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-38-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-37-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-36-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-33-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-27-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-25-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-29-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-46-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-70-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-69-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-51-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-52-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-54-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-56-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-57-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-44-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-60-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-61-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-62-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-66-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2296-68-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2936-9-0x0000000074EE0000-0x000000007548B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2936-16-0x0000000074EE0000-0x000000007548B000-memory.dmp

    Filesize

    5.7MB

    Download