General

  • Target

    JaffaCakes118_5edb3230658eebe0f2f5c789c66da733

  • Size

    476KB

  • Sample

    250310-nktnkaspy7

  • MD5

    5edb3230658eebe0f2f5c789c66da733

  • SHA1

    468781275f28f369a177ce6455cf09dfbe0523ff

  • SHA256

    0113ceeef346cafc21c8eea37061f3ef379c73256b61834253bd40c2bd377ca1

  • SHA512

    8c7c816e3804342be788eb28b9c8668b5a2cb2782b78f400bc7ac1e07b082f1c74b8900554a9471f1759d81fe3cb5ce2e3c57edfa05e92d308b7759f1271e17b

  • SSDEEP

    12288:0dyzj0ChxffnblzxtfCJziSJKobiOFIIhII:0qh7/xzxtCzF

Malware Config

Targets

    • Blackshades

      Blackshades is a remote access trojan with various capabilities.

    • Blackshades family

    • Blackshades payload

    • Modifies firewall policy service

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks