Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...35.exe

windows7-x64

10

JaffaCakes...35.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
  • submitted
    11/03/2025, 02:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_62c89b7d49c638c2a90186089fac7f35.exe

  • Size

    3.0MB

  • MD5

    62c89b7d49c638c2a90186089fac7f35

  • SHA1

    eaf5d3510f0e0643b093129e711e00e3044f49c9

  • SHA256

    9f6288cce4bb1e115f6c787896108c8c4565a807ba4f660dcdbb1e5588c063db

  • SHA512

    3ae1d2bc828e1b737567900122d3dda43d4815c3a2d4827aa3d6d46d317a014b10131e68e67cc367b9f37e96e78fe2f5d9d6a885ed1376cffff308e385655f56

  • SSDEEP

    49152:bP8oDKyjpYE6z/A/dmcRdHxNWnHIvVGeFlf+xyiVXiDzG3:llFlfEyi023

Score
10/10
blackshadesdefense_evasiondiscoverypersistenceratspywarestealertrojan

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

    ratblackshades
  • Blackshades family
    blackshades
  • Blackshades payload 12 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
    defense_evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    defense_evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62c89b7d49c638c2a90186089fac7f35.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62c89b7d49c638c2a90186089fac7f35.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Users\Admin\AppData\Roaming\taskmgr.exe
      C:\Users\Admin\AppData\Roaming\taskmgr.exe
      2⤵
      • Adds policy Run key to start application
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2580
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\taskmgr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\taskmgr.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1828
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\taskmgr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\taskmgr.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2572
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2588
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\epicbot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\epicbot.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2052
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\epicbot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\epicbot.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2624
    • C:\Users\Admin\AppData\Roaming\epicbot_520.exe
      "C:\Users\Admin\AppData\Roaming\epicbot_520.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Users\Admin\AppData\Roaming\epicbot_520.exe
        "C:\Users\Admin\AppData\Roaming\epicbot_520.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_233162420" /pproc="JaffaCakes118_62c89b7d49c638c2a90186089fac7f35.exe"
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2736
        • C:\Users\Admin\AppData\LocalLow\cookieman.exe
          "C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read installiq.com
          4⤵
          • Executes dropped EXE
          PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

6
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\cookie.ini
    Filesize

    34B

    MD5

    3f4519b56cb1e006dfe4341e72112913

    SHA1

    0ff5675d359c898b6a6bdc1dff10f71097bc9927

    SHA256

    125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2

    SHA512

    78c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\cookieman.exe
    Filesize

    45KB

    MD5

    e7abfa4ef85624e68a312ac0f8c7ab80

    SHA1

    a6e5d5ce0e18f105b47f3fd3233ca7fc0617cef3

    SHA256

    2a847efb0b92366bc794198254e3fe62ba2da42ff93bec5154879d89385bff4d

    SHA512

    4dfc5e95f88d0241a2a3c3d42b6dc487c78cb185bed0ca559761721fa02e0fec83a5196df36dc5e95d0bc95ffc845a202d05acf5ff26d0a581eff5afe6b5d4e3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pkg_233162420\autorun.txt
    Filesize

    114B

    MD5

    c819368178ce1e40fd55c813340a597a

    SHA1

    81aef3fd883c52de4fe211f3e43f70137cbccdf6

    SHA256

    1334449583ff7823df9ba97e57bed51eaaba21eed4551e25b07794f1d48c3e31

    SHA512

    753ce58ed7b76de63f8d68bf95949dfd772e805d0ab514f2706d72b2d504fb53e9beadaed0d34d933fee4f98d3ea13172c8b3a0e391bcab639c3d70003ec71a7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pkg_233162420\wrapper.xml
    Filesize

    798B

    MD5

    1d45a29e3511b982a1f91b33c70e964f

    SHA1

    176a47b489be3f27dc354a2b9dd0b580bb2f3904

    SHA256

    0a69c29fe16727b18425df8ded1cfe9d07a380b9f23f1beb32f60fefc000b3dc

    SHA512

    c574719f56a9cc0a3c393001f0774a5826afa5972906d9d9d214a183724a9f7226483a7181a0030e0f801b481a19957761efc170a10850aec786623eb939eb69

    Download Submit

  • C:\Users\Admin\AppData\Roaming\epicbot_520.exe
    Filesize

    1.6MB

    MD5

    13c33f8dfba6dce09cba47873cf07d3c

    SHA1

    e9e548a5d17c1290a847845eeb4a49bc53e168d8

    SHA256

    d6b10b87890447f58063be9674be7bb0beb65294c463400ef5c88e3fa9961a65

    SHA512

    32ee4128f79528bf3862daad7ae6d7fde724e7ef3dea673670cf263091f29172871c6381c50828a93dacc6dc321b08571cdeae7cadb433b2476c6e08f56692d3

    Download Submit

  • \Users\Admin\AppData\Roaming\taskmgr.exe
    Filesize

    3KB

    MD5

    cd9f104ea953a4bce8c6383639b1c946

    SHA1

    efbfbdeb0f2e291c3a7746ef5942712e82433942

    SHA256

    966a92ff963438f7d3fcf1f048ad716eb5308d80ac01282f1cc4e24cba98edae

    SHA512

    05063d2b5a53bb1ad0e2505a6add805d4742affa9a02c88b434a2809253eba9012fa981fa71c5cb61a758bbc529877b6465c75b9edcaece2e00a6f69f9e0b6e7

    Download Submit

  • memory/1900-1-0x0000000074660000-0x0000000074C0B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1900-2-0x0000000074660000-0x0000000074C0B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1900-37-0x0000000074660000-0x0000000074C0B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1900-0-0x0000000074661000-0x0000000074662000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2504-13-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2504-104-0x00000000766D0000-0x00000000767E0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2504-31-0x00000000766D0000-0x00000000767E0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2504-34-0x00000000766D0000-0x00000000767E0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2504-28-0x00000000766E8000-0x00000000766E9000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2504-12-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2504-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2504-17-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2504-10-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2504-29-0x00000000766D0000-0x00000000767E0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2504-105-0x00000000766D0000-0x00000000767E0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2504-106-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2504-107-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2504-109-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2504-110-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2504-111-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2504-114-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2504-117-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2504-123-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download