blackshades | 379c236657df94f4b7b43050986c2f8a2a088c3d57c9f3083d856372c9aab273

General

Target

JaffaCakes118_95e34fa0f492ecf553ed7eff7ebbc49d.exe
Size

355KB
MD5

95e34fa0f492ecf553ed7eff7ebbc49d
SHA1

54ae756a8953dc634a1c5c2dc046600ae6b9198a
SHA256

379c236657df94f4b7b43050986c2f8a2a088c3d57c9f3083d856372c9aab273
SHA512

6881d40be60c075e9b0530fe42a13e1523bd177f5eaaf9c9d7868985f23bf132f006c37f7ad8d3b7aa65644c2991f9d33cc036344a8fb40369b9f070b33b3fea
SSDEEP

6144:TU7DRHFiJ/mDE1P9XCHrCh4NX/jsF65P6AlV/5/pdSOwb3j19PMB:o7DVu/mDELXCHrCh4xwF65P6AlVR/pc+

Score

10^/10

blackshades discovery rat upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 3 IoCs

resource	yara_rule
behavioral1/memory/1976-20-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral1/memory/1976-25-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral1/memory/1976-24-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades

Loads dropped DLL 1 IoCs

pid	Process
1284	JaffaCakes118_95e34fa0f492ecf553ed7eff7ebbc49d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1284 set thread context of 1976	1284	JaffaCakes118_95e34fa0f492ecf553ed7eff7ebbc49d.exe	30

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1976-10-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1976-15-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1976-20-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1976-25-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1976-24-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1976-18-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1976-12-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1976-37-0x0000000000400000-0x000000000047B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95e34fa0f492ecf553ed7eff7ebbc49d.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2320	RSPinGenerator.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1976	1284	JaffaCakes118_95e34fa0f492ecf553ed7eff7ebbc49d.exe	30
PID 1284 wrote to memory of 1976	1284	JaffaCakes118_95e34fa0f492ecf553ed7eff7ebbc49d.exe	30
PID 1284 wrote to memory of 1976	1284	JaffaCakes118_95e34fa0f492ecf553ed7eff7ebbc49d.exe	30
PID 1284 wrote to memory of 1976	1284	JaffaCakes118_95e34fa0f492ecf553ed7eff7ebbc49d.exe	30
PID 1284 wrote to memory of 1976	1284	JaffaCakes118_95e34fa0f492ecf553ed7eff7ebbc49d.exe	30
PID 1284 wrote to memory of 1976	1284	JaffaCakes118_95e34fa0f492ecf553ed7eff7ebbc49d.exe	30
PID 1284 wrote to memory of 1976	1284	JaffaCakes118_95e34fa0f492ecf553ed7eff7ebbc49d.exe	30
PID 1284 wrote to memory of 1976	1284	JaffaCakes118_95e34fa0f492ecf553ed7eff7ebbc49d.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95e34fa0f492ecf553ed7eff7ebbc49d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95e34fa0f492ecf553ed7eff7ebbc49d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
    3⤵
    PID:2756
- C:\Users\Admin\AppData\Local\Temp\RSPinGenerator.exe
  "C:\Users\Admin\AppData\Local\Temp\RSPinGenerator.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RSPinGenerator.exe

Filesize
34KB

MD5
7561bc2a2877ce2848d805d4b31fffb9

SHA1
de8cbc7778e62651e487dfc6a9ae5634b55ad13c

SHA256
d24e2ce5367fcf2b82b3eec2acc0875b07215db00aaaa0d6dc9b0a4c0dc3809e

SHA512
3120aaafcc9d0dc01ecd7e2fc7d33ef7bfdf1efb3bf3080c1d6a494aa3d95b0692f36e40aad087aab96721853cd1829f2ffcd66b905faf580b953fcfbf45d02b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/1284-0-0x00000000748C1000-0x00000000748C2000-memory.dmp

Filesize
4KB

Download
memory/1284-1-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/1284-2-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/1284-3-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-20-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1976-15-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1976-10-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1976-25-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1976-24-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1976-18-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1976-12-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1976-8-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1976-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1976-37-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing