blackshades | fc7d586e78034884dc0f040932991fe2fde15146a3b92c7ad27f3b48e96da5a2

Analysis

max time kernel
103s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9d10221f075caefcbcdc4c76de70faa5.exe
Size

4.2MB
MD5

9d10221f075caefcbcdc4c76de70faa5
SHA1

2ae712f970d7ed27670cfb810ac4327c86e6ac14
SHA256

fc7d586e78034884dc0f040932991fe2fde15146a3b92c7ad27f3b48e96da5a2
SHA512

cad567c39ed4da439d23b288ef4fc9f251ef12a47213c8d7452d82db32852e3a600e510e550b7c80618172019cad73c44e7cf3d6ade60774a96a4d3238b59451
SSDEEP

49152:pmccZDNLHQrcvDpKmntqii36tN4p92qQfN6uSz+uZjWxPyJlnNwydgfjNNGVdKbc:D5rcvB66tyaNBS3CyPpmQsfawYTbpZR

Score

10^/10

blackshades discovery rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 2 IoCs

resource	yara_rule
behavioral1/memory/1680-3-0x0000000000400000-0x0000000000FD4000-memory.dmp	family_blackshades
behavioral1/memory/1680-4-0x0000000000400000-0x0000000000FD4000-memory.dmp	family_blackshades

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1680	JaffaCakes118_9d10221f075caefcbcdc4c76de70faa5.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9d10221f075caefcbcdc4c76de70faa5.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1680	JaffaCakes118_9d10221f075caefcbcdc4c76de70faa5.exe
1680	JaffaCakes118_9d10221f075caefcbcdc4c76de70faa5.exe
1680	JaffaCakes118_9d10221f075caefcbcdc4c76de70faa5.exe
1680	JaffaCakes118_9d10221f075caefcbcdc4c76de70faa5.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d10221f075caefcbcdc4c76de70faa5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d10221f075caefcbcdc4c76de70faa5.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1680-0-0x0000000000400000-0x0000000000FD4000-memory.dmp

Filesize
11.8MB

Download
memory/1680-1-0x00000000008C5000-0x00000000008CF000-memory.dmp

Filesize
40KB

Download
memory/1680-2-0x0000000077AE0000-0x0000000077AE1000-memory.dmp

Filesize
4KB

Download
memory/1680-3-0x0000000000400000-0x0000000000FD4000-memory.dmp

Filesize
11.8MB

Download
memory/1680-4-0x0000000000400000-0x0000000000FD4000-memory.dmp

Filesize
11.8MB

Download