Analysis
-
max time kernel
147s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system -
submitted
15/05/2025, 05:34
Behavioral task
behavioral1
Sample
JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe
Resource
win11-20250502-en
General
-
Target
JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe
-
Size
420KB
-
MD5
045542e9adb32b39adba08d93dd6b071
-
SHA1
0dea99e9cf48c1af198e05f43cf2db9138713574
-
SHA256
bf39e89c584c512c8948a6200b85e66ded15727ad92dcafbea2951278b07fb3f
-
SHA512
e6906614d4bd4ecb6451669016b8fdb14efe9230c337faa5fe1a1a27feba4b5214e40d28ccfa1ed4f61caa3509c2363721abf719fa85f5b8707cf6190142f29f
-
SSDEEP
6144:LK3HTNGVvHI2zBHng5HaVsbZgRnyR4mULJhkHM6jI7H1D7puVSF:u3HcVvo21ga0aQ4HLJhkHM6jI7VD7wc
Malware Config
Extracted
latentbot
alternative.zapto.org
1alternative.zapto.org
2alternative.zapto.org
3alternative.zapto.org
4alternative.zapto.org
5alternative.zapto.org
6alternative.zapto.org
7alternative.zapto.org
8alternative.zapto.org
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 3 IoCs
resource | yara_rule
behavioral1/memory/3456-6-0x0000000075870000-0x0000000075960000-memory.dmp | family_blackshades
behavioral1/files/0x000a00000002408d-9.dat | family_blackshades
behavioral1/memory/3456-14-0x0000000075870000-0x0000000075960000-memory.dmp | family_blackshades
-
Latentbot family
-
Modifies firewall policy service 3 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe:*:Enabled:Windows Messanger" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe:*:Enabled:Windows Messanger" | reg.exe
-
Adds policy Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" | JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8765FD16-99DC-D178-AB7F-A90ECF7C2FB1}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" | JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe
Key created | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{8765FD16-99DC-D178-AB7F-A90ECF7C2FB1} | JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{8765FD16-99DC-D178-AB7F-A90ECF7C2FB1}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" | JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8765FD16-99DC-D178-AB7F-A90ECF7C2FB1} | JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe
-
Executes dropped EXE 1 IoCs
pid | Process
4240 | ZUXMY7FV0B.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" | JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" | JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe (1 event)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe (4 events)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (4 events)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ZUXMY7FV0B.exe (1 event)
-
Modifies registry key 1 TTPs 4 IoCs
pid | Process
3344 | reg.exe
4744 | reg.exe
4276 | reg.exe
548 | reg.exe
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
description | pid | Process
All 36 entries belong to pid 3456, JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe. Tokens requested, in order: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
3456 | JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe (3 events)
4240 | ZUXMY7FV0B.exe (2 events)
-
Suspicious use of WriteProcessMemory 27 IoCs
description | pid | Process | procid_target | times logged
PID 3456 wrote to memory of 1352 | 3456 | JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe | 86 | 3
PID 3456 wrote to memory of 2376 | 3456 | JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe | 87 | 3
PID 3456 wrote to memory of 4800 | 3456 | JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe | 88 | 3
PID 3456 wrote to memory of 2756 | 3456 | JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe | 90 | 3
PID 1352 wrote to memory of 3344 | 1352 | cmd.exe | 97 | 3
PID 2376 wrote to memory of 4744 | 2376 | cmd.exe | 98 | 3
PID 2756 wrote to memory of 4276 | 2756 | cmd.exe | 99 | 3
PID 3168 wrote to memory of 4240 | 3168 | cmd.exe | 100 | 3
PID 4800 wrote to memory of 548 | 4800 | cmd.exe | 101 | 3
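The firewall and autostart signatures above describe one chain: reg.exe sets StandardProfile\DoNotAllowExceptions to 0, adds "Enabled" exceptions for both the sample in %TEMP% and the dropped ZUXMY7FV0B.exe in %APPDATA%, and the sample registers the dropped file under a Run key, the Policies\Explorer\run key and an Active Setup StubPath, each time under the lookalike name "Windows Defender". A caveat a practitioner should keep in mind: StandardProfile\DoNotAllowExceptions and AuthorizedApplications\List are the Windows XP SP2-era firewall policy values; Windows Firewall with Advanced Security (Vista and later) keeps its rules under ...\FirewallPolicy\FirewallRules, so on this Windows 10 target these writes are a loud fingerprint of legacy RAT tooling rather than a demonstrated firewall bypass. The following is an added example, not sandbox output and not part of this report: a small classifier that turns the reg.exe command lines from the process tree and the sample's own registry writes into tagged findings. The field names (Image, TargetObject, Details) are assumed to follow the Sysmon Event ID 13 shape, and the event records are constructed from the IoCs on this page; the "Windows Messanger" spelling is the malware's own string and is kept verbatim.

```python
"""Tag registry writes for the firewall tampering and autostart persistence
recorded in this report.  Added example, not sandbox output.  Field names
(Image, TargetObject, Details) follow the Sysmon Event ID 13 shape; the
events below are constructed from the report's REG ADD command lines and IoCs."""
import re
import shlex
from typing import Dict, List

# Locations an unprivileged user can write to.  A firewall exception or an
# autostart entry pointing here deserves more suspicion than one under
# C:\Windows or C:\Program Files.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)
FIREWALL = re.compile(
    r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\", re.IGNORECASE)
FW_EXCEPTION_LIST = re.compile(r"\\AuthorizedApplications\\List\\", re.IGNORECASE)
RUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Policies\\Explorer\\)?Run\\", re.IGNORECASE)
ACTIVE_SETUP = re.compile(
    r"\\Active Setup\\Installed Components\\\{[0-9A-F-]{36}\}\\StubPath$", re.IGNORECASE)
# Value names that imitate Microsoft components; the report shows "Windows Defender".
LOOKALIKE_NAMES = {"windows defender", "windows messenger", "windows messanger"}
MS_INSTALL_DIRS = re.compile(r"^[A-Z]:\\(Windows|Program Files)", re.IGNORECASE)


def parse_reg_add(cmdline: str) -> Dict[str, str]:
    """Turn 'REG ADD <key> /v <name> /t <type> /d <data> /f', as seen in
    process-creation telemetry, into a SetValue-shaped event."""
    toks = shlex.split(cmdline, posix=False)   # non-POSIX: keep backslashes, honour quotes
    i = [t.upper() for t in toks].index("ADD")
    key = toks[i + 1].strip('"')
    opts: Dict[str, str] = {}
    j = i + 2
    while j < len(toks):
        if toks[j].lower() in ("/v", "/t", "/d") and j + 1 < len(toks):
            opts[toks[j].lower()] = toks[j + 1].strip('"')
            j += 2
        else:
            j += 1
    return {"Image": r"C:\Windows\SysWOW64\reg.exe",
            "TargetObject": key + "\\" + opts.get("/v", ""),
            "Details": opts.get("/d", "")}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the tags one registry SetValue event earns."""
    target, details = event["TargetObject"], event["Details"]
    tags: List[str] = []
    if FIREWALL.search(target):
        # DoNotAllowExceptions=0 makes the exception list effective again.
        if target.lower().endswith("\\donotallowexceptions") and details.strip('"') == "0":
            tags.append("firewall_exceptions_enabled")
        if FW_EXCEPTION_LIST.search(target) and ":enabled:" in details.lower():
            tags.append("firewall_exception_added")
            if USER_WRITABLE.search(details):
                tags.append("firewall_exception_user_writable")
    autostart = None
    if ACTIVE_SETUP.search(target):
        autostart = "active_setup"
    elif RUN_KEY.search(target):
        autostart = "policy_run" if "policies\\explorer" in target.lower() else "run_key"
    if autostart:
        tags.append("autostart_" + autostart)
        if USER_WRITABLE.search(details):
            tags.append("autostart_user_writable")
    value_name = target.rsplit("\\", 1)[-1].lower()
    if value_name in LOOKALIKE_NAMES and not MS_INSTALL_DIRS.match(details):
        tags.append("lookalike_value_name")
    return tags


def chain_detected(events: List[Dict[str, str]]) -> bool:
    """The combination this sample shows: exceptions re-enabled, an exception
    added for a user-writable binary, and a user-writable binary set to autostart."""
    tags = {t for ev in events for t in classify(ev)}
    return {"firewall_exceptions_enabled", "firewall_exception_user_writable",
            "autostart_user_writable"} <= tags


# Constructed from the process tree and signature IoCs in this report.
FW_KEY = r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe"
REG_CMDLINES = [
    f'REG ADD {FW_KEY} /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    f'REG ADD {FW_KEY}\\AuthorizedApplications\\List /v "{SAMPLE}" /t REG_SZ '
    f'/d "{SAMPLE}:*:Enabled:Windows Messanger" /f',
    f'REG ADD {FW_KEY}\\AuthorizedApplications\\List /v "{DROPPED}" /t REG_SZ '
    f'/d "{DROPPED}:*:Enabled:Windows Messanger" /f',
]
# The sample wrote these itself (no reg.exe), so they are given as events directly.
DIRECT_WRITES = [
    {"Image": SAMPLE, "Details": DROPPED, "TargetObject":
     r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender"},
    {"Image": SAMPLE, "Details": DROPPED, "TargetObject":
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender"},
    {"Image": SAMPLE, "Details": DROPPED, "TargetObject":
     r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"
     r"\{8765FD16-99DC-D178-AB7F-A90ECF7C2FB1}\StubPath"},
]
EVENTS = [parse_reg_add(c) for c in REG_CMDLINES] + DIRECT_WRITES

if __name__ == "__main__":
    for ev in EVENTS:
        print(", ".join(classify(ev)) or "-", "<-", ev["TargetObject"])
    print("tampering chain:", chain_detected(EVENTS))
```

The tags are deliberately separate rather than one verdict: a Run key pointing at Program Files is routine, a Run key named "Windows Defender" pointing at %APPDATA% is not, and chain_detected only fires when the firewall tampering and the user-writable autostart both appear, which is the shape of this report rather than of ordinary installer activity.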
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe  [depth 1, PID:3456]
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe"
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\cmd.exe  [depth 2, PID:1352]
       command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       └─ C:\Windows\SysWOW64\reg.exe  [depth 3, PID:3344]
            command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key
  └─ C:\Windows\SysWOW64\cmd.exe  [depth 2, PID:2376]
       command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe:*:Enabled:Windows Messanger" /f
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       └─ C:\Windows\SysWOW64\reg.exe  [depth 3, PID:4744]
            command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe:*:Enabled:Windows Messanger" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key
  └─ C:\Windows\SysWOW64\cmd.exe  [depth 2, PID:4800]
       command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       └─ C:\Windows\SysWOW64\reg.exe  [depth 3, PID:548]
            command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key
  └─ C:\Windows\SysWOW64\cmd.exe  [depth 2, PID:2756]
       command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe:*:Enabled:Windows Messanger" /f
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       └─ C:\Windows\SysWOW64\reg.exe  [depth 3, PID:4276]
            command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe:*:Enabled:Windows Messanger" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key
C:\Windows\system32\cmd.exe  [depth 1, PID:3168]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe  [depth 2, PID:4240]
       command line: C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
       - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
-
Filesize 420KB
MD5 045542e9adb32b39adba08d93dd6b071
SHA1 0dea99e9cf48c1af198e05f43cf2db9138713574
SHA256 bf39e89c584c512c8948a6200b85e66ded15727ad92dcafbea2951278b07fb3f
SHA512 e6906614d4bd4ecb6451669016b8fdb14efe9230c337faa5fe1a1a27feba4b5214e40d28ccfa1ed4f61caa3509c2363721abf719fa85f5b8707cf6190142f29f