Analysis
max time kernel: 147s
max time network: 137s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64 arch:x86 image:win11-20250502-en locale:en-us os:windows11-21h2-x64 system
submitted: 15/05/2025, 05:34
Behavioral task: behavioral1
Sample: JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe
Resource: win10v2004-20250502-en
Behavioral task: behavioral2
Sample: JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe
Resource: win11-20250502-en
General
Target: JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe
Size: 420KB
MD5: 045542e9adb32b39adba08d93dd6b071
SHA1: 0dea99e9cf48c1af198e05f43cf2db9138713574
SHA256: bf39e89c584c512c8948a6200b85e66ded15727ad92dcafbea2951278b07fb3f
SHA512: e6906614d4bd4ecb6451669016b8fdb14efe9230c337faa5fe1a1a27feba4b5214e40d28ccfa1ed4f61caa3509c2363721abf719fa85f5b8707cf6190142f29f
SSDEEP: 6144:LK3HTNGVvHI2zBHng5HaVsbZgRnyR4mULJhkHM6jI7H1D7puVSF:u3HcVvo21ga0aQ4HLJhkHM6jI7VD7wc
Malware Config
Extracted: latentbot
- alternative.zapto.org
- 1alternative.zapto.org
- 3alternative.zapto.org
- 5alternative.zapto.org
- 7alternative.zapto.org
- 2alternative.zapto.org
- 4alternative.zapto.org
- 6alternative.zapto.org
- 8alternative.zapto.org
Signatures
Blackshades
Blackshades is a remote access trojan with various capabilities.
Blackshades family
Blackshades payload (2 IoCs)
- behavioral2/files/0x000c0000000270de-10.dat (yara_rule: family_blackshades)
- behavioral2/memory/8-15-0x0000000075DF0000-0x0000000075EE0000-memory.dmp (yara_rule: family_blackshades)
Latentbot family
Modifies firewall policy service (3 TTPs, 10 IoCs)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe:*:Enabled:Windows Messanger" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
Adds policy Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run (JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" (JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Set value (str): \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Active Setup\Installed Components\{8765FD16-99DC-D178-AB7F-A90ECF7C2FB1}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" (JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8765FD16-99DC-D178-AB7F-A90ECF7C2FB1} (JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8765FD16-99DC-D178-AB7F-A90ECF7C2FB1}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" (JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{8765FD16-99DC-D178-AB7F-A90ECF7C2FB1} (JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe)
Executes dropped EXE (1 IoC)
- PID 4376: ZUXMY7FV0B.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" (JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\ZUXMY7FV0B.exe" (JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe)
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, 10 times in total: reg.exe (4), cmd.exe (4), ZUXMY7FV0B.exe (1), JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe (1)
Modifies registry key (1 TTP, 4 IoCs)
- PID 5020: reg.exe
- PID 436: reg.exe
- PID 4996: reg.exe
- PID 4924: reg.exe
Suspicious use of AdjustPrivilegeToken (36 IoCs)
All 36 token adjustments were made by PID 8 (JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe), for the following privileges, in order:
1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege
Suspicious use of SetWindowsHookEx (5 IoCs)
- PID 8: JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe (3 times)
- PID 4376: ZUXMY7FV0B.exe (2 times)
Suspicious use of WriteProcessMemory (27 IoCs)
Each write below was recorded 3 times; the trailing number is the procid_target.
- PID 8 (JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe) wrote to memory of PID 5396, procid_target 82
- PID 8 (JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe) wrote to memory of PID 2952, procid_target 83
- PID 8 (JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe) wrote to memory of PID 2320, procid_target 84
- PID 8 (JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe) wrote to memory of PID 5872, procid_target 85
- PID 2952 (cmd.exe) wrote to memory of PID 4924, procid_target 92
- PID 2320 (cmd.exe) wrote to memory of PID 5020, procid_target 93
- PID 5872 (cmd.exe) wrote to memory of PID 436, procid_target 95
- PID 4152 (cmd.exe) wrote to memory of PID 4376, procid_target 94
- PID 5396 (cmd.exe) wrote to memory of PID 4996, procid_target 96
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe"
  PID: 8
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    PID: 5396
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 4996
      - Modifies firewall policy service
      - System Location Discovery: System Language Discovery
      - Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe:*:Enabled:Windows Messanger" /f
    PID: 2952
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe:*:Enabled:Windows Messanger" /f
      PID: 4924
      - Modifies firewall policy service
      - System Location Discovery: System Language Discovery
      - Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    PID: 2320
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 5020
      - Modifies firewall policy service
      - System Location Discovery: System Language Discovery
      - Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe:*:Enabled:Windows Messanger" /f
    PID: 5872
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe:*:Enabled:Windows Messanger" /f
      PID: 436
      - Modifies firewall policy service
      - System Location Discovery: System Language Discovery
      - Modifies registry key
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe
  PID: 4152
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe
    Command line: C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe
    PID: 4376
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)