e809d7f1bed617ba65f621b7ae35f3bbe87fe43c288893174a0a431352187c31

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
Size

239KB
MD5

1c50b2118f2ab8f60d4223c1a1c016b5
SHA1

cb2bcda326061c0639bdaaa3a5cfe1f9c4ad8a01
SHA256

e809d7f1bed617ba65f621b7ae35f3bbe87fe43c288893174a0a431352187c31
SHA512

6165da0e8861680f465986c9bcd56771b9885cbc4c0eed9f02680f1a0fa1e2c899b51e7f833b58916eaf13a1c0d24e0c787334241b869c14dd8a7ae1364bf092
SSDEEP

6144:pn3/YeakKhXr1ImCIB2Y1PDNZWeLJbAuIfoEBS:q91Im3BDVDT3LxAuUoE

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\gema\\gema.exe,Explorer.exe,"	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\ProgramData\\gema\\gema.exe,userinit.exe,"	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2156-0-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000700000001508a-10.dat	upx
behavioral1/files/0x00080000000122cd-48.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gema. = "C:\\ProgramData\\gema\\gema.exe"	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\gema = "C:\\Users\\Admin\\AppData\\Roaming\\gema\\gema.exe"	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\gema.exe	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\gema.exe	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
2156	1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c50b2118f2ab8f60d4223c1a1c016b5_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gema\gema.exe

Filesize
239KB

MD5
1c50b2118f2ab8f60d4223c1a1c016b5

SHA1
cb2bcda326061c0639bdaaa3a5cfe1f9c4ad8a01

SHA256
e809d7f1bed617ba65f621b7ae35f3bbe87fe43c288893174a0a431352187c31

SHA512
6165da0e8861680f465986c9bcd56771b9885cbc4c0eed9f02680f1a0fa1e2c899b51e7f833b58916eaf13a1c0d24e0c787334241b869c14dd8a7ae1364bf092

Download Submit
C:\Windows\System32\gema.exe

Filesize
239KB

MD5
582716d22d94e45be2d6e7da22b1cfcc

SHA1
58629c3ccc686448487d9a05976a198c9e1232c4

SHA256
feb6e1a756603857ae3f46b86cabdbdeac915b29c6b862647b5b714e85b2a897

SHA512
ebd17afca720b7a7657070755c0c25f13818e8883c456e348ca9cc4dd725ad91b9cac2a806554f26825fef58425676dff05c77c7f67c3394ecfd5756c9e03591

Download Submit
memory/2156-0-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2156-1-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2156-2-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2156-63-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download