56697e6820fc8506de19fdc58ad8e940a7616c9076c7c02d1f2cba2d8aafb816

Analysis

max time kernel
149s
max time network
46s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60fda9278c32587c063f0c8f978ab735_JaffaCakes118.exe
Size

136KB
MD5

60fda9278c32587c063f0c8f978ab735
SHA1

c23a96a05d17474b1cd6963a60cfdfa1c39bbff4
SHA256

56697e6820fc8506de19fdc58ad8e940a7616c9076c7c02d1f2cba2d8aafb816
SHA512

6c2e246898964ef8b5f108c6f3ef43625a89b8df6f91606c32bf3ee92dfb336e7a6dc3e93ea7fc47979ec4527b9c3859a5b2f5472c5120367b40ac8113e4716f
SSDEEP

1536:fUA0xj1ihnBpE6d5rqI43olY5hKyUb/rEG+yY:8A0xj0BW6TrqIoolYsRY

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	keamia.exe

Executes dropped EXE 1 IoCs

pid	Process
1864	keamia.exe

Loads dropped DLL 2 IoCs

pid	Process
3008	60fda9278c32587c063f0c8f978ab735_JaffaCakes118.exe
3008	60fda9278c32587c063f0c8f978ab735_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /u"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /S"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /A"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /x"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /X"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /U"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /O"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /H"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /N"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /L"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /s"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /m"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /n"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /a"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /K"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /Q"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /o"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /T"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /E"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /W"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /d"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /y"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /C"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /q"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /v"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /g"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /R"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /j"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /I"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /Z"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /V"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /r"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /f"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /D"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /k"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /e"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /M"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /G"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /h"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /l"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /Y"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /z"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /F"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /p"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /J"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /c"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /P"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /i"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /B"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /b"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /t"	keamia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\keamia = "C:\\Users\\Admin\\keamia.exe /w"	keamia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe
1864	keamia.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3008	60fda9278c32587c063f0c8f978ab735_JaffaCakes118.exe
1864	keamia.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 1864	3008	60fda9278c32587c063f0c8f978ab735_JaffaCakes118.exe	30
PID 3008 wrote to memory of 1864	3008	60fda9278c32587c063f0c8f978ab735_JaffaCakes118.exe	30
PID 3008 wrote to memory of 1864	3008	60fda9278c32587c063f0c8f978ab735_JaffaCakes118.exe	30
PID 3008 wrote to memory of 1864	3008	60fda9278c32587c063f0c8f978ab735_JaffaCakes118.exe	30
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29
PID 1864 wrote to memory of 3008	1864	keamia.exe	29

C:\Users\Admin\AppData\Local\Temp\60fda9278c32587c063f0c8f978ab735_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\60fda9278c32587c063f0c8f978ab735_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\keamia.exe
  "C:\Users\Admin\keamia.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\keamia.exe

Filesize
136KB

MD5
83ab73184b44a7286b454067fe8fcbc3

SHA1
c7e57feaae869bf47dc7ea2249b97e98691e2f72

SHA256
6e3998536bb5e1cc256136a943bfa3b44c3b92a0d72bbabb345406298d4fdbd1

SHA512
dc42839900b75baed3747bb2e4f2a9a4c941f7388cc1773dcea1b16a0842bfa364d81aad9da9e6e9355af5573ee572c74ae4c2c614bf02a99b0f50aa758d26fb

Download Submit