a3af1cb9e96111f1b22cf571faee8b8b8853649375f3c3866605178c03054e1a

General

Target

114923912de5c2f125812a476724ce51_JaffaCakes118.exe
Size

14KB
MD5

114923912de5c2f125812a476724ce51
SHA1

1bc16556b93ec6118d47a761098ebde9de4db657
SHA256

a3af1cb9e96111f1b22cf571faee8b8b8853649375f3c3866605178c03054e1a
SHA512

361afadb639d7f8c6115e5a815992dfb00188d07f36a750e7b8e72ea33699bbf4686f50cb41ddace6eb7abda46740dc0f5dfaadf5f94ea17adf79b9db2c454c6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0xEp:hDXWipuE+K3/SSHgxm0Cp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM213F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM81DD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMDA1F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM32AF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM8CB6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	114923912de5c2f125812a476724ce51_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3176	DEM213F.exe
2372	DEM81DD.exe
3152	DEMDA1F.exe
3596	DEM32AF.exe
996	DEM8CB6.exe
2100	DEME5D2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 3176	2128	114923912de5c2f125812a476724ce51_JaffaCakes118.exe	103
PID 2128 wrote to memory of 3176	2128	114923912de5c2f125812a476724ce51_JaffaCakes118.exe	103
PID 2128 wrote to memory of 3176	2128	114923912de5c2f125812a476724ce51_JaffaCakes118.exe	103
PID 3176 wrote to memory of 2372	3176	DEM213F.exe	107
PID 3176 wrote to memory of 2372	3176	DEM213F.exe	107
PID 3176 wrote to memory of 2372	3176	DEM213F.exe	107
PID 2372 wrote to memory of 3152	2372	DEM81DD.exe	109
PID 2372 wrote to memory of 3152	2372	DEM81DD.exe	109
PID 2372 wrote to memory of 3152	2372	DEM81DD.exe	109
PID 3152 wrote to memory of 3596	3152	DEMDA1F.exe	111
PID 3152 wrote to memory of 3596	3152	DEMDA1F.exe	111
PID 3152 wrote to memory of 3596	3152	DEMDA1F.exe	111
PID 3596 wrote to memory of 996	3596	DEM32AF.exe	113
PID 3596 wrote to memory of 996	3596	DEM32AF.exe	113
PID 3596 wrote to memory of 996	3596	DEM32AF.exe	113
PID 996 wrote to memory of 2100	996	DEM8CB6.exe	115
PID 996 wrote to memory of 2100	996	DEM8CB6.exe	115
PID 996 wrote to memory of 2100	996	DEM8CB6.exe	115

C:\Users\Admin\AppData\Local\Temp\114923912de5c2f125812a476724ce51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\114923912de5c2f125812a476724ce51_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\DEM213F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM213F.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Users\Admin\AppData\Local\Temp\DEM81DD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM81DD.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\DEMDA1F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDA1F.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3152
    - - C:\Users\Admin\AppData\Local\Temp\DEM32AF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM32AF.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3596
      - C:\Users\Admin\AppData\Local\Temp\DEM8CB6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8CB6.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\DEME5D2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME5D2.exe"
        7⤵
        Executes dropped EXE
        
        PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4208 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM213F.exe

Filesize
15KB

MD5
06d8cece62939908437637fea966c759

SHA1
8b0c2ae1f82bef68778926dff312598871a4812b

SHA256
1d8c24f0cf153e639cbc7f101ec6ae23ab5729fb9d5d2ffc2ade1cdf99a3e4ec

SHA512
3219282ee165b620115a3fe6dd2b55cb595cfae3f92085d92eb49a6c6bec7aef589ef446f902e739a91396a97f39c13b3b118e61688ee14d8d77f8c304c474df

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM32AF.exe

Filesize
15KB

MD5
ad957d8aa394eb4e2300b00d85f1769d

SHA1
6afc2af9c0691de482a5b605b8f01778a6431a68

SHA256
2625ec9c518e16d62afa230775257390538550e002a1e8245eaf0b7c8427f7d8

SHA512
587c454cc35b247bbe0d90003ac154722e3312b2007c86502ee3cd2910aee9089447439af698e86ea798eaeef468dcc3abedb4e4db3483a60c16afd4f3da11b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM81DD.exe

Filesize
15KB

MD5
07208def1b7c01ff9d24abf8ae9a88c3

SHA1
8dce02cde3a96a4313ce4c66d72cbbbde88e6deb

SHA256
5a153fda7361f3218ae24816fd76581d6c17512fcef0e264f37905c9da0458be

SHA512
3ff8d15ea314a09b57c5f39e1101f63c35c39f54cf4f5b0675d32b91f9878fa8218b24104c9e451e9a19bf42edacf75e27fbc8238d9ff1b4366fc693e9f1fbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8CB6.exe

Filesize
15KB

MD5
1926acc5afc1ed841b5b05a189f92c53

SHA1
57c2094a36f28db854c4a91c41626b181fce3f36

SHA256
cfbfdfdc798747b45f3a2bd11a67414d598817739c00738d1460f5ef61e0b219

SHA512
efbf3b79bbc9e8c59b3ed3ccc7e15982ee1a3fea4b0065944085d1665302922414369b313fd527015531c1b22a95fdafbd5ab65297618be18c86d14d1616c5a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDA1F.exe

Filesize
15KB

MD5
785f1c0d2f4998af44c352da25966487

SHA1
4e53de2a326c7fec99d6d9910b6fc891a544b630

SHA256
b9e81fd334a3838583e73b1a2c203d74ff42dd28140abb659e939102cfc79fee

SHA512
fc7e6278d87c1eac7535da25b55e48f801c7f2de346ea334f8d28612f9c306cc59a94ecb8fac36b3f01a29eac483614a63082cb417519021f37cb179054f368e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME5D2.exe

Filesize
15KB

MD5
47ec214204fe0363be6d3695b8bd7c18

SHA1
1d10dbb5e7763d34bf6f38fd4dd7052e1b595026

SHA256
06c57abf9fdc618599d2242870aa90bb90e6ab04c502defe1601acfc7d7cd96e

SHA512
db95692e243fc75e43d32c29e63f615a2be03ddff2c1ae23d53884a09e99ed8536e9a603594441b4b52841fcbda44c5ca606d43d72f882fd2b0bedc85e8577ad

Download Submit

Analysis

Sharing