7ceb6e19e6392bc2b057c462a40504ebb2b4aae0b819f04090e37119e7956c5f

General

Target

1214eb7ef069fc2d751934f233e2fb50_JaffaCakes118.exe
Size

16KB
MD5

1214eb7ef069fc2d751934f233e2fb50
SHA1

cd38d08b64069a158fd798a2ca69da3b0f1a370a
SHA256

7ceb6e19e6392bc2b057c462a40504ebb2b4aae0b819f04090e37119e7956c5f
SHA512

1d14395efdf9325935f52f1ca400def14b8e4b5ef5ee4c63852710441c58bd5bf2d20baba62b829c80395807c698ca1ba05f622ba6bb0ad39a8eb763becf2ada
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxB:hDXWipuE+K3/SSHgxmHD

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM6944.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMC157.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM1989.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	1214eb7ef069fc2d751934f233e2fb50_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMD793.exe

Executes dropped EXE 5 IoCs

pid	Process
3472	DEMD793.exe
2796	DEM6944.exe
2380	DEMC157.exe
780	DEM1989.exe
1488	DEM7238.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 3472	2744	1214eb7ef069fc2d751934f233e2fb50_JaffaCakes118.exe	105
PID 2744 wrote to memory of 3472	2744	1214eb7ef069fc2d751934f233e2fb50_JaffaCakes118.exe	105
PID 2744 wrote to memory of 3472	2744	1214eb7ef069fc2d751934f233e2fb50_JaffaCakes118.exe	105
PID 3472 wrote to memory of 2796	3472	DEMD793.exe	108
PID 3472 wrote to memory of 2796	3472	DEMD793.exe	108
PID 3472 wrote to memory of 2796	3472	DEMD793.exe	108
PID 2796 wrote to memory of 2380	2796	DEM6944.exe	110
PID 2796 wrote to memory of 2380	2796	DEM6944.exe	110
PID 2796 wrote to memory of 2380	2796	DEM6944.exe	110
PID 2380 wrote to memory of 780	2380	DEMC157.exe	112
PID 2380 wrote to memory of 780	2380	DEMC157.exe	112
PID 2380 wrote to memory of 780	2380	DEMC157.exe	112
PID 780 wrote to memory of 1488	780	DEM1989.exe	114
PID 780 wrote to memory of 1488	780	DEM1989.exe	114
PID 780 wrote to memory of 1488	780	DEM1989.exe	114

C:\Users\Admin\AppData\Local\Temp\1214eb7ef069fc2d751934f233e2fb50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1214eb7ef069fc2d751934f233e2fb50_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\DEMD793.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMD793.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Users\Admin\AppData\Local\Temp\DEM6944.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6944.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\DEMC157.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC157.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Users\Admin\AppData\Local\Temp\DEM1989.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1989.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:780
      - C:\Users\Admin\AppData\Local\Temp\DEM7238.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7238.exe"
        6⤵
        Executes dropped EXE
        
        PID:1488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1989.exe

Filesize
16KB

MD5
b2905ae9918695aad8e7f9d2f00d5d21

SHA1
4479c99e9d275b379b5655f99f7a8bd3919aca3a

SHA256
9b092f2ee354106f89715ce84f926b6f6b6093621c2464e306c5c8f1e3ea9165

SHA512
dc91f41af190737dafba5de8a324d37b645a804e39c4903232d5387120e26943449493979b2b225bb5b726f66648bdf327be3a3e5a1f5c2366ca092fb87bbfb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6944.exe

Filesize
16KB

MD5
8d4f964c279e5ff076526f5e4e40bcf1

SHA1
dc5b743aaf9c934578f411c201b6d29c8e5e147c

SHA256
98fb8f7554d4dacd7ffd523ce8f90352f3752c699ec45d0d4c82f027b1672839

SHA512
141ab64045b560ab8492a6fc58bb56f27299874c2df15f0bc32fffdf0acfcbcc265a4a4e50d9f861985490ef94e74889da8caf7ab261ba673c953b0ce498d6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7238.exe

Filesize
16KB

MD5
54f6c07f0708f972782a6a39d0543dbe

SHA1
8523f9e815330c35a168ee9bcf50967d309649f6

SHA256
8a428261e0183160162404a0a46909e7476448b46f44dec568ace2e9ff7d556f

SHA512
cc930fc001f5f2ad5078029b2f30c4ffd83c3402b51d1d302006ffa3e78a1e8589c0aacb0f4de077ac884077ef694ce70c492fdf9250109f4f440526d844a6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC157.exe

Filesize
16KB

MD5
2bf317a2f62f8aff44c7697ada61a9a1

SHA1
f91c0abfbfdbba18fc9d7774ef3470fd38f0c4ac

SHA256
f67697f91e86e547e1843e67ae6f48d79a3ed613f962bb347d6166327299f7d4

SHA512
f42e935777173e6ec2b0a59271dbfc9a7dcff8bc3a39e39997942f3f3c39b422fe34b061ee51fbdb9ee0cbf066ca2d2e27563f6317623da9eba3a027f8fa3f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD793.exe

Filesize
16KB

MD5
9ce36139049cdcf927636731ffe24d3c

SHA1
2879ac2dfad2f742c0e4d7d957825e6d60c90f03

SHA256
b39babca21b00f61d5f2d448e1865015b216d9681a76b1070484f11fea70a182

SHA512
ccedcec197a01a94861faa028e4186c9fa459f00e0afd806e83fafff400b6adb6691b290c4f80f18a74a15b546347a92ba53e83dfcd40ab9c25681b40ce77a68

Download Submit

Analysis

Sharing