c98ab7441e92ba4107cf63062c8b43ec8c0bc0e0b40c66e870194dea78360a09

General

Target

004df9eda4bb9a7589cdc8d4e5ed9620_JaffaCakes118.exe
Size

16KB
MD5

004df9eda4bb9a7589cdc8d4e5ed9620
SHA1

35c6338c8dc3f3a89dcb6ad89722697e82ef04e6
SHA256

c98ab7441e92ba4107cf63062c8b43ec8c0bc0e0b40c66e870194dea78360a09
SHA512

61254800e0aa4658cb60946a999a3c8a80bca3b309fd28eb822b2b8501adf4a932190ad4aae33b809cfa925b571d37e591864717d46d1867793353a70da3194f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJUc+2:hDXWipuE+K3/SSHgxy2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	004df9eda4bb9a7589cdc8d4e5ed9620_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM9D59.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMF647.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM4E3A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMA563.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMFD18.exe

Executes dropped EXE 6 IoCs

pid	Process
2296	DEM9D59.exe
1956	DEMF647.exe
2576	DEM4E3A.exe
4296	DEMA563.exe
2580	DEMFD18.exe
1516	DEM54EC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 2296	800	004df9eda4bb9a7589cdc8d4e5ed9620_JaffaCakes118.exe	104
PID 800 wrote to memory of 2296	800	004df9eda4bb9a7589cdc8d4e5ed9620_JaffaCakes118.exe	104
PID 800 wrote to memory of 2296	800	004df9eda4bb9a7589cdc8d4e5ed9620_JaffaCakes118.exe	104
PID 2296 wrote to memory of 1956	2296	DEM9D59.exe	108
PID 2296 wrote to memory of 1956	2296	DEM9D59.exe	108
PID 2296 wrote to memory of 1956	2296	DEM9D59.exe	108
PID 1956 wrote to memory of 2576	1956	DEMF647.exe	110
PID 1956 wrote to memory of 2576	1956	DEMF647.exe	110
PID 1956 wrote to memory of 2576	1956	DEMF647.exe	110
PID 2576 wrote to memory of 4296	2576	DEM4E3A.exe	112
PID 2576 wrote to memory of 4296	2576	DEM4E3A.exe	112
PID 2576 wrote to memory of 4296	2576	DEM4E3A.exe	112
PID 4296 wrote to memory of 2580	4296	DEMA563.exe	114
PID 4296 wrote to memory of 2580	4296	DEMA563.exe	114
PID 4296 wrote to memory of 2580	4296	DEMA563.exe	114
PID 2580 wrote to memory of 1516	2580	DEMFD18.exe	116
PID 2580 wrote to memory of 1516	2580	DEMFD18.exe	116
PID 2580 wrote to memory of 1516	2580	DEMFD18.exe	116

C:\Users\Admin\AppData\Local\Temp\004df9eda4bb9a7589cdc8d4e5ed9620_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\004df9eda4bb9a7589cdc8d4e5ed9620_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\AppData\Local\Temp\DEM9D59.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9D59.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\DEMF647.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF647.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\DEM4E3A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4E3A.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Users\Admin\AppData\Local\Temp\DEMA563.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA563.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4296
      - C:\Users\Admin\AppData\Local\Temp\DEMFD18.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFD18.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\DEM54EC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM54EC.exe"
        7⤵
        Executes dropped EXE
        
        PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8
1⤵
PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4E3A.exe

Filesize
16KB

MD5
cf3434901f06bd9f9724699843e97681

SHA1
6108db5a04ddb33141b49048bcd18fc1184d1cfc

SHA256
d08641e0462e4627d63a1320574597ffc3d6b5743a05ef52928c5aa53fa1be01

SHA512
fd9aef7caf8a51477fe646d5b0941e9a114de2c01527d0d5c37faf70de3e29a9c0b9915fba916e05b9d19297021241ed44013e0884456ccdf1d1e2923b1414e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM54EC.exe

Filesize
16KB

MD5
57337defc3d0c090c1d76a43555b70e0

SHA1
b8c588b59f5df54162012cc64600d534ad919c17

SHA256
ecd6e49143f2c5fb2681d32178fa20d1664e3ea04a4c8523d430bcbe849386c0

SHA512
22cdfdfb591692c0e9a404fb8b03d8ba3a1527a233a060248c17ecdf39555bdd0909c3b8cfa9575379b344503df1e72111b2830b992930382edf45f998c9892b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9D59.exe

Filesize
16KB

MD5
4a3713ebf13f0323f27e0a27dd18e27c

SHA1
9a1b96ae94772a5074f6ac0b70e267c2647f95f3

SHA256
6a5904bf23fd6701b258cecc3cc063f6838aa30a18abb9e71e3d382e80d116f0

SHA512
0fc14e9c22ec1959111153c64fac8faf89e93d6256858a5c8f9e34443c7f6d4e2b4b9e7858f38597a49f469da5ab01e0a14d2e728ab576026aaff7f969f7316d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA563.exe

Filesize
16KB

MD5
3145fa50edb90bba8364322147417ae1

SHA1
e809bdda154f1cff5917cb36de3ad0abb4055be5

SHA256
b13db9bfc7fad8771790d5404c3052cabf02a66742349d228525849bf52cf7c7

SHA512
8e6878da7d21cc7d69b88c3a5aac4c4a7fbb00638061d4c9bddb4d7872f7cbb7136c75d7205904d3dbeb7e7f0e55c8c44be71b1c74db1ae1e0d424063c98026f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF647.exe

Filesize
16KB

MD5
e06fd3c9adcb2cf836f93d43011fb7d7

SHA1
11ea117f64587845957a718bd967a4c782fd347c

SHA256
f1a6e6ac17ceab80efbef253758e135c46845182cfb952938d932dc02b869d3e

SHA512
e2517f80618e78d2e4adb3df2c7359234a2a6bd556f6c9e4ac6cabbf6175f1aa783b9f9970c3237660be5e9ef534a1323fee4d6f9736ec9c980a262b5685274c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFD18.exe

Filesize
16KB

MD5
6fd9b4f6935f625f98eeee51e086f88f

SHA1
ccd688a409211ff96745eee532f9a61ec7f580e5

SHA256
264483ad6452eac875fca7338ff2603872d1185d0c03ae603bc52f1e886b4cf5

SHA512
39e9c2b4406d37d2c700f409c814b596180e5a87d6c4aac94415be31bbde2f6216c1f775723a3e099f8e9fe490e6732f72c290c6f6627aacfed42a49937d711e

Download Submit

Analysis

Sharing