9cf686382c3c0848923eddf9fbd377eecac6ecaf69c9259757f6c516601fb1b4

General

Target

03928971beb1886c54bf1f2bd6ae90d2_JaffaCakes118.exe
Size

14KB
MD5

03928971beb1886c54bf1f2bd6ae90d2
SHA1

2e7f89a31bea38a8e4576cdb4a0ff024809cbd73
SHA256

9cf686382c3c0848923eddf9fbd377eecac6ecaf69c9259757f6c516601fb1b4
SHA512

c45aa6ea76cda6aefacafce9b72039fdb9eac02fda786dab5ea5c894155c1180fc038c7b048e265dd62a6fef4d9702419a1f67f0eb97ffd01da9053d8e6c331f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYO:hDXWipuE+K3/SSHgxmO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM819F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMD906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	03928971beb1886c54bf1f2bd6ae90d2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM7B3B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMD33E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM2A47.exe

Executes dropped EXE 6 IoCs

pid	Process
3192	DEM7B3B.exe
3420	DEMD33E.exe
2512	DEM2A47.exe
3180	DEM819F.exe
3780	DEMD906.exe
3852	DEM2FF0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4856	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 3192	3704	03928971beb1886c54bf1f2bd6ae90d2_JaffaCakes118.exe	109
PID 3704 wrote to memory of 3192	3704	03928971beb1886c54bf1f2bd6ae90d2_JaffaCakes118.exe	109
PID 3704 wrote to memory of 3192	3704	03928971beb1886c54bf1f2bd6ae90d2_JaffaCakes118.exe	109
PID 3192 wrote to memory of 3420	3192	DEM7B3B.exe	114
PID 3192 wrote to memory of 3420	3192	DEM7B3B.exe	114
PID 3192 wrote to memory of 3420	3192	DEM7B3B.exe	114
PID 3420 wrote to memory of 2512	3420	DEMD33E.exe	117
PID 3420 wrote to memory of 2512	3420	DEMD33E.exe	117
PID 3420 wrote to memory of 2512	3420	DEMD33E.exe	117
PID 2512 wrote to memory of 3180	2512	DEM2A47.exe	120
PID 2512 wrote to memory of 3180	2512	DEM2A47.exe	120
PID 2512 wrote to memory of 3180	2512	DEM2A47.exe	120
PID 3180 wrote to memory of 3780	3180	DEM819F.exe	129
PID 3180 wrote to memory of 3780	3180	DEM819F.exe	129
PID 3180 wrote to memory of 3780	3180	DEM819F.exe	129
PID 3780 wrote to memory of 3852	3780	DEMD906.exe	131
PID 3780 wrote to memory of 3852	3780	DEMD906.exe	131
PID 3780 wrote to memory of 3852	3780	DEMD906.exe	131

C:\Users\Admin\AppData\Local\Temp\03928971beb1886c54bf1f2bd6ae90d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03928971beb1886c54bf1f2bd6ae90d2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Users\Admin\AppData\Local\Temp\DEM7B3B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7B3B.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Users\Admin\AppData\Local\Temp\DEMD33E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD33E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Users\Admin\AppData\Local\Temp\DEM2A47.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2A47.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Users\Admin\AppData\Local\Temp\DEM819F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM819F.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3180
      - C:\Users\Admin\AppData\Local\Temp\DEMD906.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD906.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\DEM2FF0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2FF0.exe"
        7⤵
        Executes dropped EXE
        
        PID:3852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=2232,i,3915538061666887171,15629965885515244134,262144 --variations-seed-version /prefetch:8
1⤵
PID:3444

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2A47.exe

Filesize
14KB

MD5
6e2e799c25993b23bb9ac7bc6729eaf6

SHA1
5c31fbd2691e94b1a8904705f53aec8677ca4327

SHA256
b63a8c4bd4f82f691a2fe319cac36675a4f6fbeeb55f16bb8360a6f632bb019b

SHA512
7f52606c9ad32509141c1635189e0986c8e0233ec25c028f68ce6c7e63365e6944c34ee302c4873ef3efd8e4d452a28012d60dbdeac49401d75f28b62379d795

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2FF0.exe

Filesize
14KB

MD5
286c9342251a6c01b86cab6645374055

SHA1
33eccc5087510080bb3dda4dad797c9933250dd7

SHA256
1d71fa00631a7f0b31aefd670760807d9e461df5ef6dd4d46461cbec0485ccdd

SHA512
1e8ed624a69188fd7d64144a783a4ddb28bf7841c9acb2cf1d1e56ca534fc1fc26fd09bd64054d34beba087e39714f2dd2e746a4aeb3e196c60b18907d9cc9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7B3B.exe

Filesize
14KB

MD5
4105b8e6bb60577571286e63cf677234

SHA1
16dc5d4f9c266261fcfe8395d16407aa02a8d413

SHA256
573161d94eb416910e9fdde53cbabeb23803e4520b5c241df89e08e91aeb97bb

SHA512
591284e3f2bec9ef6d207f006553430ed9012a30aa611a3c195873649356b9c431e507aca6e988f803e7b6ff0e6a75e35589fc81721b376be0a74936c6a517cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM819F.exe

Filesize
14KB

MD5
91b09aef02ff94956d89ef253af9e043

SHA1
56ab2beb25bf06d539cf76e4c355a54f7ae31d0e

SHA256
ae90d1ca074fd4bb134e52e3fa4e13205623b8c3e08de544b2790297cab0d380

SHA512
15cd59c8b5054af7b312dd665249109899da64b5f7b1ef56e01bf1f84dcda2e94941218185b0cf102666099db5c4bf451fdde5d7e75d9b04529b4410860ebd78

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD33E.exe

Filesize
14KB

MD5
bd3dd544d86fb93811482e34e0abb618

SHA1
d4e165453bbc2d57574a308021d1851c12bf4c4c

SHA256
3696e23714a67415aa4e8bc1a9500dfa72121ff603f618d611c7d15ae6ecde96

SHA512
68df3e518167b01af38ef13cc8ea26fd0a177ae6155105b5165f91a062d4349bc1ef24f8c50804bffc66b51eebeaf87f8455e1cd607aa70612c7f8524e080785

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD906.exe

Filesize
14KB

MD5
e4c2ab49d494eadc0b9a448735764675

SHA1
98c699c46dc9f47484dbe8e701cf24d53effb73f

SHA256
f5fcacd6ab7bd36cbad52d0cb41a46bc0bc75fcaf2546f44befd2f44590b2810

SHA512
ee9803d65c39854577cf93e3d0a282d83472e7be0bee4149e561d0ff17cb446c668c73326831b2066d30ece17b9bcebf45206a8bb9a50683859780bf3817a111

Download Submit
memory/4856-49-0x000001BE2DB40000-0x000001BE2DB50000-memory.dmp

Filesize
64KB

Download
memory/4856-65-0x000001BE2DC40000-0x000001BE2DC50000-memory.dmp

Filesize
64KB

Download
memory/4856-81-0x000001BE35F60000-0x000001BE35F61000-memory.dmp

Filesize
4KB

Download
memory/4856-83-0x000001BE35F90000-0x000001BE35F91000-memory.dmp

Filesize
4KB

Download
memory/4856-84-0x000001BE35F90000-0x000001BE35F91000-memory.dmp

Filesize
4KB

Download
memory/4856-85-0x000001BE360A0000-0x000001BE360A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing