9805ece8c7410316d9a7e1b4438aa1be201e6319d38ec443ce3a4b88ff03b6b2

General

Target

0521dc76431d25b55b8a84183dc7f6e3_JaffaCakes118.exe
Size

14KB
MD5

0521dc76431d25b55b8a84183dc7f6e3
SHA1

b29546b4db76dc5f9a89abeda7c790a88aca572e
SHA256

9805ece8c7410316d9a7e1b4438aa1be201e6319d38ec443ce3a4b88ff03b6b2
SHA512

e2adb9f88e61d8cfd17fa5e71a87d2813bc004054b54240c4435eeb653b2554019d0d8b6bdcb2db6208974107516d42f815ad9848c1d2a09d9dd3d5f78054aac
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhh75:hDXWipuE+K3/SSHgxz9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM6992.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMC290.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM1B7D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM742C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	0521dc76431d25b55b8a84183dc7f6e3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMBA3.exe

Executes dropped EXE 6 IoCs

pid	Process
1260	DEMBA3.exe
4944	DEM6992.exe
2940	DEMC290.exe
2248	DEM1B7D.exe
1880	DEM742C.exe
4028	DEMCCDB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 1260	2588	0521dc76431d25b55b8a84183dc7f6e3_JaffaCakes118.exe	104
PID 2588 wrote to memory of 1260	2588	0521dc76431d25b55b8a84183dc7f6e3_JaffaCakes118.exe	104
PID 2588 wrote to memory of 1260	2588	0521dc76431d25b55b8a84183dc7f6e3_JaffaCakes118.exe	104
PID 1260 wrote to memory of 4944	1260	DEMBA3.exe	108
PID 1260 wrote to memory of 4944	1260	DEMBA3.exe	108
PID 1260 wrote to memory of 4944	1260	DEMBA3.exe	108
PID 4944 wrote to memory of 2940	4944	DEM6992.exe	110
PID 4944 wrote to memory of 2940	4944	DEM6992.exe	110
PID 4944 wrote to memory of 2940	4944	DEM6992.exe	110
PID 2940 wrote to memory of 2248	2940	DEMC290.exe	112
PID 2940 wrote to memory of 2248	2940	DEMC290.exe	112
PID 2940 wrote to memory of 2248	2940	DEMC290.exe	112
PID 2248 wrote to memory of 1880	2248	DEM1B7D.exe	114
PID 2248 wrote to memory of 1880	2248	DEM1B7D.exe	114
PID 2248 wrote to memory of 1880	2248	DEM1B7D.exe	114
PID 1880 wrote to memory of 4028	1880	DEM742C.exe	116
PID 1880 wrote to memory of 4028	1880	DEM742C.exe	116
PID 1880 wrote to memory of 4028	1880	DEM742C.exe	116

C:\Users\Admin\AppData\Local\Temp\0521dc76431d25b55b8a84183dc7f6e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0521dc76431d25b55b8a84183dc7f6e3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\DEMBA3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMBA3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\DEM6992.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6992.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\DEMC290.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC290.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Users\Admin\AppData\Local\Temp\DEM1B7D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1B7D.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Users\Admin\AppData\Local\Temp\DEM742C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM742C.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\DEMCCDB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCCDB.exe"
        7⤵
        Executes dropped EXE
        
        PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1B7D.exe

Filesize
14KB

MD5
dbdb883be69e201e1b2869622828c9a7

SHA1
bf4d920fa039763cb255d3c2088bd04fe4c0b0de

SHA256
eb70c8f1283cd30814ca65168b7f0bb3231abe36a88df8cce30727c74f688df3

SHA512
08b260ab93039b7713bb33493a34085a68398617f1b5ce2f7a458e318fdec1c70344c45de8919d1beff09d06f081dd889c45b217a34e5f90326ad5d9a76cc890

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6992.exe

Filesize
14KB

MD5
c816babafcf1de86c8d117143f60c962

SHA1
9dede064bd2ec9978acc28c92ace8437d9f5318e

SHA256
879b3ad8d06e92d6d05f2a5f081a80fbfae245a9c9a44889c4b3bbb7319b3b52

SHA512
ca1cd47679505626c26c00b412b08933bb19381188466cd8d225ba9519f33b5f2f549429114b902b52773a4ba60fc272057a53b39a5146ada30fe9e6693cb8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM742C.exe

Filesize
14KB

MD5
0306ae246e3492385c347c08c1e2d496

SHA1
e26fd5d220e2df349aa5ccdc4add9b36cf82fb15

SHA256
fe8cdd2edc23bfeac8a2388fc860c4d19292a1253a95d382df63daf29fab7280

SHA512
6f9b8ab0df381e8dac076b3822a69d07418202da30fd27596c2a95af8d38885334cd83bb2774cd3553a7cf9b6f260e51d4bc17059a45ac88d36bebba9f1034a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBA3.exe

Filesize
14KB

MD5
956d4e9ba3b2f3e7158081c5e6298121

SHA1
6ff19cc15e60de96156d59e9aede4be821976fdd

SHA256
e4099920ea1ab9cdaf077e8406979ba806b65aa290e88d973d90b90d6fbbf35e

SHA512
58e6ceb0c8faf5243f626b9fde228c59845089bc293401ac5fba15ef7ebb87340df0ba74407f871b0d111bc36bbe174f9e58a79190245626531eaac9a6344079

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC290.exe

Filesize
14KB

MD5
19d186530c49e357306f6f4c982be615

SHA1
1420ea45bf420502fb6445cfcfd95a78fdf74a1e

SHA256
d5d7e862e48f102acaf341b150984b4b0a55fa9780135ac0cf6a116c2006f4bb

SHA512
e9768f51e8150d43f9ddc58db0953e47ae3c4a9ab94a274c2ceca7651be23c7e6a4ff3ee815992eebd23ab1279ad74896e0d2e68d866a3d8df95f2c2c6745cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCCDB.exe

Filesize
14KB

MD5
c8e959829de4c9f2df184958b0702940

SHA1
2ef6e28854ef30311c501fb28d79510b1963b3dc

SHA256
18e692d7c3dafb95bc239ae454644b1541127c89288e92760752962bb75a038c

SHA512
fc7681f20edda643bb2c173d93cbaa18ce292648321e256795851a8200f485ce63f8e52331eb3b1f49a4310bb05fa9bb34723d8737170652e44405fe15ac7492

Download Submit

Analysis

Sharing