7a32ee3d2c39bef305d908f01d728e18f10ff8a000968e3a31604bc2ce1e9ad7

Analysis

max time kernel
160s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0753273de4214a1dd437b9d487587efa_JaffaCakes118.exe
Size

16KB
MD5

0753273de4214a1dd437b9d487587efa
SHA1

65dc8ef10aae6634441c178014c91e52631ac60f
SHA256

7a32ee3d2c39bef305d908f01d728e18f10ff8a000968e3a31604bc2ce1e9ad7
SHA512

3e1fb07a06552999f22a6986c953563375bd154d04dc131f9738b4eef47aedd50dd8050713779cee9113305d0191a2b4184053805c886ef58cdc9470efe00aff
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4XL:hDXWipuE+K3/SSHgxmML

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	0753273de4214a1dd437b9d487587efa_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMAA88.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMD3A7.exe

Executes dropped EXE 3 IoCs

pid	Process
2756	DEMAA88.exe
3876	DEMD3A7.exe
1848	DEM42EB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2756	2464	0753273de4214a1dd437b9d487587efa_JaffaCakes118.exe	98
PID 2464 wrote to memory of 2756	2464	0753273de4214a1dd437b9d487587efa_JaffaCakes118.exe	98
PID 2464 wrote to memory of 2756	2464	0753273de4214a1dd437b9d487587efa_JaffaCakes118.exe	98
PID 2756 wrote to memory of 3876	2756	DEMAA88.exe	102
PID 2756 wrote to memory of 3876	2756	DEMAA88.exe	102
PID 2756 wrote to memory of 3876	2756	DEMAA88.exe	102
PID 3876 wrote to memory of 1848	3876	DEMD3A7.exe	105
PID 3876 wrote to memory of 1848	3876	DEMD3A7.exe	105
PID 3876 wrote to memory of 1848	3876	DEMD3A7.exe	105

C:\Users\Admin\AppData\Local\Temp\0753273de4214a1dd437b9d487587efa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0753273de4214a1dd437b9d487587efa_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\DEMAA88.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMAA88.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\DEMD3A7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD3A7.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3876
  - - C:\Users\Admin\AppData\Local\Temp\DEM42EB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM42EB.exe"
      4⤵
      Executes dropped EXE
      PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM42EB.exe

Filesize
16KB

MD5
d28f35fcf08174e2b87e4e8ceab4802a

SHA1
09c904499ba2b15e352339ba3e84c84705d7e5ee

SHA256
0fae5ca4be38ddb35b777d667abe1a1c69515bd53e60f6045474f33b071bfb4b

SHA512
f5f5bc12a317062b7b7d8b6c3a907593882cae073821359670184a844cca1083b2a1694b1a7d71a8e66f5169950427ac91cf58ec6c439bf4994f7e5e708995aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAA88.exe

Filesize
16KB

MD5
c15c7b8b0e129d83ce0cf1f10f088dfc

SHA1
0d9ab4b65d80cdb23f60afae1018161458e8bd72

SHA256
fe53ccae1b4957e6b846f5b43540a03d4037bd6c96679616aefb8c5ff8b64f6e

SHA512
938d37187af81a04a8d1dddf48cedc74c6a2cae972708657f24ccb3592ea03f2ea4e1128eaba0a4cf8700c68c63b8bc19cef0671b31d944137480cdc4c7744bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD3A7.exe

Filesize
16KB

MD5
dc0783e2a653c036670bc24060855588

SHA1
07dbfa8598d12ecc81399832b2a77da177b41982

SHA256
96a64f0d0ff9fa72e2cabc5159c64bd0b1cbc3b29c2381995d9043bf2ca843f2

SHA512
d4aa1ec956e4a544c970a66d4936e5f383f00bc458bc6dbecd96b8ec48eddd8ea04b075b84e81aaaea2f11594bcdd7e8393382430dab91d24888dc7ada25edcf

Download Submit