3a987258428a234acca7a1b6ed6d8d884e6fcbeafe89711265891ede265e2bda

General

Target

077974dc2cd5f501cf4c8f0a3f297bf1_JaffaCakes118.exe
Size

20KB
MD5

077974dc2cd5f501cf4c8f0a3f297bf1
SHA1

fba575c214522a811b773de5496856767f8c9ef9
SHA256

3a987258428a234acca7a1b6ed6d8d884e6fcbeafe89711265891ede265e2bda
SHA512

22ad975d62ec7d3c1948e90fe87abf701e98e02ff077d29af6371f900f848b8a49292b04813ff5f1e1d43dbc307e74b0faf92549d5333cd23f479b3e01b20634
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L410:hDXWipuE+K3/SSHgxmHZ10

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	077974dc2cd5f501cf4c8f0a3f297bf1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMEE0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM75E7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMCE76.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM26D7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM7F96.exe

Executes dropped EXE 6 IoCs

pid	Process
3184	DEMEE0.exe
444	DEM75E7.exe
1456	DEMCE76.exe
1384	DEM26D7.exe
1872	DEM7F96.exe
828	DEMD7A9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 3184	1256	077974dc2cd5f501cf4c8f0a3f297bf1_JaffaCakes118.exe	103
PID 1256 wrote to memory of 3184	1256	077974dc2cd5f501cf4c8f0a3f297bf1_JaffaCakes118.exe	103
PID 1256 wrote to memory of 3184	1256	077974dc2cd5f501cf4c8f0a3f297bf1_JaffaCakes118.exe	103
PID 3184 wrote to memory of 444	3184	DEMEE0.exe	107
PID 3184 wrote to memory of 444	3184	DEMEE0.exe	107
PID 3184 wrote to memory of 444	3184	DEMEE0.exe	107
PID 444 wrote to memory of 1456	444	DEM75E7.exe	109
PID 444 wrote to memory of 1456	444	DEM75E7.exe	109
PID 444 wrote to memory of 1456	444	DEM75E7.exe	109
PID 1456 wrote to memory of 1384	1456	DEMCE76.exe	111
PID 1456 wrote to memory of 1384	1456	DEMCE76.exe	111
PID 1456 wrote to memory of 1384	1456	DEMCE76.exe	111
PID 1384 wrote to memory of 1872	1384	DEM26D7.exe	113
PID 1384 wrote to memory of 1872	1384	DEM26D7.exe	113
PID 1384 wrote to memory of 1872	1384	DEM26D7.exe	113
PID 1872 wrote to memory of 828	1872	DEM7F96.exe	115
PID 1872 wrote to memory of 828	1872	DEM7F96.exe	115
PID 1872 wrote to memory of 828	1872	DEM7F96.exe	115

C:\Users\Admin\AppData\Local\Temp\077974dc2cd5f501cf4c8f0a3f297bf1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\077974dc2cd5f501cf4c8f0a3f297bf1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\DEMEE0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMEE0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Users\Admin\AppData\Local\Temp\DEM75E7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM75E7.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:444
  - - C:\Users\Admin\AppData\Local\Temp\DEMCE76.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCE76.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Users\Admin\AppData\Local\Temp\DEM26D7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM26D7.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1384
      - C:\Users\Admin\AppData\Local\Temp\DEM7F96.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7F96.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\DEMD7A9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD7A9.exe"
        7⤵
        Executes dropped EXE
        
        PID:828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM26D7.exe

Filesize
20KB

MD5
751016f1f143d9a84d9b5b16142878ef

SHA1
f4294fd2f7a67977f73a6f728031dc755a807348

SHA256
a88c1593ce5ee44a30d114b6d8828f0dcb6cbdc2e19c79d5e4e11809bda0fe6b

SHA512
f81b6dd1c20b9c9868ad021eb7ff03b6f8855750697995001ddb6b8d40126fa875517253cc24659e2d8b95019d7d2f8a283bc719c2eb7a9fcec9b2b6e47bdddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM75E7.exe

Filesize
20KB

MD5
ae6620cf1ad28fc05d1b46f518ba844a

SHA1
b3dd173ac035932933a383cd0f50077befdcc011

SHA256
0a5c4eeb814bac91b34590566cff1e767519bb480de2bd98bc7ccee53ab9d49e

SHA512
a90fa7b1345b0c16f3c80c401212fb9c889098c72df7b19bd0d094b2bb4a9c443bf81f37b55693f124721bc88888d9041e4fd6c7ee1e8ae5d172eb5c1e482866

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7F96.exe

Filesize
20KB

MD5
e2995fda59ee2d4b208f9c81933a8e78

SHA1
7d6ae6e5493b2bec8cb6e7f1e822e381225aa1e0

SHA256
8eb3ec2c49b840017ac2683a93058ececb9fe8e73ad4bb2e8bf3bd67b121fd3f

SHA512
cfed753d4b45f05f6b7db1c5a299f744814db75a89fa707cba6980b77aa2de916c714ce900481cb2a7da672bfc921d1a1d51a9f3038497112c3ddfd02610298a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCE76.exe

Filesize
20KB

MD5
b93f7a13d0494778e584ebdecb4f15f0

SHA1
21c8aea421ff04bace7e6895e03dcb077423af1f

SHA256
da10d3e4f03384484a35f9f4941bdc42a4cb5c19942ebc7668fe5f5ee1c4615e

SHA512
5afe9bf6c8ce10fcab5fbdd22831904f41e3e422cdf79f15c8fcf0f694a09cd031dfef5c430f8ddc6c15e1c7ded7461bc80238d788be31de5ab8feb401fccfe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD7A9.exe

Filesize
20KB

MD5
b1fc69e5a3eaa253f9d475ed3f0f8b33

SHA1
daf99c153a3d7aeaa1c9ed3233fcf77d73011bf1

SHA256
40c9bdf4e856804f7e161635a5f67b6ffd0c13d7c0a0dae9727088df46c2bebd

SHA512
1153bc760ffc20d80f56b87da557d963cc778c5b5f45aa07ce6ab4ed17af2d088f163304e55a905afe657963b19ce39f66f28cc3bd6db137c49263fe27b00a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEE0.exe

Filesize
20KB

MD5
5ff0cf5a87fb2806174367a9bd5078c6

SHA1
fc460369f742c251845bdd01c19cb7c34a0afd72

SHA256
977e1b8ab979c93a8b4189346becab66638db3079b29f6ed25c752801ea0cf82

SHA512
b3e187257d8fcc778ca965638ff600595cd4814b5d88fa93c3394ec26136a14b2b590490e7b3d9c24f6a2ddfa5b21f331921edee096a46a013dbbc12f39ad91a

Download Submit

Analysis

Sharing