4eb30f9ef046ff8cc420c6fd54a77d7595b7544b6f5b28dd9b9dc9da896840d3

General

Target

09f612804dc52cb93587c62135351097_JaffaCakes118.exe
Size

15KB
MD5

09f612804dc52cb93587c62135351097
SHA1

7810ff828c246e9354172f17f54bf30c79031b3e
SHA256

4eb30f9ef046ff8cc420c6fd54a77d7595b7544b6f5b28dd9b9dc9da896840d3
SHA512

53f3e0952e21fd4c9b6bfca34812a3e7261dc07b6a10e1c07e3990df92bf8088305e7329658882407e1e11944136a4030976d8bde78c567c662c0b420b9d432e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvAhV:hDXWipuE+K3/SSHgxm4T

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	09f612804dc52cb93587c62135351097_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMC1BA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM266F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM7E24.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMD702.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM2F44.exe

Executes dropped EXE 6 IoCs

pid	Process
1460	DEMC1BA.exe
3684	DEM266F.exe
2680	DEM7E24.exe
1652	DEMD702.exe
908	DEM2F44.exe
4980	DEM86DA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1460	1652	09f612804dc52cb93587c62135351097_JaffaCakes118.exe	105
PID 1652 wrote to memory of 1460	1652	09f612804dc52cb93587c62135351097_JaffaCakes118.exe	105
PID 1652 wrote to memory of 1460	1652	09f612804dc52cb93587c62135351097_JaffaCakes118.exe	105
PID 1460 wrote to memory of 3684	1460	DEMC1BA.exe	108
PID 1460 wrote to memory of 3684	1460	DEMC1BA.exe	108
PID 1460 wrote to memory of 3684	1460	DEMC1BA.exe	108
PID 3684 wrote to memory of 2680	3684	DEM266F.exe	110
PID 3684 wrote to memory of 2680	3684	DEM266F.exe	110
PID 3684 wrote to memory of 2680	3684	DEM266F.exe	110
PID 2680 wrote to memory of 1652	2680	DEM7E24.exe	112
PID 2680 wrote to memory of 1652	2680	DEM7E24.exe	112
PID 2680 wrote to memory of 1652	2680	DEM7E24.exe	112
PID 1652 wrote to memory of 908	1652	DEMD702.exe	114
PID 1652 wrote to memory of 908	1652	DEMD702.exe	114
PID 1652 wrote to memory of 908	1652	DEMD702.exe	114
PID 908 wrote to memory of 4980	908	DEM2F44.exe	116
PID 908 wrote to memory of 4980	908	DEM2F44.exe	116
PID 908 wrote to memory of 4980	908	DEM2F44.exe	116

C:\Users\Admin\AppData\Local\Temp\09f612804dc52cb93587c62135351097_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09f612804dc52cb93587c62135351097_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\DEMC1BA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC1BA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Users\Admin\AppData\Local\Temp\DEM266F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM266F.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Users\Admin\AppData\Local\Temp\DEM7E24.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7E24.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Users\Admin\AppData\Local\Temp\DEMD702.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD702.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Users\Admin\AppData\Local\Temp\DEM2F44.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2F44.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\DEM86DA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM86DA.exe"
        7⤵
        Executes dropped EXE
        
        PID:4980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM266F.exe

Filesize
15KB

MD5
291efc49f1e557d133ad95c6e204f3a6

SHA1
a6282c380d606f02735bc2c2f74f327e99234edd

SHA256
a0ed7766884298a106c828fdb39cfb4cd8438eeb05c25162128f1831cb8a14c5

SHA512
d94dcb39c44112d2e7caf4c6ed4c3f60bdc599e96abb8833cbfccef30d9caef346634990159d377647731727f544ad35dcb41948aa6dde69fc120ea08a8abef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2F44.exe

Filesize
15KB

MD5
8589f7eb7cb3074cffd2bdcab3ba6eed

SHA1
fd191bde68092d7fd0c125912632ceb40d80c487

SHA256
48aaadc4a1f585cbf6d042f7126079d5ce2f6478a8b5457381bb9466a1f71b15

SHA512
91ad14f7a88d24628ac7828e9f0640fb42f0375bb792214aeb151f1be59ab6fedc3d552538b09ebcdec1104a8fa027c153898b7afea5f192de8fcc47ce09d294

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7E24.exe

Filesize
15KB

MD5
f6b0eee98a8c2094ac51c048687e773f

SHA1
1bfe4ad7204420efe464cc10a02ab723ee264274

SHA256
c612d49d72d6fccf41424d8b289a5fc7f087c4485eb3fe2189ef778667bddb32

SHA512
3badbd3cb95a5bfc9c1152a070b408a4e77d51c51bb4e3adcd5ed629d79e89989c8fe4496d874bdb2308842917f8a34c4eb041480dd92c0a28f4e7757bddeb4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM86DA.exe

Filesize
15KB

MD5
c7e482f8d72ac6ca56c6d95f409e5428

SHA1
4f6428cf8ec9a1f2480bee0e590484b48e92db9a

SHA256
8fe0967dc6e917b6f0bc6331c434522b409c514c6000891c33c62c9d241a9bba

SHA512
53def3ea5037b9aca98b5d377d7aee76949ecb3c91122b87176cef3a4145fa3070601d67368c3b8a87c7d554fb062983a806111eb21d0934587f50e7507cae33

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC1BA.exe

Filesize
15KB

MD5
a42ac5bfcd37e5690982cc2d86d27857

SHA1
50b13f2e46cd81e407e0555344656b646c76c04d

SHA256
9818b77e12b6eb3e2e535858dfb51a5f031086673ac533c540d2b097b8a03c94

SHA512
5ba32addaafbace5c4ec8d597657ff044486263c44b0ab7d5001b6de272ef4fd1c43d19e76957a4efb83634222102ddaab3b5ebbddc03f44d3a6a751d1235eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD702.exe

Filesize
15KB

MD5
b656ec89a54362fe9a4b668f0566c6c5

SHA1
d42466fa9534d0dc1e2fbf0359ef4d42d4faa95e

SHA256
350bfb56e8e7d6bf1c0f84db8ffacfe28da80dc9da332776d251ae30942d417f

SHA512
8b4250361e2bc237afd67a5a1d63b7323ebf3f2cf96be792d95e74a76e6c467210f30be6602fd120c9340ffccc5abb71cbf1a85fa0350fcb03076606064599d7

Download Submit

Analysis

Sharing