2c3e242ee5a6d94b2b0eef39e63dc90e564bdc15002d391ef6bcea36f34de0cf

General

Target

0a170fd332a6b77161bb4c18c179bded_JaffaCakes118.exe
Size

14KB
MD5

0a170fd332a6b77161bb4c18c179bded
SHA1

4489d151fe8e984bad6ce708998c874649b22469
SHA256

2c3e242ee5a6d94b2b0eef39e63dc90e564bdc15002d391ef6bcea36f34de0cf
SHA512

a67da547cecd8e46f19f9ddd2a3d3682bca19456a3a18d1bf8b7dc48afd36cef48b41663775d6334b613864c1595eeab75b08dcc3db47b96e4b5cddd8decddb8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv50:hDXWipuE+K3/SSHgxl50

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMCA7F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM232E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM7D44.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	0a170fd332a6b77161bb4c18c179bded_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM1131.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM721E.exe

Executes dropped EXE 6 IoCs

pid	Process
3356	DEM1131.exe
1484	DEM721E.exe
3936	DEMCA7F.exe
5012	DEM232E.exe
4912	DEM7D44.exe
3696	DEMD690.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 696 wrote to memory of 3356	696	0a170fd332a6b77161bb4c18c179bded_JaffaCakes118.exe	105
PID 696 wrote to memory of 3356	696	0a170fd332a6b77161bb4c18c179bded_JaffaCakes118.exe	105
PID 696 wrote to memory of 3356	696	0a170fd332a6b77161bb4c18c179bded_JaffaCakes118.exe	105
PID 3356 wrote to memory of 1484	3356	DEM1131.exe	108
PID 3356 wrote to memory of 1484	3356	DEM1131.exe	108
PID 3356 wrote to memory of 1484	3356	DEM1131.exe	108
PID 1484 wrote to memory of 3936	1484	DEM721E.exe	110
PID 1484 wrote to memory of 3936	1484	DEM721E.exe	110
PID 1484 wrote to memory of 3936	1484	DEM721E.exe	110
PID 3936 wrote to memory of 5012	3936	DEMCA7F.exe	112
PID 3936 wrote to memory of 5012	3936	DEMCA7F.exe	112
PID 3936 wrote to memory of 5012	3936	DEMCA7F.exe	112
PID 5012 wrote to memory of 4912	5012	DEM232E.exe	114
PID 5012 wrote to memory of 4912	5012	DEM232E.exe	114
PID 5012 wrote to memory of 4912	5012	DEM232E.exe	114
PID 4912 wrote to memory of 3696	4912	DEM7D44.exe	116
PID 4912 wrote to memory of 3696	4912	DEM7D44.exe	116
PID 4912 wrote to memory of 3696	4912	DEM7D44.exe	116

C:\Users\Admin\AppData\Local\Temp\0a170fd332a6b77161bb4c18c179bded_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a170fd332a6b77161bb4c18c179bded_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:696
- C:\Users\Admin\AppData\Local\Temp\DEM1131.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1131.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Users\Admin\AppData\Local\Temp\DEM721E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM721E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\DEMCA7F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCA7F.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Users\Admin\AppData\Local\Temp\DEM232E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM232E.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5012
      - C:\Users\Admin\AppData\Local\Temp\DEM7D44.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7D44.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\DEMD690.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD690.exe"
        7⤵
        Executes dropped EXE
        
        PID:3696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3984 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1131.exe

Filesize
14KB

MD5
9816f3746130767f98cd8a9c0aec4102

SHA1
59e5d05299d7ce70c7b0668f255b1fb7ce8d756b

SHA256
67dae592ac10177077260e04004dd5a4f788dec84d6246a16b67f6ba65f1a938

SHA512
37907fc049781e65302d4d4cd6df8f24c053639262c4e889c40a81ee00946d1625ed9a1a79a917d2b31103ab637e971619c481eaef127c64110ad1f2e018c65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM232E.exe

Filesize
14KB

MD5
585284a0ee153b829ee3c6fb007847c7

SHA1
e7f79d15074dccca6c2d04ed9d18cede7065fc2a

SHA256
d5986950148cb6c5efab54b638109739698dcf651e7c96204d5902ee6cefe074

SHA512
472763b0490f785c9645d99797c98efe4b9090b527c1b5482eaa64e91c6cdaf46da79d319113682020f6d06da6fe7d540f89677030dbb7e84b8e54bfb0a57cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM721E.exe

Filesize
14KB

MD5
57bd15d0f5ac25c9653c3db3ca77061d

SHA1
01c0fb30b489d341ed182d5d020310e60b977ca7

SHA256
703a9647f33c137a0a105544ade2635134fb4ca95c030351e67c9d403a83d261

SHA512
93421bbb18a2749c456b38cb41082c13d1f0ba917bb6d70d8aa5a617c8780a76a538939f8a16090cdc2efa43fdb45b4c0ab5296df6d435d44c8d22546722f139

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7D44.exe

Filesize
14KB

MD5
ef40c4b570a883ed2012bc4609a46d10

SHA1
2bc4d8596a0ec823bad61ba00ebd3bd07168706e

SHA256
46b2f355578ae7ab776b214aac2f6543044a82a7fcab3cf238a4ef0ea29b0e83

SHA512
ebc2bbbdbc26ad15ee75c6301d00b2e73d2e6427dd04972b85d05fcd2a5f6c280ad42e2ca53e1ac98734a3b2e875cc7b7b9f46acbeff9306db5a1c4031dc4216

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCA7F.exe

Filesize
14KB

MD5
722300b0528cf7df30cb130c6e1579cd

SHA1
bf7a2b2cd609aa8bcc23ac8bd9d977eb79985d6a

SHA256
8a9712f3066f66352ece630fd6bb30a5e0585c4ebe183bd749f1850da3bf414c

SHA512
d5974fff95d472e70addb777b1797fcc3a469375cdd5a827c5fcf1717559c51fd7bf6600f5edabaa6e825621a250cf92721f9b48864e5c047749ffea412d512c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD690.exe

Filesize
14KB

MD5
2297b012d0e586764b2377a2949f3426

SHA1
28f6fbfada06e10a55bd278445ecb7071f76725f

SHA256
937142c9cddf57e20fe12bd283129dd1ad02f6d857aebd6799fae38c90e6d5f1

SHA512
b82de87f703bb90d80e653a81e1d8ef1032ecd9a0b0af40ed705d1c68b71ba1318866bc62333f790c98feb02bcfede4cc13310ab8d8c136f6b8f2b5aa70222c0

Download Submit

Analysis

Sharing