66db5f8b36aa1ea9da62a3d944ba382026572afcabd15c9bf88c99db5dab7255

General

Target

0a47fb34dcbb21b5141f2fb00b87beb3_JaffaCakes118.exe
Size

14KB
MD5

0a47fb34dcbb21b5141f2fb00b87beb3
SHA1

eadb4d33eb863ffdc55d8d81588a6d551bbdea58
SHA256

66db5f8b36aa1ea9da62a3d944ba382026572afcabd15c9bf88c99db5dab7255
SHA512

8d6ac2497723668ffc22f032e94632239d62e2044a654ffec4859b3f8d12f828a6c864f93d0e03e8470164526b42d6147da5ba73408bbfabc0af5f00eff5a3e1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhXt0HoV:hDXWipuE+K3/SSHgxgHk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	0a47fb34dcbb21b5141f2fb00b87beb3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM6D7F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMC719.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM1F2B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM771F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMCF13.exe

Executes dropped EXE 6 IoCs

pid	Process
3436	DEM6D7F.exe
4548	DEMC719.exe
2300	DEM1F2B.exe
2128	DEM771F.exe
1804	DEMCF13.exe
1404	DEM26D7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 3436	4176	0a47fb34dcbb21b5141f2fb00b87beb3_JaffaCakes118.exe	102
PID 4176 wrote to memory of 3436	4176	0a47fb34dcbb21b5141f2fb00b87beb3_JaffaCakes118.exe	102
PID 4176 wrote to memory of 3436	4176	0a47fb34dcbb21b5141f2fb00b87beb3_JaffaCakes118.exe	102
PID 3436 wrote to memory of 4548	3436	DEM6D7F.exe	105
PID 3436 wrote to memory of 4548	3436	DEM6D7F.exe	105
PID 3436 wrote to memory of 4548	3436	DEM6D7F.exe	105
PID 4548 wrote to memory of 2300	4548	DEMC719.exe	108
PID 4548 wrote to memory of 2300	4548	DEMC719.exe	108
PID 4548 wrote to memory of 2300	4548	DEMC719.exe	108
PID 2300 wrote to memory of 2128	2300	DEM1F2B.exe	110
PID 2300 wrote to memory of 2128	2300	DEM1F2B.exe	110
PID 2300 wrote to memory of 2128	2300	DEM1F2B.exe	110
PID 2128 wrote to memory of 1804	2128	DEM771F.exe	112
PID 2128 wrote to memory of 1804	2128	DEM771F.exe	112
PID 2128 wrote to memory of 1804	2128	DEM771F.exe	112
PID 1804 wrote to memory of 1404	1804	DEMCF13.exe	114
PID 1804 wrote to memory of 1404	1804	DEMCF13.exe	114
PID 1804 wrote to memory of 1404	1804	DEMCF13.exe	114

C:\Users\Admin\AppData\Local\Temp\0a47fb34dcbb21b5141f2fb00b87beb3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a47fb34dcbb21b5141f2fb00b87beb3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Users\Admin\AppData\Local\Temp\DEM6D7F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6D7F.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\DEMC719.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC719.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Users\Admin\AppData\Local\Temp\DEM1F2B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1F2B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Users\Admin\AppData\Local\Temp\DEM771F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM771F.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2128
      - C:\Users\Admin\AppData\Local\Temp\DEMCF13.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCF13.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\DEM26D7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM26D7.exe"
        7⤵
        Executes dropped EXE
        
        PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4204 --field-trial-handle=2700,i,14629483171127516024,12350888228055326066,262144 --variations-seed-version /prefetch:8
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1F2B.exe

Filesize
14KB

MD5
c971aaba221fe75aa9a5e4269c60706b

SHA1
c1e08160d529602d2b5e00114fa0b7b169acf846

SHA256
138b79de1ea0f47bd3d3eff01b03a8deb55f429b1b21be74e83eb4a09eb55f93

SHA512
7149cd849ee551cd0d0f205bbdf6d6527b86448b2bffc2bd7db0cc98000a1522427d48a2a0a8b1e73e29b662a963671da92c06576ef4a3c6d30dcca7e2a69dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM26D7.exe

Filesize
14KB

MD5
ddb32ede973a403e009f0b3a7d8db869

SHA1
f8fcb9bdd1f139ecc4818969d6408214fdec3629

SHA256
b2366f3e647a1ad03c59aa6923243c9a19d43da2296345a9fc29e12410ca3052

SHA512
a791e46de17bc381e2e7e3d2c5017fa32d0096b59de5b38057e329360d9ae9f316b089442738ec3af9f0a9996e327405c3a26eee42f1225b3ae233c8aba02775

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6D7F.exe

Filesize
14KB

MD5
94437a9ceca1000bd63d53c363a596f7

SHA1
bae9c92dea10230b77dfa07bab222480286227a5

SHA256
34000e8c12c773c6b8063671f2d41345dfdc70b1fabe5dfd446eda34369883c6

SHA512
a4bea44ebf3c2dfbe8701de83b556e6f00ff735058a6c89cfad27f32772dead924fb0178242be01e1275ba441114e94dac8eeb32f2378a42ec5ba5b12e162dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM771F.exe

Filesize
14KB

MD5
4df08a739bbdb1113dc39cfb28b5067c

SHA1
1f3b58d2e415d9b020ccd9638a060146566c4136

SHA256
cdccf8e068043555f88416798380575c24738bbcfcb95a7c559376b288ac93ec

SHA512
fe31bc51e138d0d33b75039f4e907d6b28fb93f6d27ce23f4ddaaa17099d9151f5ac781f9cde8e1cedcb5b7d66f3d711678700d360892f3227bdb190776a98a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC719.exe

Filesize
14KB

MD5
722afd5407404fef6b69b1dbfac9e5ac

SHA1
89ab0c5d7dc12a2be3e5cc09bd143a01e4618203

SHA256
b65d5bed8f04fd87405e5b2f600ffaef6d89af5681a43992c142665716c4372d

SHA512
7da55a03566c7e505d4b0eb60ed31118a0f792de9f903835fd41e2450652f8aa447a138c239f3d812122e4c2dd9b1a550d74fd8e51e8f43aeefb68f48ddfee7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCF13.exe

Filesize
14KB

MD5
0f0b65c11418f18daf9386fa5a881891

SHA1
012eb2dfb600470daf424ff618fa442d4b67e0c0

SHA256
8c41a450b198bb3c173c05acc5bb47407fd5dd7b8965a02f7184d8e40a0ad3b2

SHA512
8af543c0ba1731296ce79da09647a4de3ec7680cf11e73956669e9d9896df2f74626b33eba9c1035fe3ea3343503d736d7dc652b469712bdfc1a8c389a3af108

Download Submit

Analysis

Sharing