6ed630061d546991665f8961d29275bd9b69f91214cf4a6a0415e9cc092049f8

General

Target

0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe
Size

15KB
MD5

0f1804021eb96820702f0ffcb3c72015
SHA1

d8ef69dc7c0a89fe11a29e3c2c77fcf60ea0e473
SHA256

6ed630061d546991665f8961d29275bd9b69f91214cf4a6a0415e9cc092049f8
SHA512

297e22ed028301c4afd23cad60e852bd9d05e6c696f32260ab712bd7e7c130284d25b9a573840eb4a8a7a0129c64def3a0c2e22990677012ede1b14f7670dd18
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyhb:hDXWipuE+K3/SSHgxmyhb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM5B01.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMB3DF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMBC3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM63D6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMBC27.exe

Executes dropped EXE 6 IoCs

pid	Process
3220	DEM5B01.exe
436	DEMB3DF.exe
1344	DEMBC3.exe
1772	DEM63D6.exe
3644	DEMBC27.exe
4400	DEM12C3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 3220	3280	0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe	103
PID 3280 wrote to memory of 3220	3280	0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe	103
PID 3280 wrote to memory of 3220	3280	0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe	103
PID 3220 wrote to memory of 436	3220	DEM5B01.exe	106
PID 3220 wrote to memory of 436	3220	DEM5B01.exe	106
PID 3220 wrote to memory of 436	3220	DEM5B01.exe	106
PID 436 wrote to memory of 1344	436	DEMB3DF.exe	109
PID 436 wrote to memory of 1344	436	DEMB3DF.exe	109
PID 436 wrote to memory of 1344	436	DEMB3DF.exe	109
PID 1344 wrote to memory of 1772	1344	DEMBC3.exe	111
PID 1344 wrote to memory of 1772	1344	DEMBC3.exe	111
PID 1344 wrote to memory of 1772	1344	DEMBC3.exe	111
PID 1772 wrote to memory of 3644	1772	DEM63D6.exe	113
PID 1772 wrote to memory of 3644	1772	DEM63D6.exe	113
PID 1772 wrote to memory of 3644	1772	DEM63D6.exe	113
PID 3644 wrote to memory of 4400	3644	DEMBC27.exe	115
PID 3644 wrote to memory of 4400	3644	DEMBC27.exe	115
PID 3644 wrote to memory of 4400	3644	DEMBC27.exe	115

C:\Users\Admin\AppData\Local\Temp\0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Users\Admin\AppData\Local\Temp\DEM5B01.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5B01.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Users\Admin\AppData\Local\Temp\DEMB3DF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB3DF.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Users\Admin\AppData\Local\Temp\DEMBC3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBC3.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1344
    - - C:\Users\Admin\AppData\Local\Temp\DEM63D6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM63D6.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1772
      - C:\Users\Admin\AppData\Local\Temp\DEMBC27.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBC27.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\DEM12C3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM12C3.exe"
        7⤵
        Executes dropped EXE
        
        PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=2264,i,7010714054498059916,1862725710331979271,262144 --variations-seed-version /prefetch:8
1⤵
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM12C3.exe

Filesize
15KB

MD5
bf22fa3d78bc0dc5d5e11cf2e82ea2b0

SHA1
873ee5ba1178a13995c4de6e3e635cc763dfae4e

SHA256
1458ca63a744f189bbbee3e9293fb4fa2c5e78bfee91bcb212bc70fb0b5ded88

SHA512
77138627171de4a57233c6a5474fcc474d6f0842343c9c16e0019a9a20576fc3950f028b0dc258126733a7a216c558fdbda87d34c4ea5a8c5c07469119eef5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5B01.exe

Filesize
15KB

MD5
83c9c1b97243cb1e3afce5ae2105b117

SHA1
5fbddf26f30894e00996fe45ea1dc240d554ce6c

SHA256
fa235d8dfa3e1107c7cce48dd7d7a80d20b1f60df744cbf7e78bd59bfae2d997

SHA512
57a3d5ac610e3cb7c64382801aa37e071f0557d8c57d7c438ba8a666a4a759c35ee95610fb523ec581f51b9a36ed2e960f78e6a78225a5c447a83a0aa4eba25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM63D6.exe

Filesize
15KB

MD5
0950bbc41f99160a8b62536dbd1d93c8

SHA1
ccbd693a5d9889c73adc86ad8118a2c8db12f52f

SHA256
9ce7e2d520fd2633c383e0da04796d62fcf5254d64700522232e75e5842249e8

SHA512
674213586bee21a9d0f1cb5a2a7480a7c9d3ca832591b28af7d227833d5b0d4a162a60e6a1ecf24364ddd0bb7f7ceae4f7f87599abfebb4a7e69a5a1e16045c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB3DF.exe

Filesize
15KB

MD5
1afffb005e82830e786a0d557dc1c039

SHA1
585cc124ca510ecdc12e68be51accaf0c78e9304

SHA256
e92a52bfa06ef58df5407ba73f1907fd9fef0b3ccebfaa51b859f1e226fbc416

SHA512
f3bfa2f1009493714dd71787b75763f887ab9c68ef693d6dbe7174be903d60d9803b0c219d76522dc6234836eed451f2125c76afa6093d8f7b50c006b7b0d447

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBC27.exe

Filesize
15KB

MD5
3275e5ec2b25271e4ed47573b362d01a

SHA1
a05ec8b01a4791e0db2a397eab33469106502cc4

SHA256
959e9f09d71e3ca26b5c2b46d484cd54ffa1f61adfd03eea61998197dccb9d30

SHA512
26e0d1c76a7cdadd40b5ab5f1149f6939a88d5a9c1845aed19d094c9b0799b1d1a5d387ddb92cc037fc8981071621ad9d8e8b4e2d0fac3e8cba8d62953df7f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBC3.exe

Filesize
15KB

MD5
aea8625b39a2352bbdc8c41e8e9db302

SHA1
bfca055e6f6aaa2c0f65b85576cbb436295d52b6

SHA256
b68fee8afaa1524ae575d653a982195aeb918ea8cf4b83e8514e07e496a05d04

SHA512
97b5a86dd6bc398ca2883e2818a320f3f27deeb5b472a7f0cd4b793bd9510b2ef07036e833ba0d5b9fdc6553b0be4f440fcd479557b7209a238c5a48c30dcd5a

Download Submit

Analysis

Sharing