ec8cd1967a5a50cd6930a516d77dbe40fa8c0324550d2e8838b02d6d0bf3994d

General

Target

13bf03822363f33495128c4b919327fd_JaffaCakes118.exe
Size

15KB
MD5

13bf03822363f33495128c4b919327fd
SHA1

a35abf96f1a965b9b790ffbd8b9dc4ce06428a55
SHA256

ec8cd1967a5a50cd6930a516d77dbe40fa8c0324550d2e8838b02d6d0bf3994d
SHA512

7c91a57b8d1a935c3d090cc5a80050e1f4f4803c8595ee5efac315bfe1c2ae2f54414c80763db289acc7fa7252563d2fb42d0ed9fd6b4cfeba7f4ab94949b7c5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4l+LQ:hDXWipuE+K3/SSHgxmo

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMDC22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	13bf03822363f33495128c4b919327fd_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM7B79.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMD4C5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM2D06.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM841F.exe

Executes dropped EXE 6 IoCs

pid	Process
1116	DEM7B79.exe
3220	DEMD4C5.exe
2576	DEM2D06.exe
4216	DEM841F.exe
2932	DEMDC22.exe
4040	DEM3426.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 1116	1320	13bf03822363f33495128c4b919327fd_JaffaCakes118.exe	106
PID 1320 wrote to memory of 1116	1320	13bf03822363f33495128c4b919327fd_JaffaCakes118.exe	106
PID 1320 wrote to memory of 1116	1320	13bf03822363f33495128c4b919327fd_JaffaCakes118.exe	106
PID 1116 wrote to memory of 3220	1116	DEM7B79.exe	111
PID 1116 wrote to memory of 3220	1116	DEM7B79.exe	111
PID 1116 wrote to memory of 3220	1116	DEM7B79.exe	111
PID 3220 wrote to memory of 2576	3220	DEMD4C5.exe	115
PID 3220 wrote to memory of 2576	3220	DEMD4C5.exe	115
PID 3220 wrote to memory of 2576	3220	DEMD4C5.exe	115
PID 2576 wrote to memory of 4216	2576	DEM2D06.exe	117
PID 2576 wrote to memory of 4216	2576	DEM2D06.exe	117
PID 2576 wrote to memory of 4216	2576	DEM2D06.exe	117
PID 4216 wrote to memory of 2932	4216	DEM841F.exe	126
PID 4216 wrote to memory of 2932	4216	DEM841F.exe	126
PID 4216 wrote to memory of 2932	4216	DEM841F.exe	126
PID 2932 wrote to memory of 4040	2932	DEMDC22.exe	128
PID 2932 wrote to memory of 4040	2932	DEMDC22.exe	128
PID 2932 wrote to memory of 4040	2932	DEMDC22.exe	128

C:\Users\Admin\AppData\Local\Temp\13bf03822363f33495128c4b919327fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13bf03822363f33495128c4b919327fd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\DEM7B79.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7B79.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Users\Admin\AppData\Local\Temp\DEMD4C5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD4C5.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3220
  - - C:\Users\Admin\AppData\Local\Temp\DEM2D06.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2D06.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Users\Admin\AppData\Local\Temp\DEM841F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM841F.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4216
      - C:\Users\Admin\AppData\Local\Temp\DEMDC22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDC22.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\DEM3426.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3426.exe"
        7⤵
        Executes dropped EXE
        
        PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3504 --field-trial-handle=2260,i,4762972005863767630,9297428255150568035,262144 --variations-seed-version /prefetch:8
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2D06.exe

Filesize
15KB

MD5
99a865d1080688e205a6a30e934d72f2

SHA1
0bf9e90bd1e1f02b0d6d3905bb2055c1d709605e

SHA256
49988871057c72b704c145234ba84503e04e6de0e03f0c867cd5a4a28e5d1f5f

SHA512
55b4f5e01843afc4652073a18903a821dae583b91d1b445eef552f065917540d8821dfc7c1997b3be1e494127f28826b3a44c3af416b6445f87f3309b7259ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3426.exe

Filesize
15KB

MD5
de9dda3bfa4bb4c08a4826ad28cb34b6

SHA1
a18802d714efe56d593590a00c36326103127847

SHA256
6a6c5de1c3b32f97acb24fe2514686864984524ef06042c77c4488d0a6d9d358

SHA512
080335fe4f67da889cd14cb1d256f95ed5784a2d324d3e1d17ba23381dfdec0344c8c1348739da4cf659d3447be8425891206922a43ff02f03bb40698c71d578

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7B79.exe

Filesize
15KB

MD5
7f1ff8dfa8cda7b5366189b6eb077344

SHA1
ba27aed5c903c147a6e7850ada80ec205b18b560

SHA256
b630a19c952353729810baa3b3bbfecd01a7fcd62fded2b94ab2818f67ed4dde

SHA512
3d1aa325bd39bcaa6a284a27c86820f3a123025f66f9643b118f3929024acd4687b6874cc1ca8bd6f664ed4cb310eb569f39e1bee45f088855a2c6861d7eddaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM841F.exe

Filesize
15KB

MD5
fe9732b3bd0a53d08c040424fe7aa8f1

SHA1
6818e66b9151cc4f81569c4385f731ae209e0dfc

SHA256
7a44ce82997e6817bf587d0bd122fe8fcd1d266521820ce4f3bc442d76fe3d11

SHA512
6002c5d7a238c6f031f77e889358d9b135bbd47f4206ae61dc4660596a3cc63f3c77426bf88f0cdab7dc3001f84261afb5a3a018830ce05b6786f5462b81d136

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD4C5.exe

Filesize
15KB

MD5
6ee12be4c74a7da4c2b34b7057bbb112

SHA1
9d3a961b9a66f0b4f7b9f5fd58fbea6dd809d3bc

SHA256
c2ad1ae11c7dda813f898a98352634d416706a8f23db7f2515891777555bd732

SHA512
f76e4b17e8b065fac3a2f60c4eed53879c7be35ad33c03a1e01babd6d5a437276cce33e914c6b43813fe2e04359850b9507a64cca57afe85e0a7ea24183be26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDC22.exe

Filesize
15KB

MD5
1a390448b82c263b2eddfe68ed26764e

SHA1
693cc7d36fc81c17a606b9a5e6537e3f782c5d2f

SHA256
624b3d21477629015e91395af00376a4c8a462f4e208644af70d051f63014c49

SHA512
9db3a3e0d225bc2ad42d07109fabcfdf083d3535db6c4168e3619524b411c223d475e8b95a554ff03f9e2b37fcc25fe7e760049d8cbcd77c0b94e0f5665efc7d

Download Submit

Analysis

Sharing