4518b0fbd154e48997f7893d76ac91556ec762268095863348235333801e7264

General

Target

156859d274545c043c3e7a8e201d9c99_JaffaCakes118.exe
Size

16KB
MD5

156859d274545c043c3e7a8e201d9c99
SHA1

c5c66160478520b06eac1071ae2ce4852dc34075
SHA256

4518b0fbd154e48997f7893d76ac91556ec762268095863348235333801e7264
SHA512

58f404b0e630b34fe53ae022a7c369c2674777a3d840fb0ef52bcba71911a026dea9215374f5916cb49775cdbfbe40928b947521ba7ff542c058862ee0472689
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlh:hDXWipuE+K3/SSHgxmlh

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMC6F5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	156859d274545c043c3e7a8e201d9c99_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM67B3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMC0EE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM1846.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM6EB3.exe

Executes dropped EXE 6 IoCs

pid	Process
1576	DEM67B3.exe
2876	DEMC0EE.exe
4376	DEM1846.exe
3008	DEM6EB3.exe
4000	DEMC6F5.exe
4360	DEM1E4C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 1576	64	156859d274545c043c3e7a8e201d9c99_JaffaCakes118.exe	109
PID 64 wrote to memory of 1576	64	156859d274545c043c3e7a8e201d9c99_JaffaCakes118.exe	109
PID 64 wrote to memory of 1576	64	156859d274545c043c3e7a8e201d9c99_JaffaCakes118.exe	109
PID 1576 wrote to memory of 2876	1576	DEM67B3.exe	114
PID 1576 wrote to memory of 2876	1576	DEM67B3.exe	114
PID 1576 wrote to memory of 2876	1576	DEM67B3.exe	114
PID 2876 wrote to memory of 4376	2876	DEMC0EE.exe	118
PID 2876 wrote to memory of 4376	2876	DEMC0EE.exe	118
PID 2876 wrote to memory of 4376	2876	DEMC0EE.exe	118
PID 4376 wrote to memory of 3008	4376	DEM1846.exe	120
PID 4376 wrote to memory of 3008	4376	DEM1846.exe	120
PID 4376 wrote to memory of 3008	4376	DEM1846.exe	120
PID 3008 wrote to memory of 4000	3008	DEM6EB3.exe	129
PID 3008 wrote to memory of 4000	3008	DEM6EB3.exe	129
PID 3008 wrote to memory of 4000	3008	DEM6EB3.exe	129
PID 4000 wrote to memory of 4360	4000	DEMC6F5.exe	131
PID 4000 wrote to memory of 4360	4000	DEMC6F5.exe	131
PID 4000 wrote to memory of 4360	4000	DEMC6F5.exe	131

C:\Users\Admin\AppData\Local\Temp\156859d274545c043c3e7a8e201d9c99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\156859d274545c043c3e7a8e201d9c99_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:64
- C:\Users\Admin\AppData\Local\Temp\DEM67B3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM67B3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\DEMC0EE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC0EE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\DEM1846.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1846.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4376
    - - C:\Users\Admin\AppData\Local\Temp\DEM6EB3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6EB3.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Users\Admin\AppData\Local\Temp\DEMC6F5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC6F5.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\DEM1E4C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1E4C.exe"
        7⤵
        Executes dropped EXE
        
        PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4572 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8
1⤵
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1846.exe

Filesize
16KB

MD5
258d67f8105115ce9edc6aa9a2c72bfb

SHA1
0d4f6f1c4e1fb0e55a6a037ee74a32036dae1492

SHA256
22bef3fbbb3fc5ead888db8d3ac72a67c80895f1a5dd2001b9da70d384dfb91b

SHA512
a94fab9dd1c7280e6188d96af73a9a5cbbe9b1a5a347802fed041c4ae067f3aace5971c1a47675da77edeb70091ae0efddc0f03a556162715d29d2083b926752

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1E4C.exe

Filesize
16KB

MD5
bdbd7194dfba4a250b4b82ef500e8b42

SHA1
1d827fdf2e6c5d8f2a0d89c327c1eec0962a172b

SHA256
9bc764d91c3de63f1078ddb7ef60ab513acf36366c3967bf7271a624d8000fd9

SHA512
2a03e05e773f5435a098f3ef6920ffab1186341946a243dd2e410184a4e1f966228dd86f2c5d03e6106788fe49733e0b5074efc9d789ae0cb717e9a5cfc03850

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM67B3.exe

Filesize
16KB

MD5
125ecac1c4e62953d25ba8b8f50fcdf1

SHA1
83cb0565dd47ecd7dc09a1c5e99e943485fc5b03

SHA256
310fd5d87d68a002e53938836437a33b1540bdd6d9c563b6106afe017eeb17a5

SHA512
99a216a948910e4b09b560894cff99832203fc30094e1b4644d0ccb9241c01415ec71933fa08c1816edc57821d1d4e6582e263615794e023a4430d3d6c817abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6EB3.exe

Filesize
16KB

MD5
d5540d720263e1151445b3471965c4a7

SHA1
e6207d7ab625541231775dd7336f8161c2092196

SHA256
5f2e5d1de49f42860857f1bd421ea59ae912f4a64298dfd5cc9651fa98bceccc

SHA512
08ae35dc60c875968acaea588196ca5618acf5d67f9ef6ad89ccff0f599bcf5a3c0b3c084b6bb1ee7244c63d093dd606ccf2c1788e50197d97802e93c1fa9d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC0EE.exe

Filesize
16KB

MD5
125808fe67af08e495b19a1cf0579b02

SHA1
624d1539eaaaa2f420d769e60ca0d429ef837288

SHA256
21d5da3acff08ba5534cefd5192c56d5b5881a2c33d825f6e18590b137a2b76e

SHA512
a63e645c51a689d6ed8de721653af1e90631061d01fff10355f1c42f8b62b6a9264b5f65b13b7cfe6fe5c9ec19c542356c7fa58002df8dc252b7bc092b7e19d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC6F5.exe

Filesize
16KB

MD5
10bb2b11408b20aeb09c9349d29b47d4

SHA1
95ef552f8e86f1bf6544e349af7cf40028458f94

SHA256
5df6c9d53f6abf2236de7e356e8541cc897ac7ef19bea40675b30ba182d3b647

SHA512
0d8b5611698212ee4576226dc3f5a451881b48cc0d14e813324dfb9919afbc9d2f675f4ad485b9b2f76da95a8a075440497772ee9552e082c07a60c8985efdfc

Download Submit

Analysis

Sharing