26c40d8c8cc49cb7e02d499bc2f56db9fcb306d4a0000f70ebb965ac39b9983b

General

Target

17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe
Size

14KB
MD5

17db07e7cbcc9e18cffcb8e7d7980700
SHA1

4e4e85dbe6b3db5911eb6428e35e73652e34f0df
SHA256

26c40d8c8cc49cb7e02d499bc2f56db9fcb306d4a0000f70ebb965ac39b9983b
SHA512

615ac4927d0a516e00f071a6e8e1fc103144f34a721a2bf487fe64319e03e7c80751c198016a2d0d5c07ec5e74508cde18f9542c1edbb292068854bb85d2de65
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYRAI:hDXWipuE+K3/SSHgxmj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM6428.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMD532.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM2C4B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM8354.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMDAEA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
2068	DEM6428.exe
4312	DEMD532.exe
1280	DEM2C4B.exe
1892	DEM8354.exe
4580	DEMDAEA.exe
3412	DEM3212.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2068	2400	17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe	102
PID 2400 wrote to memory of 2068	2400	17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe	102
PID 2400 wrote to memory of 2068	2400	17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe	102
PID 2068 wrote to memory of 4312	2068	DEM6428.exe	106
PID 2068 wrote to memory of 4312	2068	DEM6428.exe	106
PID 2068 wrote to memory of 4312	2068	DEM6428.exe	106
PID 4312 wrote to memory of 1280	4312	DEMD532.exe	108
PID 4312 wrote to memory of 1280	4312	DEMD532.exe	108
PID 4312 wrote to memory of 1280	4312	DEMD532.exe	108
PID 1280 wrote to memory of 1892	1280	DEM2C4B.exe	110
PID 1280 wrote to memory of 1892	1280	DEM2C4B.exe	110
PID 1280 wrote to memory of 1892	1280	DEM2C4B.exe	110
PID 1892 wrote to memory of 4580	1892	DEM8354.exe	112
PID 1892 wrote to memory of 4580	1892	DEM8354.exe	112
PID 1892 wrote to memory of 4580	1892	DEM8354.exe	112
PID 4580 wrote to memory of 3412	4580	DEMDAEA.exe	114
PID 4580 wrote to memory of 3412	4580	DEMDAEA.exe	114
PID 4580 wrote to memory of 3412	4580	DEMDAEA.exe	114

C:\Users\Admin\AppData\Local\Temp\17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\DEM6428.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6428.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\DEMD532.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD532.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\DEM2C4B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2C4B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1280
    - - C:\Users\Admin\AppData\Local\Temp\DEM8354.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8354.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1892
      - C:\Users\Admin\AppData\Local\Temp\DEMDAEA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDAEA.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\DEM3212.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3212.exe"
        7⤵
        Executes dropped EXE
        
        PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2256,i,18272763564106695635,11201593968620719822,262144 --variations-seed-version /prefetch:8
1⤵
PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2C4B.exe

Filesize
15KB

MD5
174a31608a51c2ea8c3e6292ce50b2e5

SHA1
82b19a09c50bad2bdb34a190838f839a25b87aca

SHA256
cffcf983acc0cc614c682b82b95c7312cdaf70f3fc3939d5fceb636ad0e6abcd

SHA512
8c04973432c190c7ff1a4c3ec8f6647abb94336e12efa25aa85733acf5945b876c8fe9a8c4247f401657b314679b2d483b19ea91e1657c674fae8ca3433e5c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3212.exe

Filesize
15KB

MD5
ad8a367e3c3e7099508484fa17d64d57

SHA1
ba7b2965c320a333ef8d188667feab18e239e231

SHA256
5f2795e94cf55a434fd1f9f1e0c43af619fbd15d8eafece53e5c007282a2d57b

SHA512
05402af2631c407102d6e1fa156dee40b75036e86bb824bafe918e51960fd9c227d4c26cada34afbf55e58aab514f4eb70006371815406fb211d679ea3706587

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6428.exe

Filesize
14KB

MD5
a9110c1f84442611d80619fd78adfa3a

SHA1
3481b90aec738cf9e24382104d7b7c1052fca15d

SHA256
a6c56d4b5e0f57ed41d7b9c82ca343a9d986d1ebab1d41ce07c6051e165ddb5b

SHA512
6d00c9739a5c6f05971acdeaf1651b1610c020899e95ed20ffcd369365856ed372c5c50bad2b1b41d7c14788701b53915e1adc136fb7d23bc25aedf05e82a00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8354.exe

Filesize
15KB

MD5
494cf1862ed9470701ec712ad89752e9

SHA1
56b28b60b14521d4646a970c65352de3239b5211

SHA256
4ebc1a9b8ec2384b75928d2f6480e4ef019b55715d5f44aef5676dd90b4930e8

SHA512
f70ea824c6206bd15af550a398c7a95b467a453647047790e3280c464550a8981979edbd3610f6bcc3e78c73965a34d21f6cfa1ab7f80803bfd7cecdbb28f126

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD532.exe

Filesize
15KB

MD5
1e6badf582ddf1adf3b476ff153cf7d3

SHA1
2ee3b85db3ac2b7cb50862b3293daf59e9ccaf90

SHA256
327587d217d8a481f59ca27599775be12fb66ceee62e495005957cc59484f076

SHA512
42b0d0e8bf8d9b3891b39b3eef2e750af6cae0455a443b1619ee482b10763b818fb62421a612521386f332f8702e666c218a5307df609583971f8d50afa1058e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDAEA.exe

Filesize
15KB

MD5
467ce5e3654f2ab0cd66ffdf0e49cd15

SHA1
8ecc91a678a03db2b827b2989c87bc9a8e2eb87a

SHA256
e38491741084566a49a0eb6503f6ee47fccb015adea38da3a3e511b4307ba4e2

SHA512
daf835e3a8fcfc491621b0924f6f4ecca3437c3e5be505543b00d13b8a9225ec3711e2b29c53677c915829b098aa5430500e7cc0403f9d76dd278dbdbae064f6

Download Submit

Analysis

Sharing