Analysis
max time kernel: 142s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/03/2024, 04:01
Static task: static1
Behavioral task: behavioral1
  Sample: 17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe
Size: 14KB
MD5: 17db07e7cbcc9e18cffcb8e7d7980700
SHA1: 4e4e85dbe6b3db5911eb6428e35e73652e34f0df
SHA256: 26c40d8c8cc49cb7e02d499bc2f56db9fcb306d4a0000f70ebb965ac39b9983b
SHA512: 615ac4927d0a516e00f071a6e8e1fc103144f34a721a2bf487fe64319e03e7c80751c198016a2d0d5c07ec5e74508cde18f9542c1edbb292068854bb85d2de65
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYRAI:hDXWipuE+K3/SSHgxmj
Malware Config
Signatures
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | DEM6428.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | DEMD532.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | DEM2C4B.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | DEM8354.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | DEMDAEA.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | 17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe

Executes dropped EXE (6 IoCs)
pid | Process
2068 | DEM6428.exe
4312 | DEMD532.exe
1280 | DEM2C4B.exe
1892 | DEM8354.exe
4580 | DEMDAEA.exe
3412 | DEM3212.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 2400 wrote to memory of 2068 | 2400 | 17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe | 102
PID 2400 wrote to memory of 2068 | 2400 | 17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe | 102
PID 2400 wrote to memory of 2068 | 2400 | 17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe | 102
PID 2068 wrote to memory of 4312 | 2068 | DEM6428.exe | 106
PID 2068 wrote to memory of 4312 | 2068 | DEM6428.exe | 106
PID 2068 wrote to memory of 4312 | 2068 | DEM6428.exe | 106
PID 4312 wrote to memory of 1280 | 4312 | DEMD532.exe | 108
PID 4312 wrote to memory of 1280 | 4312 | DEMD532.exe | 108
PID 4312 wrote to memory of 1280 | 4312 | DEMD532.exe | 108
PID 1280 wrote to memory of 1892 | 1280 | DEM2C4B.exe | 110
PID 1280 wrote to memory of 1892 | 1280 | DEM2C4B.exe | 110
PID 1280 wrote to memory of 1892 | 1280 | DEM2C4B.exe | 110
PID 1892 wrote to memory of 4580 | 1892 | DEM8354.exe | 112
PID 1892 wrote to memory of 4580 | 1892 | DEM8354.exe | 112
PID 1892 wrote to memory of 4580 | 1892 | DEM8354.exe | 112
PID 4580 wrote to memory of 3412 | 4580 | DEMDAEA.exe | 114
PID 4580 wrote to memory of 3412 | 4580 | DEMDAEA.exe | 114
PID 4580 wrote to memory of 3412 | 4580 | DEMDAEA.exe | 114
Processes
1. C:\Users\Admin\AppData\Local\Temp\17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\17db07e7cbcc9e18cffcb8e7d7980700_JaffaCakes118.exe"
   PID: 2400
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\DEM6428.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\DEM6428.exe"
     PID: 2068
     - Checks computer location settings
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\DEMD532.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\DEMD532.exe"
       PID: 4312
       - Checks computer location settings
       - Executes dropped EXE
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\DEM2C4B.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEM2C4B.exe"
         PID: 1280
         - Checks computer location settings
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Local\Temp\DEM8354.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\DEM8354.exe"
           PID: 1892
           - Checks computer location settings
           - Executes dropped EXE
           - Suspicious use of WriteProcessMemory
          6. C:\Users\Admin\AppData\Local\Temp\DEMDAEA.exe
             Command line: "C:\Users\Admin\AppData\Local\Temp\DEMDAEA.exe"
             PID: 4580
             - Checks computer location settings
             - Executes dropped EXE
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Local\Temp\DEM3212.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEM3212.exe"
               PID: 3412
               - Executes dropped EXE
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2256,i,18272763564106695635,11201593968620719822,262144 --variations-seed-version /prefetch:8
   PID: 1252
Network
MITRE ATT&CK Enterprise v15
Downloads