dabdc10d4cb05ca35950fd529b3a08dfe9e19621e12437795268b8615202377c

General

Target

19ca53e94f4c60813da5ccf75eb14f33_JaffaCakes118.exe
Size

15KB
MD5

19ca53e94f4c60813da5ccf75eb14f33
SHA1

c3007a4f24814409eb60f32dafc4ccb1aef77d03
SHA256

dabdc10d4cb05ca35950fd529b3a08dfe9e19621e12437795268b8615202377c
SHA512

2c6fb4615cc09db3ce18002384ef2757f09e9ad2d50e3d33ebd8a53e51607d6da8a1ccdb6908b5fdeb14620a27003f1bb335c18148b420629796148c26b59f3a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/wrS:hDXWipuE+K3/SSHgxm/1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM1C6C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM7F5C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMD7EC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM309B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM8989.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	19ca53e94f4c60813da5ccf75eb14f33_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
4548	DEM1C6C.exe
2744	DEM7F5C.exe
1160	DEMD7EC.exe
620	DEM309B.exe
3100	DEM8989.exe
3960	DEME371.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 4548	1204	19ca53e94f4c60813da5ccf75eb14f33_JaffaCakes118.exe	104
PID 1204 wrote to memory of 4548	1204	19ca53e94f4c60813da5ccf75eb14f33_JaffaCakes118.exe	104
PID 1204 wrote to memory of 4548	1204	19ca53e94f4c60813da5ccf75eb14f33_JaffaCakes118.exe	104
PID 4548 wrote to memory of 2744	4548	DEM1C6C.exe	107
PID 4548 wrote to memory of 2744	4548	DEM1C6C.exe	107
PID 4548 wrote to memory of 2744	4548	DEM1C6C.exe	107
PID 2744 wrote to memory of 1160	2744	DEM7F5C.exe	109
PID 2744 wrote to memory of 1160	2744	DEM7F5C.exe	109
PID 2744 wrote to memory of 1160	2744	DEM7F5C.exe	109
PID 1160 wrote to memory of 620	1160	DEMD7EC.exe	111
PID 1160 wrote to memory of 620	1160	DEMD7EC.exe	111
PID 1160 wrote to memory of 620	1160	DEMD7EC.exe	111
PID 620 wrote to memory of 3100	620	DEM309B.exe	113
PID 620 wrote to memory of 3100	620	DEM309B.exe	113
PID 620 wrote to memory of 3100	620	DEM309B.exe	113
PID 3100 wrote to memory of 3960	3100	DEM8989.exe	115
PID 3100 wrote to memory of 3960	3100	DEM8989.exe	115
PID 3100 wrote to memory of 3960	3100	DEM8989.exe	115

C:\Users\Admin\AppData\Local\Temp\19ca53e94f4c60813da5ccf75eb14f33_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19ca53e94f4c60813da5ccf75eb14f33_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\DEM1C6C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1C6C.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Users\Admin\AppData\Local\Temp\DEM7F5C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7F5C.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\DEMD7EC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD7EC.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Users\Admin\AppData\Local\Temp\DEM309B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM309B.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:620
      - C:\Users\Admin\AppData\Local\Temp\DEM8989.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8989.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\DEME371.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME371.exe"
        7⤵
        Executes dropped EXE
        
        PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1C6C.exe

Filesize
15KB

MD5
5acc5e82331020788c884221ad631d2f

SHA1
e11a6c5ca6fe38853880f8f11cf2d5c114062aff

SHA256
91f549cf2291ea8ab6fcd8d8d15e974b94a374897522c2d8b90c6d80ca26e150

SHA512
6d3fd92cf6adb6fc2825e1142ef0ea6d7ba0737490fcdb898eeb16105e8f489c2d2f26b12969c8d3e6f0f7833f23ecfc87c6d2999f5ff79c5fbebe80c768b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM309B.exe

Filesize
15KB

MD5
4c47f7c3ab47a31a37308af813a743ed

SHA1
833336e0acad5bb1f91ddf0313ab8832ff7f7f0b

SHA256
37fdda760fbe695b2acb320c0bf6f048bb30c0c75c8903b3fd4e40d84dce90a7

SHA512
2405a8c31751a5c722d8b8dceef108d92005cb5068d3b083a8df97d30da489bec38aed10e7ec2c99281f9f129aa8aeaaca02ca0ae233697d7765e099446add30

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7F5C.exe

Filesize
15KB

MD5
784c42c7c4079e94123e3fe0e81ac35a

SHA1
fc01d4ce75830cbd2b3d8b7543e8500030c055e5

SHA256
e7d1f6c48f1f805bc930ddc14da9ff58d6923bfea5a01eadb66626e7eb1d5cc8

SHA512
96033fa64b48af64874a647a7e5d95740b2f5ba83d7a8b90d3fd73e00acb460fcb7c3bcc264fa649578b8b89a59f6d8a95e5f1b0d1457156dfc9ff7d37a275a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8989.exe

Filesize
15KB

MD5
d05439e736e115ad3197dada47931c73

SHA1
4005d801da973d66a9eef2cc256a69f03716cc2a

SHA256
b5330554e218f7426ab63ad3b6af3e6290ff1a028d91aefcd9f798d7108597ea

SHA512
fcf782f0f79f43b5b814410fa5d142126a3a488b8566959b3efefccc007f4ccea6443144641ece8c0abaea51e0c62916eafd61409311a1d55f639b450a3d84f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD7EC.exe

Filesize
15KB

MD5
ee7bc1406530a65f3359a956ecc8d23a

SHA1
570b27ac9be074ee0c7f759ab8574fc3251babdc

SHA256
81cfd4919b3df50413b7e692bae50627ad4f063bd04f19fd0edcf8ce47c1eb36

SHA512
a62b1429c4cd4b5a3d293e5878a9b30fc8fec0d66ac39d12118bee8b7da7038189ed3b6b4571b1ac7ad6a46356a0113980c6ff8268516e44efdf25e5c6a54435

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME371.exe

Filesize
15KB

MD5
135925f7c8d51e174091ba7cce961f3e

SHA1
f7fae386c45044f3a6ed4214696341901c42db1e

SHA256
72f673e7287a7c957b401913159d8c2df1eb072cb5c0292681f771d3511341e9

SHA512
2c6003ed5fc0b36d546725a9f0ee90d438031b1e8e020866cf215dbf9699d8a50e9b3ddb3c9ed781af076b3df78b7dea724172395d85daf23d380db70db09494

Download Submit

Analysis

Sharing