e539f0b9c616afd160e0388e3741c14d507ca116f2216661244d93fea0cc3503

General

Target

1c50ed2b0b2b65c87f81c6292e4ba98b_JaffaCakes118.exe
Size

14KB
MD5

1c50ed2b0b2b65c87f81c6292e4ba98b
SHA1

9055163334c953b74882c4b2f5ad43769fd920e3
SHA256

e539f0b9c616afd160e0388e3741c14d507ca116f2216661244d93fea0cc3503
SHA512

c0c1844a0a55d836e03c6467ac27338e7cf8dfea08e170bc11520f3c8ce350831168168bca758727e519d3c675accdc703566822272cbbebd9b9a4689feebf40
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhh7Ik:hDXWipuE+K3/SSHgxz8k

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMB987.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM11D8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM6BA1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	1c50ed2b0b2b65c87f81c6292e4ba98b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM470.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM6126.exe

Executes dropped EXE 6 IoCs

pid	Process
4256	DEM470.exe
1588	DEM6126.exe
2500	DEMB987.exe
1612	DEM11D8.exe
2364	DEM6BA1.exe
2380	DEMC460.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 4256	680	1c50ed2b0b2b65c87f81c6292e4ba98b_JaffaCakes118.exe	104
PID 680 wrote to memory of 4256	680	1c50ed2b0b2b65c87f81c6292e4ba98b_JaffaCakes118.exe	104
PID 680 wrote to memory of 4256	680	1c50ed2b0b2b65c87f81c6292e4ba98b_JaffaCakes118.exe	104
PID 4256 wrote to memory of 1588	4256	DEM470.exe	108
PID 4256 wrote to memory of 1588	4256	DEM470.exe	108
PID 4256 wrote to memory of 1588	4256	DEM470.exe	108
PID 1588 wrote to memory of 2500	1588	DEM6126.exe	110
PID 1588 wrote to memory of 2500	1588	DEM6126.exe	110
PID 1588 wrote to memory of 2500	1588	DEM6126.exe	110
PID 2500 wrote to memory of 1612	2500	DEMB987.exe	112
PID 2500 wrote to memory of 1612	2500	DEMB987.exe	112
PID 2500 wrote to memory of 1612	2500	DEMB987.exe	112
PID 1612 wrote to memory of 2364	1612	DEM11D8.exe	114
PID 1612 wrote to memory of 2364	1612	DEM11D8.exe	114
PID 1612 wrote to memory of 2364	1612	DEM11D8.exe	114
PID 2364 wrote to memory of 2380	2364	DEM6BA1.exe	116
PID 2364 wrote to memory of 2380	2364	DEM6BA1.exe	116
PID 2364 wrote to memory of 2380	2364	DEM6BA1.exe	116

C:\Users\Admin\AppData\Local\Temp\1c50ed2b0b2b65c87f81c6292e4ba98b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c50ed2b0b2b65c87f81c6292e4ba98b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:680
- C:\Users\Admin\AppData\Local\Temp\DEM470.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM470.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Users\Admin\AppData\Local\Temp\DEM6126.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6126.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\DEMB987.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB987.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Users\Admin\AppData\Local\Temp\DEM11D8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM11D8.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Users\Admin\AppData\Local\Temp\DEM6BA1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6BA1.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\DEMC460.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC460.exe"
        7⤵
        Executes dropped EXE
        
        PID:2380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM11D8.exe

Filesize
14KB

MD5
2318df6149470aa09d73d749ad8eb6a5

SHA1
43c7351b19ffbf899725dcc18f19f24238ceb3c0

SHA256
622bfc1ff77a8ac41aa1a15272c5427d64975a8f35881b555f4c68cc8845f897

SHA512
ad6d25c5a389c762d797ed6a2fd1abf824899d6a0bf001d9767faad5b14a5f3aa99161882f007e73eeac884ffddecf569d53141d6e7e99703067a0c7df4e51a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM470.exe

Filesize
14KB

MD5
40d8cd346ffb88a09e6051713622a5db

SHA1
a837e7dd07cc5520ce5a773ea128f80944dce3f3

SHA256
6130004cceb7891fffd7069f6c918f3c448ad58e897e4605db69f711b2c14b7a

SHA512
609a664b02a1bf08bdd7c77b8291e14ebcde57df2d5688fd3b5bfd3e27373e3899d6aee8468718c9f92f776594cc3307f4c63948cfbffc71eb5c2362b89658d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6126.exe

Filesize
14KB

MD5
49d799057d3b91507df5df560fed12c5

SHA1
cd81b2fab18998fdd386f31c6a7c0173c7943632

SHA256
51bfdf9d52b03888f54e66db10dac2b52a52fe7789caecb352e0bc44c3b8daf7

SHA512
cfda652bc33595583db04c1a59c05c92f8604ace4a45382b89ad0630a5e6bf18cdd52bd28b2332d58b1d0468c53efda1567055fd58fc0da6ec46b7022edca2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6BA1.exe

Filesize
14KB

MD5
129d2c755fda6e972fa1c643d79cb5ce

SHA1
8797f0e01b061f2082e1f650e1f2811abf0cb0ac

SHA256
b0c235b04ba8f09e1e0027b3e9a7c0d62a429fdef78767697a2350be94cf7b4f

SHA512
a1c0419db893a176ea6a3122cdc4ebbe91893054d6c48756a891f9d18aa4a0d4dae736afef611a06856178f85b35480f60e436e09c3db70f88c7c8527c9ee256

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB987.exe

Filesize
14KB

MD5
ebb3572ee3b0efc2565f4ee78612bb53

SHA1
d8266c96ae64ed1a9ab77a70ef27f6ad01b57703

SHA256
ba9624b3f7373ce3bf28372f02d9599008fe78d71df88d218ab936dd99b1558a

SHA512
4648d15f1d093ae56e21975057554e133e1f943425cee7de35059f6b4cda3a0afb91388bd488f38f2f6daecfc62efb029966326cc97f95a77d679e7fef421b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC460.exe

Filesize
14KB

MD5
d4103772e7f25c984b672062683e1aff

SHA1
161e272d8f0f95a50eb6ad5a4c8f4af061f399ab

SHA256
cfb097aa8c6f92eb036b39b4c593138200380f41c1ece769513cbd4cc560093a

SHA512
98069b178f45c75dbfb8edd9b6a9aa185b7684a5909f668d0f657a97f3f27008fe9c34d7755185642251ee96dc915fa47a4880b44ee5b8a1241a953abcbe056f

Download Submit

Analysis

Sharing