Analysis

  • max time kernel
    150s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/03/2024, 14:02

General

  • Target

    23eb3df84269b7dece78a7777523e300_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    23eb3df84269b7dece78a7777523e300

  • SHA1

    f4ff028d2196d28baefab4c58c266afe25138ce8

  • SHA256

    1f7da0bd7f0a915575c9bc9da281022fc63982644c2dec2f24494864b112b9ed

  • SHA512

    844d0251a35e5a25e1554f505772a4c6713111b81ef91eb46a54ed812c511d2f5ad02b59e150ec6280e4c0fff3f7cff581a1faddb758a9bb7e4c87b24c831bde

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4X:hDXWipuE+K3/SSHgxmW

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23eb3df84269b7dece78a7777523e300_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\23eb3df84269b7dece78a7777523e300_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3764
    • C:\Users\Admin\AppData\Local\Temp\DEMA807.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMA807.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3092
      • C:\Users\Admin\AppData\Local\Temp\DEMA7.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMA7.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3356
        • C:\Users\Admin\AppData\Local\Temp\DEM57DF.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM57DF.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4436
          • C:\Users\Admin\AppData\Local\Temp\DEMAFA4.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMAFA4.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1116
            • C:\Users\Admin\AppData\Local\Temp\DEM797.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM797.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3300
              • C:\Users\Admin\AppData\Local\Temp\DEM5EA1.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM5EA1.exe"
                7⤵
                • Executes dropped EXE
                PID:4192

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM57DF.exe

    Filesize

    15KB

    MD5

    9db3ffbce7876730ab8872fbeb53ac88

    SHA1

    9f292d0d886058da632d45ae41225f902a855f70

    SHA256

    307416b160175299c4a48440bac820f725f1dd52f2a030af613defeeb668e501

    SHA512

    b5a7db5a7bbaf1c41e95f4cdced1e5758ded61f9187364287ada5d90b670cf3c0328002e38c3b01ed3599521cfbd33cc0826795ea8d3bffa6c03ae08e058f82b

  • C:\Users\Admin\AppData\Local\Temp\DEM5EA1.exe

    Filesize

    15KB

    MD5

    071eac8d54b3aa7433893d9bc5efbd0f

    SHA1

    d8d580243703ca5364d07d8ab842e035be8a0d89

    SHA256

    eecafe5c1009628dd95ad703c25e502a1eb9a33a333146805abc05d888aa22b7

    SHA512

    ad43d23c3c4dc2c2b209603808db225be34724ceaa9fbbcfa1a71cb56c5cf1b034e36b48144ee5a36821d12f7e4a41f7673cf69a76ea299ca7fc7bd27fcde7d8

  • C:\Users\Admin\AppData\Local\Temp\DEM797.exe

    Filesize

    15KB

    MD5

    2dbe80535d30c8546089ac09a9cb1d53

    SHA1

    01f4d2d76cd92a3b6a43de2482d73773ebf13607

    SHA256

    e7da201280dd9b97d1be16507784eb4aaa69cad3e809bc5f31b17ed0b8cf70a9

    SHA512

    ab3009dbc730716872f1cb1188a5dc9f956aebf87b9581217b9a300dd8b2cd489c8c01619ce457888f924f359ec551dd4cbba02299c20741b11282dc2310926f

  • C:\Users\Admin\AppData\Local\Temp\DEMA7.exe

    Filesize

    15KB

    MD5

    a172fa8b849eac4531180432e629dae7

    SHA1

    80d4497c2637f2d2ee6909b10ad8f5f5efcfb0d9

    SHA256

    28ead92a5315fa19591f45730894e4f2f09bfa06fd2e39c92fd7cab082bdcda5

    SHA512

    ea06213af46f6b8aa485f1a5b8f6164591333df7f4c70d6202ef1d90a82806dabb400a7a92e8e61eb16bf93cffdd6228be968fafc38fc75cd3d243f7654405a6

  • C:\Users\Admin\AppData\Local\Temp\DEMA807.exe

    Filesize

    15KB

    MD5

    83ab55e03cf4e5e5a120664b93c682ef

    SHA1

    8c0a42e839a26f842581ce7b2384a2bf151aab46

    SHA256

    695d0ac26f5093b5ff09eb871fa20421bac67441c17ef6770fcd5487bc530be8

    SHA512

    7f0a9ca063080eb71fad79c53831729d9026df44fca54cbb98718d867d3c24a94a0b4d25cb4a020a789df42446f855eac333b4d0de4ec0ff081a123a14fcfae1

  • C:\Users\Admin\AppData\Local\Temp\DEMAFA4.exe

    Filesize

    15KB

    MD5

    b2b8fb918c9f4b820496870c3f7bdaac

    SHA1

    eaa638133e9173dc2f8989c5692efb340c3acb58

    SHA256

    4e91984f8c3fd4e5d8529201fd8f09131068df28ded5a5cc8fc15ddbaabacf6f

    SHA512

    27ba83bfce9b988a3cd4197dd3828d132de739f43afaed7ebf90dc84cd38b04dbba917a7742c34a1403025614c864434bab75610b977b38a4d18c07ead4674ad