Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/03/2024, 15:27

General

  • Target

    2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    2594a18b5f5379cf2af07c2071c50b5f

  • SHA1

    24cc16ab3c325f4fbf0598855b39c3bafae932d2

  • SHA256

    32c1bef8e982f91e5a91ba6cad8603148e5d6d2308e14cfc7eae2798dee47dde

  • SHA512

    52d85feb78d8eb84b44549b629ef01c8987d27e61096085112dad6acf61db285cf65b18201da33e3219dcb8df306de07bf6b410ef19d003c0a11d54473a1bd03

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4l+Lv:hDXWipuE+K3/SSHgxmH

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Reads the country code stored in the registry (the user's Control Panel\International\Geo settings), a common geofencing check used to avoid running in certain locales.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Temp\DEM4602.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4602.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3376
      • C:\Users\Admin\AppData\Local\Temp\DEM9C7E.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM9C7E.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:5012
        • C:\Users\Admin\AppData\Local\Temp\DEMF29D.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMF29D.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3756
          • C:\Users\Admin\AppData\Local\Temp\DEM48CC.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM48CC.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1692
            • C:\Users\Admin\AppData\Local\Temp\DEM9ECB.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM9ECB.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3208
              • C:\Users\Admin\AppData\Local\Temp\DEMF509.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMF509.exe"
                7⤵
                • Executes dropped EXE
                PID:1196
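The process tree above is a seven-stage chain in which each stage runs a freshly written DEM*.exe from %TEMP%, and the signature list reports "Executes dropped EXE" for the six child stages. The following script is an added example (not part of the sandbox report or the sample) that replays that detection over a constructed telemetry stream built from the PIDs, paths and MD5s printed on this page. The parent PID of the root process (0), the ordering of file-write before process-create, and the `Event` schema are assumptions; the final "polymorphic re-drop" check is a heuristic interpretation of the Downloads section (six files of identical size, all with distinct hashes), not a conclusion the report itself draws.

```python
"""Replay 'Executes dropped EXE' and dropper-chain logic over the report's process tree.
Added example; events are constructed from the PIDs/paths/hashes on the page."""
from dataclasses import dataclass

TEMP = r"C:\Users\Admin\AppData\Local\Temp"


@dataclass(frozen=True)
class Event:
    kind: str        # "proc" = process creation, "file" = file write
    pid: int         # for "proc": the new process; for "file": the writer
    ppid: int = 0    # parent PID ("proc" only); 0 for the root is an assumption
    path: str = ""   # image path ("proc") or written path ("file")


# (pid, parent pid, image name) exactly as printed in the report's process tree.
CHAIN = [
    (3036, 0,    "2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe"),
    (3376, 3036, "DEM4602.exe"),
    (5012, 3376, "DEM9C7E.exe"),
    (3756, 5012, "DEMF29D.exe"),
    (1692, 3756, "DEM48CC.exe"),
    (3208, 1692, "DEM9ECB.exe"),
    (1196, 3208, "DEMF509.exe"),
]

# Dropped-file manifest from the report's Downloads section: name -> (size in KB, MD5).
MANIFEST = {
    "DEM4602.exe": (15, "6e02c66dddb4965c7898e1a984388c0d"),
    "DEM9C7E.exe": (15, "a9fa36e59c8526cef9ff11603a34e09e"),
    "DEMF29D.exe": (15, "8bb12714ca920917b7ef8348293a9336"),
    "DEM48CC.exe": (15, "bdc74199faa113155c6bf4a4098f33ad"),
    "DEM9ECB.exe": (15, "9bd9ffcb3c28d81efe2343b701dc69e1"),
    "DEMF509.exe": (15, "2b8f63f34749476fc9c067967f3b2035"),
}


def build_events(chain=CHAIN):
    """Constructed telemetry: each parent writes its child's image, then spawns it
    (the write-before-spawn ordering is an assumption for this example)."""
    events = []
    for pid, ppid, name in chain:
        path = f"{TEMP}\\{name}"
        if ppid:
            events.append(Event("file", ppid, path=path))
        events.append(Event("proc", pid, ppid, path))
    return events


def executes_dropped_exe(events):
    """(pid, image, dropper_pid) for every process whose image was written earlier
    in the stream by some process; the same join as Sysmon event 11 -> event 1."""
    written_by = {}                       # lower-cased path -> writer pid
    hits = []
    for ev in events:
        key = ev.path.lower()
        if ev.kind == "file":
            written_by[key] = ev.pid
        elif ev.kind == "proc" and key in written_by:
            hits.append((ev.pid, ev.path, written_by[key]))
    return hits


def chain_depth(events, pid):
    """Depth of pid in the process tree (root process = 1)."""
    parent = {ev.pid: ev.ppid for ev in events if ev.kind == "proc"}
    depth = 0
    while pid in parent:
        depth += 1
        pid = parent[pid]
    return depth


def dropper_chain_alert(events, min_links=3):
    """(alert, longest) where longest counts consecutive dropped-EXE executions in
    which each dropper was itself a dropped EXE; alert when >= min_links."""
    hits = executes_dropped_exe(events)
    dropper_of = {pid: dropper for pid, _, dropper in hits}
    longest = 0
    for pid in dropper_of:
        length, cur = 1, dropper_of[pid]
        while cur in dropper_of:          # walk up while the parent was dropped too
            length, cur = length + 1, dropper_of[cur]
        longest = max(longest, length)
    return longest >= min_links, longest


def polymorphic_redrop(hits, manifest=MANIFEST):
    """Heuristic: every dropped image is in the manifest, all share one size, and
    no two share an MD5, i.e. each stage emits a modified copy rather than the
    same bytes (an interpretation of the Downloads section, not a report claim)."""
    names = [path.rsplit("\\", 1)[-1] for _, path, _ in hits]
    if any(n not in manifest for n in names):
        return False
    sizes = {manifest[n][0] for n in names}
    md5s = {manifest[n][1] for n in names}
    return len(sizes) == 1 and len(md5s) == len(names)


if __name__ == "__main__":
    evs = build_events()
    for pid, image, dropper in executes_dropped_exe(evs):
        print(f"PID {pid} ran {image} dropped by PID {dropper}")
    print("chain alert:", dropper_chain_alert(evs))
    print("polymorphic re-drop:", polymorphic_redrop(executes_dropped_exe(evs)))
```

On this report the join yields six hits, the chain check reports an unbroken six-link dropper chain (the root sample is the only stage that was not itself dropped), and the size/hash heuristic fires. In production the same logic runs over Sysmon or EDR file-create and process-create events keyed on normalised image path; the path normalisation matters because Windows is case-insensitive and droppers often vary case.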

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM4602.exe

    Filesize

    15KB

    MD5

    6e02c66dddb4965c7898e1a984388c0d

    SHA1

    22afb21cf5e01ce4e579fd37d5abace5e91a012c

    SHA256

    6d0a55f03d6fb52089b75de77a521bdaa1c894a6489e09620ffcf91d94a63f6e

    SHA512

    d42ed48b11bbc13dd44d0d32d15749a5d0e51e7da7317ec36f5436506fe817d7cba00be03636206c4687135a8564268a3afbbff95f82726f97f722a23dc8a04c

  • C:\Users\Admin\AppData\Local\Temp\DEM48CC.exe

    Filesize

    15KB

    MD5

    bdc74199faa113155c6bf4a4098f33ad

    SHA1

    d34761e800aae3495c7937544b5c0079b6b5efbf

    SHA256

    193ad07818016dab4c51855619ae353d0a047b82f1da8f18438448a8afe7a876

    SHA512

    8b47f608eac5ebcc4eb78b8bf49366e36d1e44cc227486d58622c49010aee2ca734150b89b170e45d0939d7e439a0a5b1e65fe1e645a669a671322d8734301f3

  • C:\Users\Admin\AppData\Local\Temp\DEM9C7E.exe

    Filesize

    15KB

    MD5

    a9fa36e59c8526cef9ff11603a34e09e

    SHA1

    a935b91d93515be3da3236a038a1fd1e0f734f8d

    SHA256

    14344954ffef3811b61c7fd453334d1299328081a92c059412134fea5d8dace1

    SHA512

    a808f716aae8823a100b5d03bd0756bc68d12719edbbb1d430a3883e64cc179335ffde7f475d2efe96637385425e2917cd6ad01a6dd9cd83b6df90655027ebec

  • C:\Users\Admin\AppData\Local\Temp\DEM9ECB.exe

    Filesize

    15KB

    MD5

    9bd9ffcb3c28d81efe2343b701dc69e1

    SHA1

    ee0586b6eee3294da0ce5c7a86e4b1170678d2bc

    SHA256

    7bb2f30bcbfbc2fdbf080b1310721a57a2b7711cf4d41a290f893edb71fc8352

    SHA512

    049f36d49c25818b535d1c1aa2129fc27522a20d791253dcc72d7feab50fb3c960ecb08f68baab3812a2baee6bcb018b4080b3e62d7f501e68404f1100545403

  • C:\Users\Admin\AppData\Local\Temp\DEMF29D.exe

    Filesize

    15KB

    MD5

    8bb12714ca920917b7ef8348293a9336

    SHA1

    ab2ce3671783a16bfaa57e22a5018b0d450a0240

    SHA256

    af6d20126c7776c03fa0ad02a316388bfc1c440bc0b6f1601abc00ed8ca28426

    SHA512

    a5a242f91e414bd2f4c086809bf6b5c04718c380ebff403ce68e59d810cfddab79cbf4598842d42f6bfa14a1e29ccfc08483f83d3271fcf3ae0f20067534e8f2

  • C:\Users\Admin\AppData\Local\Temp\DEMF509.exe

    Filesize

    15KB

    MD5

    2b8f63f34749476fc9c067967f3b2035

    SHA1

    fdcc1b9262c268a01808e90514686b2e9f8a9111

    SHA256

    c751b953f8c6ed7516301ab819cdb2360f8c74955c42006358287e3957eb0a1d

    SHA512

    80a4023d6e4828724258d50f1f51724b24dc1357f746edd4348f18323804d5f0f55b9be64aab0e07c325eb728aa142292504edd56380c1386eac8bd20bb443c4