fb45b34d1b6fc671871b7004e38f6fca4de51a8877e489bec4a660ba22a59e84

General

Target

26db64a8e68fc360850a9edc612ecc6f_JaffaCakes118.exe
Size

16KB
MD5

26db64a8e68fc360850a9edc612ecc6f
SHA1

30d9f9bef485f82b95f135993d5be6213fb90496
SHA256

fb45b34d1b6fc671871b7004e38f6fca4de51a8877e489bec4a660ba22a59e84
SHA512

ab76e66c36b11240e9b4c878807ce6ab188b7c76918bb0d9c7c5d27c320abd5cd6371cc5bbb47e03520a963dd8dd0de3eaac718c80a4bc1d7d6087a8012e6829
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRzI:hDXWipuE+K3/SSHgx3I

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM2EF6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM8860.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	26db64a8e68fc360850a9edc612ecc6f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM191.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM7D97.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMD6E3.exe

Executes dropped EXE 6 IoCs

pid	Process
3524	DEM191.exe
216	DEM7D97.exe
2912	DEMD6E3.exe
4044	DEM2EF6.exe
4984	DEM8860.exe
4820	DEME0F0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 3524	3100	26db64a8e68fc360850a9edc612ecc6f_JaffaCakes118.exe	104
PID 3100 wrote to memory of 3524	3100	26db64a8e68fc360850a9edc612ecc6f_JaffaCakes118.exe	104
PID 3100 wrote to memory of 3524	3100	26db64a8e68fc360850a9edc612ecc6f_JaffaCakes118.exe	104
PID 3524 wrote to memory of 216	3524	DEM191.exe	107
PID 3524 wrote to memory of 216	3524	DEM191.exe	107
PID 3524 wrote to memory of 216	3524	DEM191.exe	107
PID 216 wrote to memory of 2912	216	DEM7D97.exe	109
PID 216 wrote to memory of 2912	216	DEM7D97.exe	109
PID 216 wrote to memory of 2912	216	DEM7D97.exe	109
PID 2912 wrote to memory of 4044	2912	DEMD6E3.exe	111
PID 2912 wrote to memory of 4044	2912	DEMD6E3.exe	111
PID 2912 wrote to memory of 4044	2912	DEMD6E3.exe	111
PID 4044 wrote to memory of 4984	4044	DEM2EF6.exe	113
PID 4044 wrote to memory of 4984	4044	DEM2EF6.exe	113
PID 4044 wrote to memory of 4984	4044	DEM2EF6.exe	113
PID 4984 wrote to memory of 4820	4984	DEM8860.exe	115
PID 4984 wrote to memory of 4820	4984	DEM8860.exe	115
PID 4984 wrote to memory of 4820	4984	DEM8860.exe	115

C:\Users\Admin\AppData\Local\Temp\26db64a8e68fc360850a9edc612ecc6f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26db64a8e68fc360850a9edc612ecc6f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Users\Admin\AppData\Local\Temp\DEM191.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM191.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\DEM7D97.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7D97.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\DEMD6E3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD6E3.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Users\Admin\AppData\Local\Temp\DEM2EF6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2EF6.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4044
      - C:\Users\Admin\AppData\Local\Temp\DEM8860.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8860.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\DEME0F0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME0F0.exe"
        7⤵
        Executes dropped EXE
        
        PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2524 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM191.exe

Filesize
16KB

MD5
6642d425548f75ca655d24b9010229da

SHA1
38a17da1752d98fc13672b4e9a4d2fe1696a5b4f

SHA256
47726ea6e86a54c9bcf092d8938a7b16818443a44ac8cf65d521117669c62c8c

SHA512
0a2d8904bb53eb453330a28e23fbc5e4dcdde8a3fb93d3ccd77d96541f534f6544f17a8d66ff168753f59437cdc169c472562eeb597a0f6b0a188086186f2ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2EF6.exe

Filesize
16KB

MD5
9dd0a464f4325c7b03d3ead4202c4b91

SHA1
46e596b3c25d2aa92da18b6067225e19c17a6e80

SHA256
82ff825bba061c94b296c62c8656b4315f2f621ed5f31d2d7d1adfc5af03313b

SHA512
a36de3431316968b6a614d170f472f6398b5a7062c2bed75a290d799253bbd12a45f531cc40db93ea91583141ecc3f7ecd79b6019382742d94066e4d13ba0d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7D97.exe

Filesize
16KB

MD5
440b0346a9e0c9838042bcbbc596641b

SHA1
e7a0539c048ebeaa13ccb546ba4e1a7a50a30161

SHA256
1fcc53456828395c8f9a4c946c6dfaec14b63f3e72c4551322dc84e99155fb62

SHA512
3fe942bbbf4774ac4e60b2de4fe20b8aec79ee2e79edfaed76dfceb8c3f70c42fd91afb8796cf38f286660d42ba5ebbea9fda75fc442cb6a8c4082e346948c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8860.exe

Filesize
16KB

MD5
de4fa2eea8fdcca2e63f885498b54433

SHA1
58e6e1d9e79909ba6e583d459c5eb9892e56a3aa

SHA256
9720d27a08d8282e8fa7b12af3d23fb06fcaf03df00d6afac560f1d5edd9a3e2

SHA512
a907a455584cea3bc6f39832785af1ce4e70f36166c4b87baac41e080b77ab7fe9a85f7ed1411095b8fcf02c646a93b3619b5aa78e4df39853ed081f10f4e097

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD6E3.exe

Filesize
16KB

MD5
304bb68fdd882a4cbcde3e158dbce424

SHA1
8bd942c9cd5d5a1ef657db5cea261d8e55c762c9

SHA256
f9e266e65d5dae00d594c51a0e0e3986abb8cba38974deaf8fbc7bda3a254c9a

SHA512
6265513e731dcb089e27c1fe6312d952f07a79ebe0b60bb5e13395251065d7c68b34b9609b27f841dbd78f32d8f809d6b2675f364c33cd324bb4a442237a5001

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME0F0.exe

Filesize
16KB

MD5
77ec08932e838597f233c57bd382bbc8

SHA1
9fb7dc523b30fd11ff9b2c422d3bfedc2bfd7de4

SHA256
cec14d4acd269e19e7ff1c624c7e3f4df6f28b2c87a798f5260e1242e7127792

SHA512
971cf80ac65f7322eb9b1125d90b55258dcaeb223b596a04dd5745186b9efd83a36e3bbc7f385df03906f041d3ffa91116a9d5cb4e38969e8fa0f77a49587e2c

Download Submit

Analysis

Sharing