bfa18cc1a3dffbaa117b2439ed75c3e3d8485942013a75cbe47407eebcad5c80

General

Target

28423b49d4c68b00963b662c8128052d_JaffaCakes118.exe
Size

15KB
MD5

28423b49d4c68b00963b662c8128052d
SHA1

f7ce761cbcdf3204eafb854f30a8244ce3e8e642
SHA256

bfa18cc1a3dffbaa117b2439ed75c3e3d8485942013a75cbe47407eebcad5c80
SHA512

ef1be5661063f6ffd41d29169036e67cf793d3268028f415dfa2a8228894b5677cf3aa0badcdcf78fd58f07d516d32050391c07aa069da9dc6c6d95385724b9a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5X/EmD:hDXWipuE+K3/SSHgxm5s+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	28423b49d4c68b00963b662c8128052d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMF24F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM4E79.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM1CB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM59FD.exe

Executes dropped EXE 5 IoCs

pid	Process
4972	DEMF24F.exe
2276	DEM4E79.exe
2032	DEM1CB.exe
4804	DEM59FD.exe
2612	DEMB2AC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 4972	3196	28423b49d4c68b00963b662c8128052d_JaffaCakes118.exe	102
PID 3196 wrote to memory of 4972	3196	28423b49d4c68b00963b662c8128052d_JaffaCakes118.exe	102
PID 3196 wrote to memory of 4972	3196	28423b49d4c68b00963b662c8128052d_JaffaCakes118.exe	102
PID 4972 wrote to memory of 2276	4972	DEMF24F.exe	105
PID 4972 wrote to memory of 2276	4972	DEMF24F.exe	105
PID 4972 wrote to memory of 2276	4972	DEMF24F.exe	105
PID 2368 wrote to memory of 2032	2368	DEMA7E3.exe	109
PID 2368 wrote to memory of 2032	2368	DEMA7E3.exe	109
PID 2368 wrote to memory of 2032	2368	DEMA7E3.exe	109
PID 2032 wrote to memory of 4804	2032	DEM1CB.exe	111
PID 2032 wrote to memory of 4804	2032	DEM1CB.exe	111
PID 2032 wrote to memory of 4804	2032	DEM1CB.exe	111
PID 4804 wrote to memory of 2612	4804	DEM59FD.exe	113
PID 4804 wrote to memory of 2612	4804	DEM59FD.exe	113
PID 4804 wrote to memory of 2612	4804	DEM59FD.exe	113

C:\Users\Admin\AppData\Local\Temp\28423b49d4c68b00963b662c8128052d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28423b49d4c68b00963b662c8128052d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Users\Admin\AppData\Local\Temp\DEMF24F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF24F.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\DEM4E79.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM4E79.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\DEMA7E3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMA7E3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2368
    - - C:\Users\Admin\AppData\Local\Temp\DEM1CB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1CB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2032
      - C:\Users\Admin\AppData\Local\Temp\DEM59FD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM59FD.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\DEMB2AC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB2AC.exe"
        7⤵
        Executes dropped EXE
        
        PID:2612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1CB.exe

Filesize
15KB

MD5
db02f9ef8be8c741417226b064bf8291

SHA1
06404d61f98b53e45eb5384c2d721a01fd76f70a

SHA256
0b9e9a5eace845ad58650f0c8c88d0ad71fb53b3c5cbb7e346d5f04e4953a254

SHA512
2736b7d43e3cd3991a49c9c945d0cb38f742c5fed83f01bde6258d9bad2cdc1ffb681568ad34f8871055ce1de6c2a98fa369ec887e5580bb71140fb69dc44843

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4E79.exe

Filesize
15KB

MD5
aa6b53108b16cf276a5d4e5a5b614803

SHA1
848aab9afa7e505803ad47080c23030987212e08

SHA256
1a9f7bfa84b3f47d857ff2d40fe7f233897088bf799de5522b5e8d5701f13e27

SHA512
aa4359fe39af24303a0e2399f63046f947369cdfbc60f338cc4fd4664d5ebce60f4809bcf45534f3ae7f92097df0acdff079b7970a5cdcfa70f0a76023b40a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM59FD.exe

Filesize
15KB

MD5
2ae4c43742f3263e913efc861c997ff4

SHA1
2ca23456234605bed43f2820988599cf6f107c62

SHA256
2758c35309a296fbef7f6a0b7c6f8493ccd25e0df66dbbce180b646934982741

SHA512
175e4492149d42d74d560d9ef76b23d1b5bd87aea193efbe4775f4d2ff1169a1cd44b8d73a2184f22f174f3198d980a30533b2403ff8dc2e360b497dac0ba994

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB2AC.exe

Filesize
15KB

MD5
229b63131a5389f04c35720a969deb0f

SHA1
76c0e176a98cd9161d7d783b30f04b867aeea37e

SHA256
78fff9a4f426aaef15c9d615149a6f524587e139b620aded4c606f27913a9e40

SHA512
fedaa803225deb7423f8af09103325309a7e347ff2da8f580328b4d1e9dd9db33574d3e61c58e71bce15083a98204ea6277e75ee11557e6bb8416cf3c9c86110

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF24F.exe

Filesize
15KB

MD5
99d5c334891fa4eb230a397e0967e953

SHA1
1b209de7e2ed19d8bc396a5db9dfd0f2a096f31c

SHA256
e9983dc120ec0c52767548a747a6deb9ca9fd2b2a71df2cba7c23ec8063f2b62

SHA512
884c65401e1d37081feeb78be89e2ce0c539900741f4e1331942a4f4f0936b48ef1e55caed08becaf1ef49d851cf2adb9750704327224ac239ec9fc30bb4dcbd

Download Submit

Analysis

Sharing