6ec75d77b335d7d7543305e410c37bab28cbd65f27bd92e5869ab43a7172938a

General

Target

c5393e17b11841c1512a01f491d590a8_JaffaCakes118.exe
Size

16KB
MD5

c5393e17b11841c1512a01f491d590a8
SHA1

0443c1c51395b7c16900b8a9f20ae6ca90fd049d
SHA256

6ec75d77b335d7d7543305e410c37bab28cbd65f27bd92e5869ab43a7172938a
SHA512

7abcc50986ce719a03a1a02a2954d99db358cd95c2fb98d594b709b022e8d3063c32ca40b66ed365f78f8667df0d2fe08ff6ea097e559e1e8fd8a74caeb3240b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYTu:hDXWipuE+K3/SSHgxmi

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMDDD8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM360A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM8F84.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	c5393e17b11841c1512a01f491d590a8_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM1FB8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM8623.exe

Executes dropped EXE 6 IoCs

pid	Process
2172	DEM1FB8.exe
3964	DEM8623.exe
556	DEMDDD8.exe
372	DEM360A.exe
1096	DEM8F84.exe
3624	DEME7F5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2172	1896	c5393e17b11841c1512a01f491d590a8_JaffaCakes118.exe	100
PID 1896 wrote to memory of 2172	1896	c5393e17b11841c1512a01f491d590a8_JaffaCakes118.exe	100
PID 1896 wrote to memory of 2172	1896	c5393e17b11841c1512a01f491d590a8_JaffaCakes118.exe	100
PID 2172 wrote to memory of 3964	2172	DEM1FB8.exe	106
PID 2172 wrote to memory of 3964	2172	DEM1FB8.exe	106
PID 2172 wrote to memory of 3964	2172	DEM1FB8.exe	106
PID 3964 wrote to memory of 556	3964	DEM8623.exe	108
PID 3964 wrote to memory of 556	3964	DEM8623.exe	108
PID 3964 wrote to memory of 556	3964	DEM8623.exe	108
PID 556 wrote to memory of 372	556	DEMDDD8.exe	110
PID 556 wrote to memory of 372	556	DEMDDD8.exe	110
PID 556 wrote to memory of 372	556	DEMDDD8.exe	110
PID 372 wrote to memory of 1096	372	DEM360A.exe	112
PID 372 wrote to memory of 1096	372	DEM360A.exe	112
PID 372 wrote to memory of 1096	372	DEM360A.exe	112
PID 1096 wrote to memory of 3624	1096	DEM8F84.exe	114
PID 1096 wrote to memory of 3624	1096	DEM8F84.exe	114
PID 1096 wrote to memory of 3624	1096	DEM8F84.exe	114

C:\Users\Admin\AppData\Local\Temp\c5393e17b11841c1512a01f491d590a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c5393e17b11841c1512a01f491d590a8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Local\Temp\DEM1FB8.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1FB8.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\DEM8623.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8623.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Users\Admin\AppData\Local\Temp\DEMDDD8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDDD8.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Users\Admin\AppData\Local\Temp\DEM360A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM360A.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:372
      - C:\Users\Admin\AppData\Local\Temp\DEM8F84.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8F84.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\DEME7F5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME7F5.exe"
        7⤵
        Executes dropped EXE
        
        PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4008 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1FB8.exe

Filesize
16KB

MD5
cfc0c46d2c16f775baf5e2b0866bace7

SHA1
d1d4106209e29fa19762ff3e810d808c50227806

SHA256
e43fb61325dbf1c526e51ac033bf6a03b228afb12d075fdea9f3a3902e10018d

SHA512
5f7fbc6545e1f4da6e209b5c2aa83e53ae288c4a4ff24046ddff7e9a06e9f712053d773d62f8729d3c9bab3c4e7fbf3ce1d2ed033275c20e6aa5a1b3253220ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM360A.exe

Filesize
16KB

MD5
931eb6045214d23f72f509b382fd79ea

SHA1
e834fafa2063f5f11962357f7f915d04d6c8c9db

SHA256
8e0306cf89df621b0c95510cdee9488381daf5348656ce183a10a97c4652ec7c

SHA512
0d363180bd085940a7b758d7d09ae8e5cf241b2b42e567d1535dd1564036c4ec08d8b836dad728eaa8d4be928f85f353ad8850c7daf0685fe13e359eb95ae9ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8623.exe

Filesize
16KB

MD5
65a349abb6a28fefa3ec4e0fcaa4256d

SHA1
0969fe1c0468c488750bdcf510fab910d006ef01

SHA256
ccc364901b0b551fb76ed1723557ad72bdbecc79a53dc14006bd2e0a9ef78c8f

SHA512
bab527bc1672a5fc1a85815461a10e55440333c63246ad1be7888178c89869e48af6b2db881dfdd8f5b041edad405785c1001ff03aa764941625492222a2b010

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8F84.exe

Filesize
16KB

MD5
90589212753cd5b42ec8e6575d648df5

SHA1
d2b6baecaa53078c17c0f8cf64fa1f11e934e590

SHA256
81f0ad7dfd3b580af9f24ecd1818cd59c9e104d3f15036b0ad334c9742ae70d8

SHA512
77909857a60ba4030c2517772cd0f5e8c9b6e5701a359b1eaea5de27e177375fd77bd1356a9c36fc13d51cf1a3da14b6f85c074c40aabba3c0f81fd3ec5034ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDDD8.exe

Filesize
16KB

MD5
494235e56331131d20060105caf0a128

SHA1
ec40e8b97de342236da260f52411fb82dec3bdb9

SHA256
17fde727c134c03a6816a0811e2409812b9c51662bd3d3232a8401a9db6a66bf

SHA512
adb0da5cfee955c4c3f054e8ead92eeee7eee530cb197817ac1726cec1e3c02d22f743932cef7ddd887e529986fcf2ca047206a8d41a467f62585112296f9ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME7F5.exe

Filesize
16KB

MD5
fbac19e2753cbb35271ca890e7677a3c

SHA1
a4bf9de549e980a61113d3fa7939c04f67caf0e0

SHA256
ab6d4d6c952799b98bde21ad68fd85ebe6de77c0b0e867ab9c2af32ddeb458e1

SHA512
c40713017557d5055c1c56c38109926f83df889432fed5731a69daf478b274730bec5c36aed6bc3d49ebe3ca7ba90e31e307d999aa31c2361e59e63d733d388e

Download Submit

Analysis

Sharing