37002e302a6c3137c3423f776e8d758360844741322eabda884422a900c26a07

General

Target

bd727d638ae580c236196eef293a61ae_JaffaCakes118.exe
Size

16KB
MD5

bd727d638ae580c236196eef293a61ae
SHA1

00a66c39462ec325521c9b6b1cbd62ace37497a7
SHA256

37002e302a6c3137c3423f776e8d758360844741322eabda884422a900c26a07
SHA512

2da0adaf85f0ba9cdfd58af52077a322c32dd91768b1e2cda906d69fb52edcf8e1ae1d5de7ed1e6e0f86f1ceedd0f7d9f042d6147001de8e44c0b71786dc1c07
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhD8Sac:hDXWipuE+K3/SSHgxtph

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	bd727d638ae580c236196eef293a61ae_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM1410.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM773E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMCFFD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM28FA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM80EE.exe

Executes dropped EXE 6 IoCs

pid	Process
2560	DEM1410.exe
1388	DEM773E.exe
4544	DEMCFFD.exe
5020	DEM28FA.exe
2516	DEM80EE.exe
1328	DEMD94F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 2560	3688	bd727d638ae580c236196eef293a61ae_JaffaCakes118.exe	105
PID 3688 wrote to memory of 2560	3688	bd727d638ae580c236196eef293a61ae_JaffaCakes118.exe	105
PID 3688 wrote to memory of 2560	3688	bd727d638ae580c236196eef293a61ae_JaffaCakes118.exe	105
PID 2560 wrote to memory of 1388	2560	DEM1410.exe	109
PID 2560 wrote to memory of 1388	2560	DEM1410.exe	109
PID 2560 wrote to memory of 1388	2560	DEM1410.exe	109
PID 1388 wrote to memory of 4544	1388	DEM773E.exe	111
PID 1388 wrote to memory of 4544	1388	DEM773E.exe	111
PID 1388 wrote to memory of 4544	1388	DEM773E.exe	111
PID 4544 wrote to memory of 5020	4544	DEMCFFD.exe	113
PID 4544 wrote to memory of 5020	4544	DEMCFFD.exe	113
PID 4544 wrote to memory of 5020	4544	DEMCFFD.exe	113
PID 5020 wrote to memory of 2516	5020	DEM28FA.exe	115
PID 5020 wrote to memory of 2516	5020	DEM28FA.exe	115
PID 5020 wrote to memory of 2516	5020	DEM28FA.exe	115
PID 2516 wrote to memory of 1328	2516	DEM80EE.exe	117
PID 2516 wrote to memory of 1328	2516	DEM80EE.exe	117
PID 2516 wrote to memory of 1328	2516	DEM80EE.exe	117

C:\Users\Admin\AppData\Local\Temp\bd727d638ae580c236196eef293a61ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd727d638ae580c236196eef293a61ae_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\AppData\Local\Temp\DEM1410.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1410.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\DEM773E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM773E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\DEMCFFD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCFFD.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Users\Admin\AppData\Local\Temp\DEM28FA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM28FA.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5020
      - C:\Users\Admin\AppData\Local\Temp\DEM80EE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM80EE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\DEMD94F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD94F.exe"
        7⤵
        Executes dropped EXE
        
        PID:1328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1410.exe

Filesize
16KB

MD5
1e380ced0ee63229a9697621700c0b98

SHA1
4638aa7442a7cc2b051e246629dfee7ebaa33d5b

SHA256
05148a43d74c7d4fba1e2a1676e29a8dc362d5d1fa82a221c2ccffb34ba1659b

SHA512
10b58322b925de966b0f07e1c1eaa7b046fdfda5375b1e57cb3a92eb39dc4264ef86287e041081daa6825e3746b33039a34e349ce75041b781c540cc10087d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM28FA.exe

Filesize
16KB

MD5
fd7dbbffca4dbf7651875b7b258699f9

SHA1
276d4ae649543d2e2ab0e70987b7dcd39d71936e

SHA256
08a3577d292144ba9a0ef937cf99e8dfa0996b0e0320b587c3188ab484fbc79d

SHA512
42ff134d633c9129fd6fce05199bb1dc5eb889e581b13a3f16bfcba079e390d762593d83fcd49b2f6592b0e79f17b6262d4913f6a1f43a4a729b65c3ae4d027e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM773E.exe

Filesize
16KB

MD5
1d629aec26f62af2dc2ed47dc4e94ab3

SHA1
734a6d15d13731db63770a7cebfd16acd0393cd9

SHA256
5d55f7901f3df38a68db4e3398fd4ec7b5d12f3a581a7c6b6b68bfef03a58ea9

SHA512
1d20e3f21c5f72fbe91011c6c9566b7c034bd8963031f48e002da6f4b40112352931670e19a745cbe777d47f0a375df8e50e2ec280f427a46b7ef75f764ffc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM80EE.exe

Filesize
16KB

MD5
74e7a36c1ea39114461dd827c711cbbb

SHA1
7e8150937222569984d1b13f5356dd515e03cd24

SHA256
d4517dc4de35087a59ffc8acb5bdecaf2cf7da782e5c133af38735b20b2c6eb9

SHA512
1fe70188eeb0b4d2cb2df45e2faf8daff8130e43bc2991423d00a1115e4fc15a6a9246f2b15f6a2542d20f4c8efac063936a8fbf0dfa20042570f9ba8cb183c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCFFD.exe

Filesize
16KB

MD5
276f7ee9ba7ffd336ef29552e0f5179b

SHA1
7238924d2f838103f4c6be1643ec97cef81142e6

SHA256
3b576bffb47627a9276bd6c51e104c32f0ac1fb19eb14c35afc5e61adf72b33a

SHA512
8c557b8d11a98b3d9e902e56af7c5d43c763afca5ac828b5f5cd36a7ce2e3443b91cadea7b1cf9478e46420f456af2958b870cb80992af7500bfdf8600445371

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD94F.exe

Filesize
16KB

MD5
2ed3ed0c65d0ab8b6efad08d1f0b00ba

SHA1
fcaffda0b5cf19c29eba11316b9dc23f71257853

SHA256
732a8c6e50663414ce8831c72354a00b88f851bc92a590c7c975932ba17ad662

SHA512
33415fb6bdbf5e704937fc154f655cdd6de6ae9d6fe568fb10cfe85357497168d73c124e0dcb51b042483d18e80ca7132e84946f84b4fc4e21ad110639ebebf3

Download Submit

Analysis

Sharing