Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 04-04-2024 17:10

General

  • Target: bdfefb4a83c40bda12abfbee188cdb3d_JaffaCakes118.exe
  • Size: 16KB
  • MD5: bdfefb4a83c40bda12abfbee188cdb3d
  • SHA1: 15f782c7121ff7dfab4ce0a54a80ab57e951849e
  • SHA256: 8699dd14342ed93107d9afacf46da3f6520b6f51179fc868cb7dbb7998a657fa
  • SHA512: 3d7ab41ae3241d1efed307bcf56e9eaab4dbc490ec6a79a4484e48783e011c0cea3f41213cb89ed35afcea34956f6e3af8cd16a3d76728472fded683a55c8e12
  • SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx9J:hDXWipuE+K3/SSHgxmH7J

Score: 7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 6 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdfefb4a83c40bda12abfbee188cdb3d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bdfefb4a83c40bda12abfbee188cdb3d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Users\Admin\AppData\Local\Temp\DEM38A4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM38A4.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Users\Admin\AppData\Local\Temp\DEM8F01.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM8F01.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3428
        • C:\Users\Admin\AppData\Local\Temp\DEME520.exe
          "C:\Users\Admin\AppData\Local\Temp\DEME520.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1700
          • C:\Users\Admin\AppData\Local\Temp\DEM3B3F.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM3B3F.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4300
            • C:\Users\Admin\AppData\Local\Temp\DEM913F.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM913F.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1480
              • C:\Users\Admin\AppData\Local\Temp\DEME73E.exe
                "C:\Users\Admin\AppData\Local\Temp\DEME73E.exe"
                7⤵
                • Executes dropped EXE
                PID:1384

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM38A4.exe
    Filesize: 16KB
    MD5: c2f6c84ecdd612e8f4d4b254ad0c516e
    SHA1: f4f5ce2a1b7a5c9abd743a88c3d9da8b848465c5
    SHA256: ce5f3a30689649a93f11704406fc2d226b57a479aa8eca65035a0e2f694a6a32
    SHA512: 9d6365c7b6b80f96a1777f4859707533ac35ec70069126202071dc25ee33e7b79d983c41e613b87ddee5d4a961e0df76f3cafc0e79d751a832cb584c2a16533c

  • C:\Users\Admin\AppData\Local\Temp\DEM3B3F.exe
    Filesize: 16KB
    MD5: c57bc18754830f8e553d52c7a9daec73
    SHA1: 21f8b2e605e451a5f24037ba3ffd4ea58dd75429
    SHA256: 316a876940096c26ed3f695bebb0387f2bdfc039a5a868cc42bc1669015a4a38
    SHA512: bab8e09fd675db789d6bf0bcef64e4cc53650b74c72f11a7512f2587c0cb495038f8dfe5c0158bf97ec2e1bd5f24508a6bd463025fb08f6e8d861e7938db9757

  • C:\Users\Admin\AppData\Local\Temp\DEM8F01.exe
    Filesize: 16KB
    MD5: c9806cb04cb066c6d62efe5035ed83a7
    SHA1: d546754fc7927350fd1f4401caa1c11e5e6fd4d2
    SHA256: a918cc52a2c8b5237950a225bbeadbaf3a7157f975caa2f305ba1fffec752062
    SHA512: 9bfc32541bf312b228ccdede12316e735ea6f26bb926b20d7ef5da8b25d9610695f7c82ad1ac76062c0c1b2220cc9a78b3878a6e36288d682a79f3001012ce7d

  • C:\Users\Admin\AppData\Local\Temp\DEM913F.exe
    Filesize: 16KB
    MD5: 81d7abe59b1cee2d6b9be860080c1662
    SHA1: a71cf9cd72de2aa045d83a9ea315d3123dc4088e
    SHA256: 04294179956a3c45aa035f3b7bd994d623c82fd1c2f57d626e9b367fbce14062
    SHA512: f415d71c24d2f8bc2327b01553d56f442b88db37821f5ace509adb80bd7f058cd83a642fe1dab75c1b632906c1bdc01f36dce3c9879bd04bc045382e4cfd4873

  • C:\Users\Admin\AppData\Local\Temp\DEME520.exe
    Filesize: 16KB
    MD5: a9c330057ac698578934b8d6e5a7f01e
    SHA1: 223c43d8988f696160b3b8a3ad24498dfd328e0e
    SHA256: e468523face9fca4a1a1f9477e8d65ca5082c5b22ef4df93148fd257d2ddad7c
    SHA512: c450562b4049485a09065415741f6ed82dc70b046f044d0d7990566971f663af290509167509d3dcebdf059aebc65c1f5917ddbf579222c77b12c4d7c585bd4e

  • C:\Users\Admin\AppData\Local\Temp\DEME73E.exe
    Filesize: 16KB
    MD5: 016fb8d9a4700f9d358c10f34fe9338d
    SHA1: 47c79cc87b87748009b9b797dc1efd20ac570d6f
    SHA256: bddda141a0ddaa104a30d7babdf6bbb877c897ebfed8002cc30c38bef994f69f
    SHA512: ff327172e407ffa5b3d1b16360da35523af0a67432864cf8e838f29c91fb1aa71714f67e6cc50dfb80a8ab5c7852b9de06fd4d6df9c1f7e8c7adbb6a29972ce5