Analysis
-
max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted
04-04-2024 17:10
Static task
static1
Behavioral task
behavioral1
Sample
bdfefb4a83c40bda12abfbee188cdb3d_JaffaCakes118.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
bdfefb4a83c40bda12abfbee188cdb3d_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
bdfefb4a83c40bda12abfbee188cdb3d_JaffaCakes118.exe
-
Size
16KB
-
MD5
bdfefb4a83c40bda12abfbee188cdb3d
-
SHA1
15f782c7121ff7dfab4ce0a54a80ab57e951849e
-
SHA256
8699dd14342ed93107d9afacf46da3f6520b6f51179fc868cb7dbb7998a657fa
-
SHA512
3d7ab41ae3241d1efed307bcf56e9eaab4dbc490ec6a79a4484e48783e011c0cea3f41213cb89ed35afcea34956f6e3af8cd16a3d76728472fded683a55c8e12
-
SSDEEP
384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx9J:hDXWipuE+K3/SSHgxmH7J
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up the country code (GeoID) configured in the registry, likely a geofence check.
description: Key value queried (same for all six rows)
ioc: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation
Process: DEME520.exe, DEM3B3F.exe, DEM913F.exe, bdfefb4a83c40bda12abfbee188cdb3d_JaffaCakes118.exe, DEM38A4.exe, DEM8F01.exe
Executes dropped EXE 6 IoCs
pid   Process
1868  DEM38A4.exe
3428  DEM8F01.exe
1700  DEME520.exe
4300  DEM3B3F.exe
1480  DEM913F.exe
1384  DEME73E.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 18 IoCs
description                       pid   Process                                             procid_target
PID 2336 wrote to memory of 1868  2336  bdfefb4a83c40bda12abfbee188cdb3d_JaffaCakes118.exe  97
PID 2336 wrote to memory of 1868  2336  bdfefb4a83c40bda12abfbee188cdb3d_JaffaCakes118.exe  97
PID 2336 wrote to memory of 1868  2336  bdfefb4a83c40bda12abfbee188cdb3d_JaffaCakes118.exe  97
PID 1868 wrote to memory of 3428  1868  DEM38A4.exe                                         100
PID 1868 wrote to memory of 3428  1868  DEM38A4.exe                                         100
PID 1868 wrote to memory of 3428  1868  DEM38A4.exe                                         100
PID 3428 wrote to memory of 1700  3428  DEM8F01.exe                                         102
PID 3428 wrote to memory of 1700  3428  DEM8F01.exe                                         102
PID 3428 wrote to memory of 1700  3428  DEM8F01.exe                                         102
PID 1700 wrote to memory of 4300  1700  DEME520.exe                                         104
PID 1700 wrote to memory of 4300  1700  DEME520.exe                                         104
PID 1700 wrote to memory of 4300  1700  DEME520.exe                                         104
PID 4300 wrote to memory of 1480  4300  DEM3B3F.exe                                         106
PID 4300 wrote to memory of 1480  4300  DEM3B3F.exe                                         106
PID 4300 wrote to memory of 1480  4300  DEM3B3F.exe                                         106
PID 1480 wrote to memory of 1384  1480  DEM913F.exe                                         108
PID 1480 wrote to memory of 1384  1480  DEM913F.exe                                         108
PID 1480 wrote to memory of 1384  1480  DEM913F.exe                                         108
Processes
-
C:\Users\Admin\AppData\Local\Temp\bdfefb4a83c40bda12abfbee188cdb3d_JaffaCakes118.exe
command line: "C:\Users\Admin\AppData\Local\Temp\bdfefb4a83c40bda12abfbee188cdb3d_JaffaCakes118.exe" (depth 1)
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 2336
C:\Users\Admin\AppData\Local\Temp\DEM38A4.exe
command line: "C:\Users\Admin\AppData\Local\Temp\DEM38A4.exe" (depth 2)
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1868
C:\Users\Admin\AppData\Local\Temp\DEM8F01.exe
command line: "C:\Users\Admin\AppData\Local\Temp\DEM8F01.exe" (depth 3)
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3428
C:\Users\Admin\AppData\Local\Temp\DEME520.exe
command line: "C:\Users\Admin\AppData\Local\Temp\DEME520.exe" (depth 4)
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1700
C:\Users\Admin\AppData\Local\Temp\DEM3B3F.exe
command line: "C:\Users\Admin\AppData\Local\Temp\DEM3B3F.exe" (depth 5)
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4300
C:\Users\Admin\AppData\Local\Temp\DEM913F.exe
command line: "C:\Users\Admin\AppData\Local\Temp\DEM913F.exe" (depth 6)
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1480
C:\Users\Admin\AppData\Local\Temp\DEME73E.exe
command line: "C:\Users\Admin\AppData\Local\Temp\DEME73E.exe" (depth 7)
- Executes dropped EXE
PID: 1384
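The process tree above is a strictly linear hand-off: each stage spawns exactly one dropped EXE from Temp and nothing else. As an added example (not part of the report), the following Python rebuilds that tree from the report's own WriteProcessMemory rows and dropped-EXE list, de-duplicates the three repeated rows per parent/child pair, and flags the linear dropper chain. The event text and PID-to-image map are copied from the tables above; the function names and the min_dropped threshold are assumptions made for this illustration.

```python
"""Rebuild the process tree from a sandbox report's WriteProcessMemory events.

Added example, not part of the report. The EVENTS text and DROPPED map are
copied from the report's "Suspicious use of WriteProcessMemory" and
"Executes dropped EXE" tables; the function names and the min_dropped
threshold are assumptions made for this illustration.
"""
import re

# The report lists every parent->child pair three times (one row per write
# the sandbox observed); parse_events() keeps the first and drops repeats.
EVENTS = """\
PID 2336 wrote to memory of 1868 2336 bdfefb4a83c40bda12abfbee188cdb3d_JaffaCakes118.exe 97
PID 2336 wrote to memory of 1868 2336 bdfefb4a83c40bda12abfbee188cdb3d_JaffaCakes118.exe 97
PID 2336 wrote to memory of 1868 2336 bdfefb4a83c40bda12abfbee188cdb3d_JaffaCakes118.exe 97
PID 1868 wrote to memory of 3428 1868 DEM38A4.exe 100
PID 1868 wrote to memory of 3428 1868 DEM38A4.exe 100
PID 1868 wrote to memory of 3428 1868 DEM38A4.exe 100
PID 3428 wrote to memory of 1700 3428 DEM8F01.exe 102
PID 3428 wrote to memory of 1700 3428 DEM8F01.exe 102
PID 3428 wrote to memory of 1700 3428 DEM8F01.exe 102
PID 1700 wrote to memory of 4300 1700 DEME520.exe 104
PID 1700 wrote to memory of 4300 1700 DEME520.exe 104
PID 1700 wrote to memory of 4300 1700 DEME520.exe 104
PID 4300 wrote to memory of 1480 4300 DEM3B3F.exe 106
PID 4300 wrote to memory of 1480 4300 DEM3B3F.exe 106
PID 4300 wrote to memory of 1480 4300 DEM3B3F.exe 106
PID 1480 wrote to memory of 1384 1480 DEM913F.exe 108
PID 1480 wrote to memory of 1384 1480 DEM913F.exe 108
PID 1480 wrote to memory of 1384 1480 DEM913F.exe 108
"""

# pid -> image name, from the "Executes dropped EXE" table.
DROPPED = {1868: "DEM38A4.exe", 3428: "DEM8F01.exe", 1700: "DEME520.exe",
           4300: "DEM3B3F.exe", 1480: "DEM913F.exe", 1384: "DEME73E.exe"}

# Columns: description ("PID <src> wrote to memory of <dst>"), pid, Process, procid_target.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$")


def parse_events(text):
    """Return ({parent_pid: [child_pid, ...]}, {pid: image}) with repeated rows dropped."""
    children, images = {}, dict(DROPPED)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised event row: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        images.setdefault(src, m["image"])
        kids = children.setdefault(src, [])
        if dst not in kids:
            kids.append(dst)
    return children, images


def find_roots(children):
    """PIDs that wrote into other processes but were never written into themselves."""
    all_children = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in all_children]


def linear_chain(children, root):
    """Follow single-child links from root; stop at a leaf, a fork, or a cycle."""
    chain, cur = [root], root
    while len(children.get(cur, [])) == 1:
        cur = children[cur][0]
        if cur in chain:  # malformed data: never loop forever
            break
        chain.append(cur)
    return chain


def render_tree(children, images, root, depth=1):
    """Indented lines mirroring the report's depth markers (1, 2, ... 7)."""
    lines = [f"{'  ' * (depth - 1)}{depth}: {images.get(root, '?')} (PID {root})"]
    for kid in children.get(root, []):
        lines.extend(render_tree(children, images, kid, depth + 1))
    return lines


def is_dropper_chain(children, root, min_dropped=3):
    """True when root hands off through at least min_dropped consecutively spawned dropped EXEs."""
    chain = linear_chain(children, root)
    handoffs = chain[1:]
    return len(handoffs) >= min_dropped and all(p in DROPPED for p in handoffs)


if __name__ == "__main__":
    children, images = parse_events(EVENTS)
    root = find_roots(children)[0]
    print("\n".join(render_tree(children, images, root)))
    print("linear dropper chain:", is_dropper_chain(children, root))
```

The chain check deliberately requires every hand-off to be a dropped executable; a parent that also spawns a system binary (a fork in the tree) stops the chain at that point, so the function tells you how far the pure dropper stage extends rather than just how deep the tree is. The six 16KB files in the Downloads section below are the stages themselves; their hashes cannot be reproduced offline, which is why the script works from the event table only.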
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
16KB
MD5 c2f6c84ecdd612e8f4d4b254ad0c516e
SHA1 f4f5ce2a1b7a5c9abd743a88c3d9da8b848465c5
SHA256 ce5f3a30689649a93f11704406fc2d226b57a479aa8eca65035a0e2f694a6a32
SHA512 9d6365c7b6b80f96a1777f4859707533ac35ec70069126202071dc25ee33e7b79d983c41e613b87ddee5d4a961e0df76f3cafc0e79d751a832cb584c2a16533c
-
Filesize
16KB
MD5 c57bc18754830f8e553d52c7a9daec73
SHA1 21f8b2e605e451a5f24037ba3ffd4ea58dd75429
SHA256 316a876940096c26ed3f695bebb0387f2bdfc039a5a868cc42bc1669015a4a38
SHA512 bab8e09fd675db789d6bf0bcef64e4cc53650b74c72f11a7512f2587c0cb495038f8dfe5c0158bf97ec2e1bd5f24508a6bd463025fb08f6e8d861e7938db9757
-
Filesize
16KB
MD5 c9806cb04cb066c6d62efe5035ed83a7
SHA1 d546754fc7927350fd1f4401caa1c11e5e6fd4d2
SHA256 a918cc52a2c8b5237950a225bbeadbaf3a7157f975caa2f305ba1fffec752062
SHA512 9bfc32541bf312b228ccdede12316e735ea6f26bb926b20d7ef5da8b25d9610695f7c82ad1ac76062c0c1b2220cc9a78b3878a6e36288d682a79f3001012ce7d
-
Filesize
16KB
MD5 81d7abe59b1cee2d6b9be860080c1662
SHA1 a71cf9cd72de2aa045d83a9ea315d3123dc4088e
SHA256 04294179956a3c45aa035f3b7bd994d623c82fd1c2f57d626e9b367fbce14062
SHA512 f415d71c24d2f8bc2327b01553d56f442b88db37821f5ace509adb80bd7f058cd83a642fe1dab75c1b632906c1bdc01f36dce3c9879bd04bc045382e4cfd4873
-
Filesize
16KB
MD5 a9c330057ac698578934b8d6e5a7f01e
SHA1 223c43d8988f696160b3b8a3ad24498dfd328e0e
SHA256 e468523face9fca4a1a1f9477e8d65ca5082c5b22ef4df93148fd257d2ddad7c
SHA512 c450562b4049485a09065415741f6ed82dc70b046f044d0d7990566971f663af290509167509d3dcebdf059aebc65c1f5917ddbf579222c77b12c4d7c585bd4e
-
Filesize
16KB
MD5 016fb8d9a4700f9d358c10f34fe9338d
SHA1 47c79cc87b87748009b9b797dc1efd20ac570d6f
SHA256 bddda141a0ddaa104a30d7babdf6bbb877c897ebfed8002cc30c38bef994f69f
SHA512 ff327172e407ffa5b3d1b16360da35523af0a67432864cf8e838f29c91fb1aa71714f67e6cc50dfb80a8ab5c7852b9de06fd4d6df9c1f7e8c7adbb6a29972ce5