060d8d92ff5a5127139ce94d47775c7850a039f350443e644ae4b9051c80e8b6

General

Target

c2a18284c8ac583ac2932e8babfa55fe_JaffaCakes118.exe
Size

16KB
MD5

c2a18284c8ac583ac2932e8babfa55fe
SHA1

d096bb1bcf17285164aa1d0fb65e760d5afea8cd
SHA256

060d8d92ff5a5127139ce94d47775c7850a039f350443e644ae4b9051c80e8b6
SHA512

b613e2f1446a79ae5cf49dd15064b33160e451a84e5a4ea2f2b077eda1dc26e593b55c8cfdc854c897a0c4609abcd0531bdf73847849a257774dc0c6f2eb0b43
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx4mZh:hDXWipuE+K3/SSHgxmHFz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM3FE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM5D2A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	c2a18284c8ac583ac2932e8babfa55fe_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEME9A4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM5186.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMAAE1.exe

Executes dropped EXE 6 IoCs

pid	Process
4100	DEME9A4.exe
1200	DEM5186.exe
972	DEMAAE1.exe
3292	DEM3FE.exe
948	DEM5D2A.exe
4712	DEMB627.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 4100	1456	c2a18284c8ac583ac2932e8babfa55fe_JaffaCakes118.exe	104
PID 1456 wrote to memory of 4100	1456	c2a18284c8ac583ac2932e8babfa55fe_JaffaCakes118.exe	104
PID 1456 wrote to memory of 4100	1456	c2a18284c8ac583ac2932e8babfa55fe_JaffaCakes118.exe	104
PID 4100 wrote to memory of 1200	4100	DEME9A4.exe	107
PID 4100 wrote to memory of 1200	4100	DEME9A4.exe	107
PID 4100 wrote to memory of 1200	4100	DEME9A4.exe	107
PID 1200 wrote to memory of 972	1200	DEM5186.exe	109
PID 1200 wrote to memory of 972	1200	DEM5186.exe	109
PID 1200 wrote to memory of 972	1200	DEM5186.exe	109
PID 972 wrote to memory of 3292	972	DEMAAE1.exe	111
PID 972 wrote to memory of 3292	972	DEMAAE1.exe	111
PID 972 wrote to memory of 3292	972	DEMAAE1.exe	111
PID 3292 wrote to memory of 948	3292	DEM3FE.exe	113
PID 3292 wrote to memory of 948	3292	DEM3FE.exe	113
PID 3292 wrote to memory of 948	3292	DEM3FE.exe	113
PID 948 wrote to memory of 4712	948	DEM5D2A.exe	115
PID 948 wrote to memory of 4712	948	DEM5D2A.exe	115
PID 948 wrote to memory of 4712	948	DEM5D2A.exe	115

C:\Users\Admin\AppData\Local\Temp\c2a18284c8ac583ac2932e8babfa55fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c2a18284c8ac583ac2932e8babfa55fe_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\DEME9A4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME9A4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\DEM5186.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5186.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\DEMAAE1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMAAE1.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:972
    - - C:\Users\Admin\AppData\Local\Temp\DEM3FE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3FE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3292
      - C:\Users\Admin\AppData\Local\Temp\DEM5D2A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5D2A.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\DEMB627.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB627.exe"
        7⤵
        Executes dropped EXE
        
        PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3FE.exe

Filesize
16KB

MD5
0f3a7c5e83ce55c904c77ceb068f924c

SHA1
caa658131c3ae2f4eee45c53b7d9919395320c87

SHA256
f6df1b7ed1d252885c27124c2544bd2ff3ffd835e59e7d45feed2cfa996ef8bb

SHA512
68a747187053bc8b3484efb54e6621ac3336ea431607ee20e5da2f84a105250a7f063dfd17233263a6f674f038d40162c3630bf9277cc81cc17f7eefe5589706

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5186.exe

Filesize
16KB

MD5
5226bc7973da7819ef1180c16f7dc68f

SHA1
8af7433bafa49879db2ad75877ef73cd5202aef0

SHA256
88a83948ebf93f593c800d5f3526e618a5b82aeb2eafcce3260575a8ac873b18

SHA512
db5a296a6b804dcd2da619cc22aac004956ff3fec9b75245c4f31ef2aa4d1fc08aaf1798110604f9939a18f9c7c9972552b80a36936376bc3fc64708eef41d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5D2A.exe

Filesize
16KB

MD5
263241604f44a119de40bbc85d30d404

SHA1
0b8a0aaad3deb0d7ca1976629f792b2ef1bcbdeb

SHA256
ff2d31debb8e65fc816370bd2bdc83f9fe2bf61695ab2648951f37eebf513e89

SHA512
f5ba77aca8131f8a9bbf182302dcec479d93e9f37552dcd0d41f69392059b589569fae1306833d620e40b39a5c3057b86c9456450800beb05d4ba2cde3bcc95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAAE1.exe

Filesize
16KB

MD5
14023973fa50efa0179efc1bab4c2355

SHA1
8be4ebb748b6846fd514aafc4cc36b258d55b15d

SHA256
6f421421d36c67aa62bf0a9f0156a59cf78095555b1b1e92c8afc50ec6054085

SHA512
1b0216cb362abb40669c90d926fd2406d3c532381f00293bf2c447674fed88127817377d82a469b9d734418770f10e3bd649b44936970ecf9afbe40a4fc0875f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB627.exe

Filesize
16KB

MD5
51248e34b759ee5cdea0f20ae582b46f

SHA1
0cdb2d0ae90e48003b0b6e66f87c6cb9a2666083

SHA256
d7cc324ec2b9836bf10387d4d96dc6075bcdff4bb04af39743afce6542081a56

SHA512
3de2441160578268486579235e4c556191f349a788d556f0a47804ec641ba424d25225cbcf19db46e605dbeea390b8fc26e65c4a157cba8552f4d9875fd1240d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME9A4.exe

Filesize
16KB

MD5
321ef8bb9376e6f69182e9923904a166

SHA1
2be6b093a86c2e9c6c828d1316897392e20a9b1f

SHA256
2fd539b644621cf22a7b2fd4ef7571bedd59572049b8174d4963bb1fbdc9f393

SHA512
ba44a395a88ae1aa83c8ef7261800bc8149e0bfb8b88e7acf0994e74a6f09bae57141b2a24de2b0cd0e9567fcc0fb9eceb00db090df44cbc54cf99616196d7ee

Download Submit

Analysis

Sharing