17e8e159cb856eeb9a230b4556329bf29bccbc966319284a56e9560d0c6c5671

General

Target

c569aedfd18f23828c02e6359b5aae3e_JaffaCakes118.exe
Size

20KB
MD5

c569aedfd18f23828c02e6359b5aae3e
SHA1

911c60d981d904bff9418c272f9034e1d5310b7a
SHA256

17e8e159cb856eeb9a230b4556329bf29bccbc966319284a56e9560d0c6c5671
SHA512

e42ebfc57cf7779b13d9bc980fda0cc853688f32f80659b80348984f7ba85685ae010645e9adaacff1deb975ca85169c17813c9d443aac8cd8810e027cc6d2f3
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4Pc:hDXWipuE+K3/SSHgxmHZPc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM84FF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMDF06.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM3767.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM8F3B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEME71F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	c569aedfd18f23828c02e6359b5aae3e_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
5080	DEM84FF.exe
3400	DEMDF06.exe
4452	DEM3767.exe
4956	DEM8F3B.exe
1796	DEME71F.exe
2596	DEM3FCE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 5080	1312	c569aedfd18f23828c02e6359b5aae3e_JaffaCakes118.exe	104
PID 1312 wrote to memory of 5080	1312	c569aedfd18f23828c02e6359b5aae3e_JaffaCakes118.exe	104
PID 1312 wrote to memory of 5080	1312	c569aedfd18f23828c02e6359b5aae3e_JaffaCakes118.exe	104
PID 5080 wrote to memory of 3400	5080	DEM84FF.exe	108
PID 5080 wrote to memory of 3400	5080	DEM84FF.exe	108
PID 5080 wrote to memory of 3400	5080	DEM84FF.exe	108
PID 3400 wrote to memory of 4452	3400	DEMDF06.exe	110
PID 3400 wrote to memory of 4452	3400	DEMDF06.exe	110
PID 3400 wrote to memory of 4452	3400	DEMDF06.exe	110
PID 4452 wrote to memory of 4956	4452	DEM3767.exe	112
PID 4452 wrote to memory of 4956	4452	DEM3767.exe	112
PID 4452 wrote to memory of 4956	4452	DEM3767.exe	112
PID 4956 wrote to memory of 1796	4956	DEM8F3B.exe	114
PID 4956 wrote to memory of 1796	4956	DEM8F3B.exe	114
PID 4956 wrote to memory of 1796	4956	DEM8F3B.exe	114
PID 1796 wrote to memory of 2596	1796	DEME71F.exe	116
PID 1796 wrote to memory of 2596	1796	DEME71F.exe	116
PID 1796 wrote to memory of 2596	1796	DEME71F.exe	116

C:\Users\Admin\AppData\Local\Temp\c569aedfd18f23828c02e6359b5aae3e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c569aedfd18f23828c02e6359b5aae3e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\DEM84FF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM84FF.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\DEMDF06.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDF06.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Users\Admin\AppData\Local\Temp\DEM3767.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3767.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4452
    - - C:\Users\Admin\AppData\Local\Temp\DEM8F3B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8F3B.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4956
      - C:\Users\Admin\AppData\Local\Temp\DEME71F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME71F.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\DEM3FCE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3FCE.exe"
        7⤵
        Executes dropped EXE
        
        PID:2596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3767.exe

Filesize
20KB

MD5
fa8930efea1d8842a454f961e41d6b85

SHA1
a40d88e87db22a178dc8483b6884fca0c2066511

SHA256
a58cdf723e495ea72bfe0bf3830a9f26ef37369d3b695d83ee6ade8c5e994e4d

SHA512
3b0216ff9780c2109216e37bc98e9256705a3c5e7220b65fc3b7c0d60d2bc4b621798e1724fbcd7662e346ccf1b1a8ed2b7138618891fadde1d2b5de0eda1383

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3FCE.exe

Filesize
20KB

MD5
da5cc9f2fa41f12289a7e22db5fd27bc

SHA1
d949d0ce6010945dca183d9a7587bbb5e73d6886

SHA256
930e11e5bf7e51df44000f2352e985477a893e3f3ccc2ac55eeff4f47d82514e

SHA512
3e86a7c671c7f6ee4e9791a850afc1d28277a4235893e49b3fb4d55487026b7ddee23176a12ad2f59fa4a1f012d8c21857a12d7f1b6fa3532a688c28bcf4218f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM84FF.exe

Filesize
20KB

MD5
cdd78fdf060b9fda6d12a6d6f9fd9dbb

SHA1
6f770f458a5e5d0e36d73c87de2a3c2e8b2d68e7

SHA256
01fd2cf13544a357404d8be303dabcc017337cf2d4ca24aad4879b92d985cca4

SHA512
0b4ebf7c5a954405f4e066b3c79b4aca9da9895f19f91c15f4945f33247730f134ba72ae18c2a92f13e9899298eea37556fdab5f79b9611fd4b06ed612777e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8F3B.exe

Filesize
20KB

MD5
930567c3dad3bb929f415ce508ac47d7

SHA1
1f70bb1869eb805dd4cee9a4eebbe2e66c82340b

SHA256
c00b4a0fb2c6855afed086a90164aa18a6084e137cdeebda75a73945baa0558f

SHA512
defdda2c0357b78cb8d0e9dfa5eb379723fccef315ec086e9e04c5e82b85c101679ca3940e09effe8a41b53ea42ff482d7512a125f10febc3c118ebba5aaa39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDF06.exe

Filesize
20KB

MD5
19a5d836406ff3562033b18bc6de7e80

SHA1
3adf6bbb97ab5e179d9f63088440ef34548f8c44

SHA256
2e8c071025902748da998dbe3be0782137bec24109b80621b3e0f726fd4019fd

SHA512
31c8f5cbee2d62f53de9f54b3d8e9e397451e4c8e20d12f3abd983809d97e61ba4cc66670851cb3c14a4df03fa59d899d62bb74ecabbe305362f0b5f4e00c1bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME71F.exe

Filesize
20KB

MD5
fc9d2e6c582f8f0ab4085a81834bc0bf

SHA1
374a245684582b88088b791aefac7efabb5ef801

SHA256
0e4fb0b75935500d2b1f19e8d0e7cbc97f7163c0b06232d1a989f04d6ee162e1

SHA512
ca46db9a8b33ce5c649ae1bc0a9d34a1b1c787fb4c202b9469aa9bbc89b66af87c48cc4e71e12c7a238b1128828452bec821fad23320e6b95a8bdc83bcede096

Download Submit

Analysis

Sharing