266ae15d7eb24bbeadae42e9a7ed31dd99c1ea954197a762547b6d85cc7be86d

General

Target

c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe
Size

14KB
MD5

c77589d49fba08a129ff3fa1012d2709
SHA1

30c5618c55d226880493435e823b1e01cf27b023
SHA256

266ae15d7eb24bbeadae42e9a7ed31dd99c1ea954197a762547b6d85cc7be86d
SHA512

f280c69eaadfdab581ef354067d182c77b114af823b335c99647281a1372a6aa5f2f90b6de4b3e0e1faa6a4fd2df6b60a2a17ee015f306478746b5bef3630d5c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5u:hDXWipuE+K3/SSHgxm8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM6A2F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMC2BE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM1B10.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMB7C7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM11FC.exe

Executes dropped EXE 6 IoCs

pid	Process
5012	DEMB7C7.exe
560	DEM11FC.exe
4744	DEM6A2F.exe
4192	DEMC2BE.exe
2344	DEM1B10.exe
4200	DEM73EE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 5012	4192	c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe	101
PID 4192 wrote to memory of 5012	4192	c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe	101
PID 4192 wrote to memory of 5012	4192	c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe	101
PID 5012 wrote to memory of 560	5012	DEMB7C7.exe	106
PID 5012 wrote to memory of 560	5012	DEMB7C7.exe	106
PID 5012 wrote to memory of 560	5012	DEMB7C7.exe	106
PID 560 wrote to memory of 4744	560	DEM11FC.exe	109
PID 560 wrote to memory of 4744	560	DEM11FC.exe	109
PID 560 wrote to memory of 4744	560	DEM11FC.exe	109
PID 4744 wrote to memory of 4192	4744	DEM6A2F.exe	111
PID 4744 wrote to memory of 4192	4744	DEM6A2F.exe	111
PID 4744 wrote to memory of 4192	4744	DEM6A2F.exe	111
PID 4192 wrote to memory of 2344	4192	DEMC2BE.exe	113
PID 4192 wrote to memory of 2344	4192	DEMC2BE.exe	113
PID 4192 wrote to memory of 2344	4192	DEMC2BE.exe	113
PID 2344 wrote to memory of 4200	2344	DEM1B10.exe	115
PID 2344 wrote to memory of 4200	2344	DEM1B10.exe	115
PID 2344 wrote to memory of 4200	2344	DEM1B10.exe	115

C:\Users\Admin\AppData\Local\Temp\c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\DEMB7C7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB7C7.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\DEM11FC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM11FC.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Users\Admin\AppData\Local\Temp\DEM6A2F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6A2F.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4744
    - - C:\Users\Admin\AppData\Local\Temp\DEMC2BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC2BE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4192
      - C:\Users\Admin\AppData\Local\Temp\DEM1B10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1B10.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\DEM73EE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM73EE.exe"
        7⤵
        Executes dropped EXE
        
        PID:4200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2432,i,12161922670941700748,3348345705955601576,262144 --variations-seed-version /prefetch:8
1⤵
PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM11FC.exe

Filesize
15KB

MD5
4cd790145c719ad05ffda22262d16235

SHA1
8d81b5b9daec418d61cb082bed102273cb4d076b

SHA256
1fe45f36211141077e93d81770a5fffcf173034532794279decab227b6acf27b

SHA512
a58cffa737813201ac065544058465f21730e6abb71e33d1504822ed47a2951519705c52bf545746d11abce00e8b881c0e11e4fe7b2195374d335b6894afd339

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1B10.exe

Filesize
15KB

MD5
4d7a445b7796ef188e6873db13c8d6a5

SHA1
1fc66bfca89d122f8e32970ebc33aa87085af909

SHA256
3b1c2f449b2842556f2520286ede603c41d5c36dcd98ff9d2b0e889dd3c452a7

SHA512
cfad2cf9fc8fa3385ca9d30346cba8d33f71078c1a7e5fe661a3b81a81236a7a8d4c2f92f0b30b4c1b1ded59c1bca6eed0486b439b0a6bc0570602c777f58341

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6A2F.exe

Filesize
15KB

MD5
f94a81355ae4bd892986655122d89e89

SHA1
635265206a4124748a90bc84026162a1e51e2da2

SHA256
fada64afc3fbd912c7199ee37418b08a5590746452a3020111f3e9971ebf7e0e

SHA512
c6e6126036d79587ed9ba4f4f48db1b307a4f647a6ef05b2b5fdb13b100adba93b089a5e940894accca91eae196e59f4a5f9a34dad8313c3d8856e11fc202b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM73EE.exe

Filesize
15KB

MD5
61e5f09d91ef4c9f4cdf6e8d122e5079

SHA1
0f46e37319dbcd25f585218986cb6d93def2daac

SHA256
2617cf6fbd30d69c2dec128373fe6541f3baa98efc931340bf30f4f5a218ef5b

SHA512
05ff0d1f4a2aff063cbfee723d7ae041b23c2210beea8ed567386b08fd86d64ecff04ac64618efa29360a25e4533df6182f17d588ea597678f0a0ebf2f051e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB7C7.exe

Filesize
15KB

MD5
d52659c0779ee6f8b7d7e15e649d9cb1

SHA1
56005f856dfbb802206c72f37c8c4e964731cd1e

SHA256
dd46eb29bbffb5671c6c93d316ae8464d2b05cf2aab785884bbd91f4832b1616

SHA512
c36384d09556a205c6c4793f17715f84039b5a6ccecfe70ab7ff6ae0da51993767cdbdcf22076ae12edc7d4484c955f13f3bc4d8416044e361d0b69ecbb29671

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC2BE.exe

Filesize
15KB

MD5
75fa124ef691014b5e6c69b4ecfe26d2

SHA1
20c000f41e3e2679bb307fe3cece76b54e139666

SHA256
f8dd691324ade252d2c69d022fc5c44975cfe1eccf2218ebaa1a0bad0da2df09

SHA512
5c71137466e7af54cf54b3be091e8dbefb796f0e7ef86d471f6e09c981be1390315061f22405b38ef996f4acea2e3705b2f12bb6e984118eb369470dc050ebdf

Download Submit

Analysis

Sharing