9ffc3978c63c4f750a4b999d9f0ef69d4ce84194c47b7e2a4736cc1dc333f45d

General

Target

c961b92bcd7d10f9e51d8729f98c6c23_JaffaCakes118.exe
Size

16KB
MD5

c961b92bcd7d10f9e51d8729f98c6c23
SHA1

ee179558b02b5d3322f4119cf8161751d056b087
SHA256

9ffc3978c63c4f750a4b999d9f0ef69d4ce84194c47b7e2a4736cc1dc333f45d
SHA512

3752813d5ffcf014b63bc46b444c38d1d6f0bca05a75ef52d06f12ad4221ab5cdae842c7f01e2d02e2935801ded9e58a5039d1a258095826fe2edcaab306b083
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlOjZ:hDXWipuE+K3/SSHgxmlWZ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	c961b92bcd7d10f9e51d8729f98c6c23_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMB0A3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMCCC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM63F5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMBB3D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM1207.exe

Executes dropped EXE 6 IoCs

pid	Process
4944	DEMB0A3.exe
4116	DEMCCC.exe
64	DEM63F5.exe
2772	DEMBB3D.exe
1264	DEM1207.exe
1320	DEM69DC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 4944	4448	c961b92bcd7d10f9e51d8729f98c6c23_JaffaCakes118.exe	103
PID 4448 wrote to memory of 4944	4448	c961b92bcd7d10f9e51d8729f98c6c23_JaffaCakes118.exe	103
PID 4448 wrote to memory of 4944	4448	c961b92bcd7d10f9e51d8729f98c6c23_JaffaCakes118.exe	103
PID 4944 wrote to memory of 4116	4944	DEMB0A3.exe	106
PID 4944 wrote to memory of 4116	4944	DEMB0A3.exe	106
PID 4944 wrote to memory of 4116	4944	DEMB0A3.exe	106
PID 4116 wrote to memory of 64	4116	DEMCCC.exe	109
PID 4116 wrote to memory of 64	4116	DEMCCC.exe	109
PID 4116 wrote to memory of 64	4116	DEMCCC.exe	109
PID 64 wrote to memory of 2772	64	DEM63F5.exe	111
PID 64 wrote to memory of 2772	64	DEM63F5.exe	111
PID 64 wrote to memory of 2772	64	DEM63F5.exe	111
PID 2772 wrote to memory of 1264	2772	DEMBB3D.exe	113
PID 2772 wrote to memory of 1264	2772	DEMBB3D.exe	113
PID 2772 wrote to memory of 1264	2772	DEMBB3D.exe	113
PID 1264 wrote to memory of 1320	1264	DEM1207.exe	115
PID 1264 wrote to memory of 1320	1264	DEM1207.exe	115
PID 1264 wrote to memory of 1320	1264	DEM1207.exe	115

C:\Users\Admin\AppData\Local\Temp\c961b92bcd7d10f9e51d8729f98c6c23_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c961b92bcd7d10f9e51d8729f98c6c23_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Users\Admin\AppData\Local\Temp\DEMB0A3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB0A3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Users\Admin\AppData\Local\Temp\DEMCCC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCCC.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Users\Admin\AppData\Local\Temp\DEM63F5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM63F5.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:64
    - - C:\Users\Admin\AppData\Local\Temp\DEMBB3D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBB3D.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Users\Admin\AppData\Local\Temp\DEM1207.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1207.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\DEM69DC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM69DC.exe"
        7⤵
        Executes dropped EXE
        
        PID:1320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1207.exe

Filesize
16KB

MD5
6bde287de81ef78a8ba5782429f96fe0

SHA1
7722a4f70f0599ef022633e300b9afff647b8de9

SHA256
56acc3f140cf1225fd5beed98565062aa502cdbd2f6f5744837ec9a01da19052

SHA512
bce31385270cb4d1aeb5e36a0595fbf7ef1e96446c8818cfe39e15d1b4b0eeffa34e9b6246facf9feb9df6b99df2fb6181d355ed4ae72164f32a13f02f4f683b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM63F5.exe

Filesize
16KB

MD5
6d36d69c76760aae1e43530722dcf0da

SHA1
6b31afdfc6f8a968cc0e6304516cf37bf5fa996f

SHA256
3f8f1baaf4fff1a08948e7986180c6f3e947321ace8863c1426ed6360908ffc3

SHA512
a3f7282c90b4303e17390143a19043a5034c55d0a569d532e7205a063259422f0a190adc4f95782ea4e516a5bbe30aec1956f5e0753761691f9d1ef7d4b906cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM69DC.exe

Filesize
16KB

MD5
9c403a3dc5b1788866b908e0179d8d23

SHA1
feef656876fe6cd9966ebdbf77674a5a140008f1

SHA256
e9643a6cc4e604c56fb623da74bdeb2d6047f8cb38b8b90c8ac5a7e282115eda

SHA512
a36d187e448115c5063943dc86ceb3c8da07376938a75bc7c270ba9ecd487449fc8850850e1c1d0c575e6d98c96bb78ec69d795ad255bf55c53157dddecf0354

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB0A3.exe

Filesize
16KB

MD5
60b12a1dcf7a8e906b9d49cd772bfb2d

SHA1
5598a7358ace0bd5077a6ce0a9a99be0b00a6871

SHA256
475ccaebc739216abe9f9e0420a8d438c884e19779eb53286d0c8f9175d59d8e

SHA512
90832d35890f63939beead7bf315774f112939a76eeb49340796e8647b1ea6e81ccce6d36dacfa30fb280259a5a387b4376e0aa30c9886f59ade6c27a1a96e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBB3D.exe

Filesize
16KB

MD5
89a2feb05f492c0dd1d847348b2e6eed

SHA1
9086f187bcf1e666655ff4d5dcea0b4061ef236b

SHA256
8661dae35d78f86761f4d85f7ce96ce218a64ee648c204b8c87372945f4f1c64

SHA512
28576244f83cd42623c45d8af05191127f42d9a6145cbea471984a1cd8829d3a886ccca4f54ef0d97680ba36f37f0a45915522743c60b3f85941b29930fbed91

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCCC.exe

Filesize
16KB

MD5
e39b4ba1e0f8a9cb1c77cca4389d0570

SHA1
5aa29311377bb7b7c08cfebb0e3a919d4cc52451

SHA256
72c8603b7d14dbd967370f0904d8ea4f1fffbc0c798e285a15e0eb97c8c0a6d0

SHA512
1133eb1c82beaccef909a2ba66af46da53a978b43dcd41b1a8ba5b64048c44ff0bb76bf8e2b5dc0eb18f1c2524c13f76d30096e90de8030dbb49c37efe8d31be

Download Submit

Analysis

Sharing