1ea94b1abd5c7d05b282a4011933b1f4e307c4f6c6c6591771e1682cb7cd9a4f

General

Target

c9fb2233e4b7457127be9e20c8348a4f_JaffaCakes118.exe
Size

20KB
MD5

c9fb2233e4b7457127be9e20c8348a4f
SHA1

30179db78366170683dca9d0973ef44cad40799e
SHA256

1ea94b1abd5c7d05b282a4011933b1f4e307c4f6c6c6591771e1682cb7cd9a4f
SHA512

19012338290e87a036ec754ac24b014449bcc7aa2e7d85177b7fde5ad8bafca939feefe7615ad3997bdf43d0519ce5a80d2d9992c78daea081a8313b21c191ec
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4P8UzsRW:hDXWipuE+K3/SSHgxmHZP+w

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	c9fb2233e4b7457127be9e20c8348a4f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMA095.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMFA1F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM5222.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMA8DD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMC1.exe

Executes dropped EXE 6 IoCs

pid	Process
3700	DEMA095.exe
1956	DEMFA1F.exe
4336	DEM5222.exe
1792	DEMA8DD.exe
4640	DEMC1.exe
1092	DEM58D4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3700	2548	c9fb2233e4b7457127be9e20c8348a4f_JaffaCakes118.exe	103
PID 2548 wrote to memory of 3700	2548	c9fb2233e4b7457127be9e20c8348a4f_JaffaCakes118.exe	103
PID 2548 wrote to memory of 3700	2548	c9fb2233e4b7457127be9e20c8348a4f_JaffaCakes118.exe	103
PID 3700 wrote to memory of 1956	3700	DEMA095.exe	107
PID 3700 wrote to memory of 1956	3700	DEMA095.exe	107
PID 3700 wrote to memory of 1956	3700	DEMA095.exe	107
PID 1956 wrote to memory of 4336	1956	DEMFA1F.exe	109
PID 1956 wrote to memory of 4336	1956	DEMFA1F.exe	109
PID 1956 wrote to memory of 4336	1956	DEMFA1F.exe	109
PID 4336 wrote to memory of 1792	4336	DEM5222.exe	111
PID 4336 wrote to memory of 1792	4336	DEM5222.exe	111
PID 4336 wrote to memory of 1792	4336	DEM5222.exe	111
PID 1792 wrote to memory of 4640	1792	DEMA8DD.exe	113
PID 1792 wrote to memory of 4640	1792	DEMA8DD.exe	113
PID 1792 wrote to memory of 4640	1792	DEMA8DD.exe	113
PID 4640 wrote to memory of 1092	4640	DEMC1.exe	115
PID 4640 wrote to memory of 1092	4640	DEMC1.exe	115
PID 4640 wrote to memory of 1092	4640	DEMC1.exe	115

C:\Users\Admin\AppData\Local\Temp\c9fb2233e4b7457127be9e20c8348a4f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c9fb2233e4b7457127be9e20c8348a4f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\DEMA095.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA095.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Users\Admin\AppData\Local\Temp\DEMFA1F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMFA1F.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\DEM5222.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5222.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4336
    - - C:\Users\Admin\AppData\Local\Temp\DEMA8DD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA8DD.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1792
      - C:\Users\Admin\AppData\Local\Temp\DEMC1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC1.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\DEM58D4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM58D4.exe"
        7⤵
        Executes dropped EXE
        
        PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3548 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5222.exe

Filesize
20KB

MD5
dd09c8a56f4b53c8ebd41f3583b39a9a

SHA1
ba808776489e2ef5046b439051055aa613526a42

SHA256
248e7148a51d3459cc2e11274ccdd889eae33afe43dd7952da41949dd55a630c

SHA512
903c9c83abafe1bfa432a210f1df63f0d177bdf4e0549ac48964359558d4b9bccc2d7a1ae5d5367bd74a1907b6a305362564055e08346bd12d7e89aa652b0864

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM58D4.exe

Filesize
20KB

MD5
688fb68ca7f412c2cd47c9b1d805b29d

SHA1
fcca700bbf41d3bf73b2fbb8ada7fe482a4d3787

SHA256
41375eaba8c6e6df2c23d58c58f4a9ccb531e2bf8fe0c6af1ee74c517c34d412

SHA512
148bd89404cd47657aa6cabfbc20b82eb288a3af38f320e52996058b0ed9ae78329f2af526d83fae102d92eb4fbb97fad37f6952e435e39a0eaa7855769a7aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA095.exe

Filesize
20KB

MD5
9a96363b50f9498e42506dac1449dd14

SHA1
c32caa7cfaf2417cc1bb8dbc9e2978f3833a259f

SHA256
cfa9bdfd4e2b1ab5efef2c6675028f10263fd0c417dd4a61be2e98a0e6203135

SHA512
a30ba747b088aa7ad2bdec3950de5bf64ec8a07556e3aaa1fd1b3dc9ea67e3fa1556f08974827e4ad9a78b654d578df1e887ac7bd6e8f78668fc087d08cba938

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA8DD.exe

Filesize
20KB

MD5
f6f3ef91eca5e427c6386c7783d142b8

SHA1
8b83ca3cc40bb61f68606196d1a7a60e8e4cb04f

SHA256
c7671dba5f015223adc4547c2afb5e4e81ff7f9bf8ab6e84ba0ad2e91d250e7d

SHA512
b40f4e5291676b3ecb7662cacc77d28db3cfb18630ab5ef745988a80d2db15b1a1f241c6e440aec143f7fab15946d86dc0a441e64609a3eec9bdcf13c5141c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC1.exe

Filesize
20KB

MD5
651729ef5c4057f4b51351ef41cc52c7

SHA1
1ec6fef1899efc69f5b60ce50bb7f506a39a8b53

SHA256
0e62e18405c0e3f9272315666779426b10f4a887504774f658bc76d42d73ae08

SHA512
26e0995e6f72ac3b2fc784d820e5563bfcd7fccef675b9f1b051eb2a72175832a8d3a390c3ffbc746bf017a500c46291cc25b820c709b0b6839dc34ac94c4c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFA1F.exe

Filesize
20KB

MD5
758632e8f8fdddf70c9c8d0c3d2e5e95

SHA1
0c5fc9994f709e17d5be95cd8985a7ba107cc709

SHA256
abc2b519273472cb1f4b138c1debb0bdf3da6ede7ebec749c9789ca8ba9fcceb

SHA512
5b89f1de6cd7686b690a921c113152b680240132119e33961c3ca936f000f80fea160c52f78d8c391ea8d8b9707ceb7e83bfa4e5da9d9dcb8f76a1fcc8acdbb5

Download Submit

Analysis

Sharing