569809624b5b29543a9ddb864a7a1effd0e47b95b4c7976bf2fe16dda49023c2

General

Target

ca1ebdcc3803d46b77ec92363220b789_JaffaCakes118.exe
Size

15KB
MD5

ca1ebdcc3803d46b77ec92363220b789
SHA1

29d05fd0da57ad7cfde6ffb0933ae41c7f32294c
SHA256

569809624b5b29543a9ddb864a7a1effd0e47b95b4c7976bf2fe16dda49023c2
SHA512

21deaaa6a96266f60418df80b82f7168dae6a044e73b77e47bf48e8e83c20af5faa2a5091e6b8b7df4bb29cb5bdd51620338d8b6e97a7d5c4f693f53793ddceb
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0mB:hDXWipuE+K3/SSHgxm0o

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM8DFE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ca1ebdcc3803d46b77ec92363220b789_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM1671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM8325.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMDC32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM352F.exe

Executes dropped EXE 6 IoCs

pid	Process
488	DEM1671.exe
952	DEM8325.exe
2928	DEMDC32.exe
4352	DEM352F.exe
4908	DEM8DFE.exe
2984	DEME64F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 488	5064	ca1ebdcc3803d46b77ec92363220b789_JaffaCakes118.exe	103
PID 5064 wrote to memory of 488	5064	ca1ebdcc3803d46b77ec92363220b789_JaffaCakes118.exe	103
PID 5064 wrote to memory of 488	5064	ca1ebdcc3803d46b77ec92363220b789_JaffaCakes118.exe	103
PID 488 wrote to memory of 952	488	DEM1671.exe	106
PID 488 wrote to memory of 952	488	DEM1671.exe	106
PID 488 wrote to memory of 952	488	DEM1671.exe	106
PID 952 wrote to memory of 2928	952	DEM8325.exe	108
PID 952 wrote to memory of 2928	952	DEM8325.exe	108
PID 952 wrote to memory of 2928	952	DEM8325.exe	108
PID 2928 wrote to memory of 4352	2928	DEMDC32.exe	110
PID 2928 wrote to memory of 4352	2928	DEMDC32.exe	110
PID 2928 wrote to memory of 4352	2928	DEMDC32.exe	110
PID 4352 wrote to memory of 4908	4352	DEM352F.exe	112
PID 4352 wrote to memory of 4908	4352	DEM352F.exe	112
PID 4352 wrote to memory of 4908	4352	DEM352F.exe	112
PID 4908 wrote to memory of 2984	4908	DEM8DFE.exe	114
PID 4908 wrote to memory of 2984	4908	DEM8DFE.exe	114
PID 4908 wrote to memory of 2984	4908	DEM8DFE.exe	114

C:\Users\Admin\AppData\Local\Temp\ca1ebdcc3803d46b77ec92363220b789_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ca1ebdcc3803d46b77ec92363220b789_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Admin\AppData\Local\Temp\DEM1671.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1671.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:488
- - C:\Users\Admin\AppData\Local\Temp\DEM8325.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8325.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Users\Admin\AppData\Local\Temp\DEMDC32.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDC32.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Users\Admin\AppData\Local\Temp\DEM352F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM352F.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4352
      - C:\Users\Admin\AppData\Local\Temp\DEM8DFE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8DFE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\DEME64F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME64F.exe"
        7⤵
        Executes dropped EXE
        
        PID:2984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1671.exe

Filesize
15KB

MD5
00201a762c0215644be145437f79158d

SHA1
2e142568a887d1d57a995a3481186ff72344f333

SHA256
889fbf5a31cedff78e91949810919d867de7dbb9beb0076fed360f300623b97f

SHA512
c2a23cb3ff53d6e9387b9a75aeeb9b1035d93cfa04896cc55036c23941ab0eeb765f9025fcd2701c35014483a9f180b63fd607f8b2379fddf392270399be99ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM352F.exe

Filesize
15KB

MD5
4e92649b3af044d9d647fcfd6491f691

SHA1
1948fdd15152ccf02a3dfaaba48e3e92a6af5d87

SHA256
80f576a1e43b1f4abbaf59d09042220904fde074c132f74a38a2967b8b190996

SHA512
eadff9896567da8f2ab4dee12034a57a328a239ffc74f1a9fb8d6896596907a09f938dbdf5936dd72487761684db2773a4e66ca1867daf20ee52f594b7acdf42

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8325.exe

Filesize
15KB

MD5
0cb9b5496910eca6cf47be79e878cedc

SHA1
3e6add7301698f9751d3b07f9cccb831c3fda49d

SHA256
8c4fedc33409b3f38c876be4d4e21f6927ae0a02821e99f0528eaaeebd386adc

SHA512
ffc4be6f61fbac34db65430173806e35893695c664782f071eadd0b801bbfdab300db85abc2c95daed3ed22f262976747ca3209c77eedfe1671724d47f8d796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8DFE.exe

Filesize
15KB

MD5
ffdbef243c842f566dce994b5cd2f5b1

SHA1
b694b9a76d53ccb45dad8c2eb691da960cebdc71

SHA256
81412be85cefdfd070575087fbb38830e052c15c59dec1f19f2c0ed4578d33fd

SHA512
5f015cf8c41cf2c30c7f913d1f59ab986b2d28c954e2177da5daef58187f85547739754ebf50409f680f0418c8aa502d963d0fe072b6106111cb37fd869f6e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDC32.exe

Filesize
15KB

MD5
cb5cf38f7911daab892953a8e238441e

SHA1
fda7ba02eb6783d5cfddf9e170ac740e675d1e11

SHA256
52ec99ebf78e8431e0cb4947bd2ed838452782d50402b8039cd535527c72c269

SHA512
c988a716f1bc10b52e524769bccc9198d5afd835508f1c35b62a3c7211c6055201e4ef2a8a6b1492fe6d69b46af43382312124e31139f73cc90466cd43cd97be

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME64F.exe

Filesize
15KB

MD5
1fadde2719e47a1e08c78e143677d73a

SHA1
8f8d20cef3b42feaee1608431d286d6fcc55b551

SHA256
39caad177756b37e71cd13f7d7cc1b7fccf9f49b165ea35e9bdbecdd4d8dfb37

SHA512
cf27302b25630ba2f4a3609b73bbdef108bbfc5f0aa299f13619db06961b70f2259e8a439f2fdd074358190fa535e8799579053f527e8e10f9fcb6a124662fea

Download Submit

Analysis

Sharing