1554b7cbb44e5305b1f9c59c97c2b2078b7cae0bc3b0e4e80d17471b62526c27

General

Target

cc9d895d9354fc01049f35ebd04ddf4a_JaffaCakes118.exe
Size

14KB
MD5

cc9d895d9354fc01049f35ebd04ddf4a
SHA1

119756994b27892ce56a01edb13007ffbe82d7e3
SHA256

1554b7cbb44e5305b1f9c59c97c2b2078b7cae0bc3b0e4e80d17471b62526c27
SHA512

328ef6f060d5eba287e89a958054f0ba1737b5c85927bb246df7b4b63b275ee38f92b3841d2cdfe3bf16ee1d762da4b6b2115403f5a93c9f356f3332b8b2955b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yha:hDXWipuE+K3/SSHgxg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMF453.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM51D4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMAAA3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM2C5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM5C4F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cc9d895d9354fc01049f35ebd04ddf4a_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3860	DEMF453.exe
5008	DEM51D4.exe
4196	DEMAAA3.exe
3996	DEM2C5.exe
1268	DEM5C4F.exe
1880	DEMB675.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 3860	2680	cc9d895d9354fc01049f35ebd04ddf4a_JaffaCakes118.exe	103
PID 2680 wrote to memory of 3860	2680	cc9d895d9354fc01049f35ebd04ddf4a_JaffaCakes118.exe	103
PID 2680 wrote to memory of 3860	2680	cc9d895d9354fc01049f35ebd04ddf4a_JaffaCakes118.exe	103
PID 3860 wrote to memory of 5008	3860	DEMF453.exe	107
PID 3860 wrote to memory of 5008	3860	DEMF453.exe	107
PID 3860 wrote to memory of 5008	3860	DEMF453.exe	107
PID 5008 wrote to memory of 4196	5008	DEM51D4.exe	109
PID 5008 wrote to memory of 4196	5008	DEM51D4.exe	109
PID 5008 wrote to memory of 4196	5008	DEM51D4.exe	109
PID 4196 wrote to memory of 3996	4196	DEMAAA3.exe	111
PID 4196 wrote to memory of 3996	4196	DEMAAA3.exe	111
PID 4196 wrote to memory of 3996	4196	DEMAAA3.exe	111
PID 3996 wrote to memory of 1268	3996	DEM2C5.exe	113
PID 3996 wrote to memory of 1268	3996	DEM2C5.exe	113
PID 3996 wrote to memory of 1268	3996	DEM2C5.exe	113
PID 1268 wrote to memory of 1880	1268	DEM5C4F.exe	115
PID 1268 wrote to memory of 1880	1268	DEM5C4F.exe	115
PID 1268 wrote to memory of 1880	1268	DEM5C4F.exe	115

C:\Users\Admin\AppData\Local\Temp\cc9d895d9354fc01049f35ebd04ddf4a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cc9d895d9354fc01049f35ebd04ddf4a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\DEMF453.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF453.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Users\Admin\AppData\Local\Temp\DEM51D4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM51D4.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\DEMAAA3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMAAA3.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4196
    - - C:\Users\Admin\AppData\Local\Temp\DEM2C5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2C5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3996
      - C:\Users\Admin\AppData\Local\Temp\DEM5C4F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5C4F.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\DEMB675.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB675.exe"
        7⤵
        Executes dropped EXE
        
        PID:1880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2C5.exe

Filesize
14KB

MD5
135c0eead206342464611a8aaf612a92

SHA1
76f0e04ab2ce26189905913a935a87c0d4935da3

SHA256
2945dd074dfb21933fcf20ba25595937ebbae7b2cc2bc16d55a003eed2f97a07

SHA512
686aaf8e4de25bd4dc8d2233bdaf9427de41292d53f5e175dc213ee98435678dff6c9aac23eff3efa0ae151d1c1a7641ccf8e3e081f12ddc9fc84231f2b1b502

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM51D4.exe

Filesize
14KB

MD5
5088afc151de4c2299dd0b5e4215f878

SHA1
e289adfa7896dd294773b1c27769e33a7898db86

SHA256
9aa8e782f86fe09d4863c51239a30c787b7fe48c7f1d84ef8c28c96cfe9227c5

SHA512
954928237cc8a28c500578ea6f8180121621a8a89b4f25396b6d982f48163c52df2029b79610f20f91af0d0ebe55783d9cdbb2332ad42d0d761648c59ba20015

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5C4F.exe

Filesize
14KB

MD5
04ac7874224086c939ab964f97f1fee9

SHA1
5d285c6066b88eaae20dad9a428a3446b544ce03

SHA256
938dcead54bcf5a7aae3446b42eb15a9606c95f0016bc19f6315e6e23a9b1469

SHA512
f1ee4cb559caedf3be1c74531e8b9be79cbbce2affc9b1434c9a8a42deadacf1f02cfdcbf78f6f2ed46063bb3143ce16bb63cb1e5769b017f6451282355e5cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAAA3.exe

Filesize
14KB

MD5
06b27e6b700adf5641617c3bd90eb8f4

SHA1
522b40d3b3fa8ec0fb14d0b690c1c1629820c4ca

SHA256
33fb5ebece9097a518d76e10d1c1e946dc58435fd2d11e92fbbe4bf8cc33f730

SHA512
bd0fa1353daa7a0d548d9516e1ddc31d0291ff3b8a655af37b2e3233597ec1aef3924c56f545d3bef84af1d2c019a44e4108fe35a6a4518111b962b0bd3938b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB675.exe

Filesize
14KB

MD5
0959ede15b069e36fe0004128f0f10a2

SHA1
5cc7c3889558ca700131a9de2ed84d1c0a0d0658

SHA256
8ab1f422a1718c32c80bfc7d98da5e556e34d60c8b38d82be786b0d9a03c94fd

SHA512
4ac90fd548c213b6e40962a8ec5eb6869a8cbde9c3fd0c054cbc1a8bbe1979b699acb1dbc52d866574768e1fc079c7a4ccd401809ad46d45dd42b0842a457995

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF453.exe

Filesize
14KB

MD5
e394ac00c23807c64d247cbc2401a33d

SHA1
7121b93c71439fc04ad313b4e21974da87b4e4fe

SHA256
002eeddc3be53150657e13b04b46efbcb8cfecebe3713f4bf2ba52d8dd211316

SHA512
4459309b918a5e9d42f757dcc9ba905aefbf61352d5120390d04d0bc7c0cf82cbc09cb1f6868b474b17304e3f72cf027bac86c3bb44bfad368b568f90d6f6b23

Download Submit

Analysis

Sharing