d3dbeb49f0b8670efcbc8acc6f22b6ea7bd92e975db578846381937e8a8f4bbd

General

Target

ce9081b49b95b1f03e06de44d8ee59e1_JaffaCakes118.exe
Size

15KB
MD5

ce9081b49b95b1f03e06de44d8ee59e1
SHA1

fff5c76e1d8c577cb17996a52aef2c1d255ae828
SHA256

d3dbeb49f0b8670efcbc8acc6f22b6ea7bd92e975db578846381937e8a8f4bbd
SHA512

0158b25f5c969657e5bed16262bc4c638caca00ef0e6affc4f4e7d3619c5e4b53fec99767ad87bbd3d2c1e618ab0f86db48c167b008a4f5049360630bc8739d4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnp:hDXWipuE+K3/SSHgx/p

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEME385.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	ce9081b49b95b1f03e06de44d8ee59e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM6716.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMDC95.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM341B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM8BE0.exe

Executes dropped EXE 6 IoCs

pid	Process
4308	DEM6716.exe
2816	DEMDC95.exe
3028	DEM341B.exe
2624	DEM8BE0.exe
3280	DEME385.exe
4432	DEM3B3A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 4308	5052	ce9081b49b95b1f03e06de44d8ee59e1_JaffaCakes118.exe	104
PID 5052 wrote to memory of 4308	5052	ce9081b49b95b1f03e06de44d8ee59e1_JaffaCakes118.exe	104
PID 5052 wrote to memory of 4308	5052	ce9081b49b95b1f03e06de44d8ee59e1_JaffaCakes118.exe	104
PID 4308 wrote to memory of 2816	4308	DEM6716.exe	107
PID 4308 wrote to memory of 2816	4308	DEM6716.exe	107
PID 4308 wrote to memory of 2816	4308	DEM6716.exe	107
PID 2816 wrote to memory of 3028	2816	DEMDC95.exe	109
PID 2816 wrote to memory of 3028	2816	DEMDC95.exe	109
PID 2816 wrote to memory of 3028	2816	DEMDC95.exe	109
PID 3028 wrote to memory of 2624	3028	DEM341B.exe	111
PID 3028 wrote to memory of 2624	3028	DEM341B.exe	111
PID 3028 wrote to memory of 2624	3028	DEM341B.exe	111
PID 2624 wrote to memory of 3280	2624	DEM8BE0.exe	113
PID 2624 wrote to memory of 3280	2624	DEM8BE0.exe	113
PID 2624 wrote to memory of 3280	2624	DEM8BE0.exe	113
PID 3280 wrote to memory of 4432	3280	DEME385.exe	115
PID 3280 wrote to memory of 4432	3280	DEME385.exe	115
PID 3280 wrote to memory of 4432	3280	DEME385.exe	115

C:\Users\Admin\AppData\Local\Temp\ce9081b49b95b1f03e06de44d8ee59e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ce9081b49b95b1f03e06de44d8ee59e1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\DEM6716.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6716.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\DEMDC95.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDC95.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\DEM341B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM341B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Users\Admin\AppData\Local\Temp\DEM8BE0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8BE0.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Users\Admin\AppData\Local\Temp\DEME385.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME385.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\DEM3B3A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3B3A.exe"
        7⤵
        Executes dropped EXE
        
        PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=3044,i,17059189006398306756,4247826696353232857,262144 --variations-seed-version /prefetch:8
1⤵
PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM341B.exe

Filesize
15KB

MD5
33672b40475acec46c47df5361e5db3b

SHA1
6b39f0659529a97d72b7cdf334f5c7b990b86956

SHA256
f79146e77a10ee233a0c35d21464406e1f722cdc6a96dc84480d44ab302db9b2

SHA512
4e2e12a1c3d84c820f94edabe3fb5eb98f1d52eb818702df6f1eeffea94ca965168bc5d561114014f2b11acfdb2eaf53dfd6ac917d33f044c575eebdf10909cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3B3A.exe

Filesize
15KB

MD5
079329119a14e120a25a823c2195f046

SHA1
672e0dfca3e74b4fc58f16eda1b0351585481836

SHA256
7a12720cc9734e97d9587f4547cbb307dd55c6cbb09003351e41ee70c5b354ba

SHA512
acbdf66c6d864615922d1abebfbdc1c16e1fdb13b165a902981eee9e9c79b648f0638561482f9ecb5db61deaba69f5f89c58ece92d75bd3c770f6bac72b57bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6716.exe

Filesize
15KB

MD5
1c5aeb2d517a22a04daef1f0d3c1a581

SHA1
e0846736f3adbedd0901a828fcbcf6c231ea40ec

SHA256
ad0aa553cf00a4008a2c51eaf628d550157ec35affbaae5e7d08bfdaf8930974

SHA512
7b784f8f95970c32f471491ae1019c2d63ef082f5dec13e544adb792122ae643fdde1f971bbce991c4a530f30490c10356ae709cd23b4c5f509a0958dc14676a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8BE0.exe

Filesize
15KB

MD5
d5e1a246d72895d4b2ed29888ea001ab

SHA1
761f6e6fb7c76d38b5beb6625edd7a8adec9ff94

SHA256
9384a713733db554ba6b281c88778db563b63b052c73b11e74af94687d98dfde

SHA512
fe3e62d7afe4a3f09a3a1109a305a88f5653050d5683c15c2d36db74ceb4d6573fe4b52e7a55e80c57f2d562d84db8d73f1e335f5fc915227eef1f96e78c48c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDC95.exe

Filesize
15KB

MD5
80d2d7a53ab65eb1971762480f062427

SHA1
acf74db56e1c66367218d9ef699ca6a09aa9af95

SHA256
bafd4406988240886979271e5c011f4708c4d80b3b733b4731aba6e8dc3f66f2

SHA512
0177952c45a3a82fd90e56d76197a046c134f11d62415d97b8eb98e8e8b5a82b5c40750870f3fb287df5bff6cc9ffdf31b5b137ef0b766b17ba58af59935ca99

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME385.exe

Filesize
15KB

MD5
438449b8d0b06c132bfe74b3ba7a8d1f

SHA1
da6826e64bad33921677afb241eaee22fe4270f3

SHA256
8a56b35c34f9958af26212960ed29dd1489d50722ad970ee09ff5b7a59c9034b

SHA512
b4cd85531839cca36ed5e466d69a28507beab9f9045d27815f0d7a068e666225fe0565c4e14e6b2d9693d0a861b74ae758a00306fd361cc98d3bac54fcadffeb

Download Submit

Analysis

Sharing