2586711a9e0ca45fc0b18bfc0ff0e1d566860a289770464fd5c582a0f8626a9c

General

Target

d0a2e458a2726ff5a4a4e8d43954b1a2_JaffaCakes118.exe
Size

15KB
MD5

d0a2e458a2726ff5a4a4e8d43954b1a2
SHA1

8346de7fb8537a97de5818ae7d2e0bf5335fcda7
SHA256

2586711a9e0ca45fc0b18bfc0ff0e1d566860a289770464fd5c582a0f8626a9c
SHA512

8df190280f0d1eea4515f84bfae0fabdf2d458dbff14a6d592efaaf2fb68d1b633aebc11060ee2c29dbc53461301b0f8fe0bb240c5615b3c41de69d13cee0d14
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl04:hDXWipuE+K3/SSHgxmlr

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMD040.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM27E6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM8008.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMD84A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	d0a2e458a2726ff5a4a4e8d43954b1a2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM76C6.exe

Executes dropped EXE 6 IoCs

pid	Process
3800	DEM76C6.exe
4812	DEMD040.exe
4452	DEM27E6.exe
864	DEM8008.exe
4756	DEMD84A.exe
2720	DEM30AB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 3800	3672	d0a2e458a2726ff5a4a4e8d43954b1a2_JaffaCakes118.exe	109
PID 3672 wrote to memory of 3800	3672	d0a2e458a2726ff5a4a4e8d43954b1a2_JaffaCakes118.exe	109
PID 3672 wrote to memory of 3800	3672	d0a2e458a2726ff5a4a4e8d43954b1a2_JaffaCakes118.exe	109
PID 3800 wrote to memory of 4812	3800	DEM76C6.exe	113
PID 3800 wrote to memory of 4812	3800	DEM76C6.exe	113
PID 3800 wrote to memory of 4812	3800	DEM76C6.exe	113
PID 4812 wrote to memory of 4452	4812	DEMD040.exe	116
PID 4812 wrote to memory of 4452	4812	DEMD040.exe	116
PID 4812 wrote to memory of 4452	4812	DEMD040.exe	116
PID 4452 wrote to memory of 864	4452	DEM27E6.exe	119
PID 4452 wrote to memory of 864	4452	DEM27E6.exe	119
PID 4452 wrote to memory of 864	4452	DEM27E6.exe	119
PID 864 wrote to memory of 4756	864	DEM8008.exe	128
PID 864 wrote to memory of 4756	864	DEM8008.exe	128
PID 864 wrote to memory of 4756	864	DEM8008.exe	128
PID 4756 wrote to memory of 2720	4756	DEMD84A.exe	130
PID 4756 wrote to memory of 2720	4756	DEMD84A.exe	130
PID 4756 wrote to memory of 2720	4756	DEMD84A.exe	130

C:\Users\Admin\AppData\Local\Temp\d0a2e458a2726ff5a4a4e8d43954b1a2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d0a2e458a2726ff5a4a4e8d43954b1a2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Users\Admin\AppData\Local\Temp\DEM76C6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM76C6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Users\Admin\AppData\Local\Temp\DEMD040.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD040.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Users\Admin\AppData\Local\Temp\DEM27E6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM27E6.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4452
    - - C:\Users\Admin\AppData\Local\Temp\DEM8008.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8008.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Users\Admin\AppData\Local\Temp\DEMD84A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD84A.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\DEM30AB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM30AB.exe"
        7⤵
        Executes dropped EXE
        
        PID:2720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4508 --field-trial-handle=2224,i,17688331074622862378,73816879873678745,262144 --variations-seed-version /prefetch:8
1⤵
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM27E6.exe

Filesize
15KB

MD5
52b7b1f46c02fdc2db446cb32b4d6b89

SHA1
db3cadf1e33739b2d0b46adc4cb9fe719d0febf5

SHA256
d223d32c471586f64ce155b25575ec9c6766abc5498c09cf880f981474e55860

SHA512
4aac306cf4e63cc2bce13817f8ab5f66c27832a6b179a7fd710313adb4046e03c6fc0bf9b0570d7f8e654904ef52b3f181121144d1592bfe29c2c5cda6bd14e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM30AB.exe

Filesize
15KB

MD5
e5a1d356c3836d011f84b8de7e4bc383

SHA1
c6bcc239b32b8f097003045222e5124ac7f7e2db

SHA256
eaa8f101a802bf353366a7d2ff44cc8822e8b90a57ed5ceabbe0a80ab3c84e8d

SHA512
7f825a6c4e769f8ec509e0d0ba971cf09b1a1005033238f3b8faa46c72f87aadb31fa3e52a992ba78ec4e12a9d953b4497a1c47130102d2035e1330c1c95791a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM76C6.exe

Filesize
15KB

MD5
7c73d0bf1b06e18bbf9e080cc3eceb67

SHA1
7624fc02999158dacd920a2f0d42211cf016af93

SHA256
5e63ddc8013a634b3a13c3db6300ebeb7a5a089980bf7fd6a81ab4658637cb1a

SHA512
4a579a365d8e624098e7d8fa6d264c0e6f20260937f6bab8cd058d457de9496011b888bab6c09c56ed392c08b7d48c688fe515cdb35729bcae1241e5986ec5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8008.exe

Filesize
15KB

MD5
4745c466104f4ae2418b7d552a886d04

SHA1
d2aec5dccaa4067bd26f5400e9a6a1aacc4e6969

SHA256
0ebb8ec629d8fa032027e45f6789e8246b599abd311304b3eb41c9452907fc90

SHA512
7a5da6fba6dd4275f4260d7d909882465ab416ef0ce1eb912df34faf76e298e4774cb1db39b2f00158bb93c672389237205baf047f9ff9d890b10ddfab62d53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD040.exe

Filesize
15KB

MD5
c30a3162835eed89c201e1b91a3bfaf4

SHA1
c6b31574722479006a4b8d4172539c1c10e55b11

SHA256
b53283d06c0347c2ba783e55313b382b805b5f42c7b234fc717104c5f6937858

SHA512
563bf95aa271a308f0b7312401aff7b381f24a321e64f1f1e06c6176ce9907d926d7f9d8dfb589699bc546c548682f35c7ffa68923159b1654ab4304e777e999

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD84A.exe

Filesize
15KB

MD5
2ab7f3fee2d065f610d473504510bc15

SHA1
67b2eb88229c675b9e67cfa3a0c8e273f14914c6

SHA256
2b4f29dd9473c0039f04f60899573af57b3c3185cc94c03c51cb3b545818d206

SHA512
dd42c499d77c3a18484476809d43e60b82a98fa4cd97e957b17fae870ef1b58ce21c1418b18d68c3935617ecdc25530610f0ef4ba37937eea07391b3f60eb180

Download Submit

Analysis

Sharing