c025f72c59127f9244c4fe6c716e614d05c9ae2f765162064e0f2d5b25a5f311

General

Target

d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe
Size

14KB
MD5

d0cc8b51c66686d121141cea281f6867
SHA1

d131fe5aabe1a57b3e5acdbcfc9b823843157d78
SHA256

c025f72c59127f9244c4fe6c716e614d05c9ae2f765162064e0f2d5b25a5f311
SHA512

294807a3cd03ffae3dff8924cee5d6d724de524e273bff63c1e28a1420fcbb4322e990a185d44fdf4e657f6dd3d0319c687c90239f2dc3cca27d0cd1daaa5d1e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4YZUN:hDXWipuE+K3/SSHgxm4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMBE7D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM1817.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM7039.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMC743.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM1FE2.exe

Executes dropped EXE 6 IoCs

pid	Process
3356	DEMBE7D.exe
4592	DEM1817.exe
944	DEM7039.exe
3660	DEMC743.exe
2648	DEM1FE2.exe
2080	DEM7843.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 3356	2832	d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe	104
PID 2832 wrote to memory of 3356	2832	d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe	104
PID 2832 wrote to memory of 3356	2832	d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe	104
PID 3356 wrote to memory of 4592	3356	DEMBE7D.exe	108
PID 3356 wrote to memory of 4592	3356	DEMBE7D.exe	108
PID 3356 wrote to memory of 4592	3356	DEMBE7D.exe	108
PID 4592 wrote to memory of 944	4592	DEM1817.exe	110
PID 4592 wrote to memory of 944	4592	DEM1817.exe	110
PID 4592 wrote to memory of 944	4592	DEM1817.exe	110
PID 944 wrote to memory of 3660	944	DEM7039.exe	112
PID 944 wrote to memory of 3660	944	DEM7039.exe	112
PID 944 wrote to memory of 3660	944	DEM7039.exe	112
PID 3660 wrote to memory of 2648	3660	DEMC743.exe	114
PID 3660 wrote to memory of 2648	3660	DEMC743.exe	114
PID 3660 wrote to memory of 2648	3660	DEMC743.exe	114
PID 2648 wrote to memory of 2080	2648	DEM1FE2.exe	116
PID 2648 wrote to memory of 2080	2648	DEM1FE2.exe	116
PID 2648 wrote to memory of 2080	2648	DEM1FE2.exe	116

C:\Users\Admin\AppData\Local\Temp\d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Local\Temp\DEMBE7D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMBE7D.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Users\Admin\AppData\Local\Temp\DEM1817.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1817.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Users\Admin\AppData\Local\Temp\DEM7039.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7039.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\Users\Admin\AppData\Local\Temp\DEMC743.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC743.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3660
      - C:\Users\Admin\AppData\Local\Temp\DEM1FE2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1FE2.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\DEM7843.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7843.exe"
        7⤵
        Executes dropped EXE
        
        PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3376 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1817.exe

Filesize
15KB

MD5
ac4375e983d48f34f26fffc73b4fedd4

SHA1
02629ec7d1464163ab39d86fe907dc660ce086f6

SHA256
f529879f1b65e76c775fef0e5c9f399ed84281d58916258879fcb4f44b7d7b5b

SHA512
f7e408b2f1d0ab10aa66cc415c8bdc0aa4a263024ca9cd59489648be54498ac46e7fbe7c708991dec31bc68582bde031e5df48296f51d8068c2b8312dab4687e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1FE2.exe

Filesize
15KB

MD5
181f8d52f8a15c6c0addb517397e8a71

SHA1
f9b66dbf2908f37abbe9e7dfa22b44680f56026a

SHA256
114ff9a55094d0f9c3aa15932d12f3612a3a5ee9bd5ec255e27ae66552f59925

SHA512
bb38b99cc6950e7869652da0cb927c9ebc6ad3d9e26a17139eaf934ea6e2e7bb11b39940e5e82e9fbebc04c2ff19bc2b5efb7767664f10dc09df0b37aeee1f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7039.exe

Filesize
15KB

MD5
06866c71e01e1526451b300f11789537

SHA1
ff7c71d232204b34981afcfd8daa69638a932605

SHA256
8202373802142f76ed7973665c912d5e5b260724589f7f721a6777a91c3f96b6

SHA512
8fb06022cbadc4e80b022b4b5d7cc51655d115d0044a87622d068bf99aa94e99d07727395390bb31cba4250561b67773b01d503b51074b1515d359c569cfb238

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7843.exe

Filesize
15KB

MD5
b9cf4fc1cf418ebdbfc46b8994dc51e5

SHA1
effb1b6fb1b553ca215b392a985b653509c890c5

SHA256
b8e7ee763dd5fa94a3504ae083540981b3ea80ffa1ffae19a34a5a2e5aeddd0c

SHA512
dc58096bcaca2deadf5456bbda6fa7935af09881ef2fe5df59b9911a5c285eb7e1bb6edffad4d3ccaa8445a7907527ac2b740fde509bb28dc442039e0017ca55

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBE7D.exe

Filesize
14KB

MD5
8eeb4b152f29cdb0083f382a2b6b002d

SHA1
70bbe3996fdf776d4aa97e408ee08691696b3843

SHA256
4d49ec89d5c7ab78ff77e7071fcf7becf937fea1281135d037ef908800311a7c

SHA512
d36eef4e6d4f2a9843c24ce965e45b7be99d57ae2c277b65b0038e2c7a6116aafcab0bd0d54a6160e4811ac6279bc882370512a8d486ba8339fc02cc39f506f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC743.exe

Filesize
15KB

MD5
59bd7c328553ecd06733ddf0c5363cb9

SHA1
4d0f5d85e1eb2989394f80380dd7236f9c9186c5

SHA256
687d1ffa1fe297ff7c1f8dce6c2fdcfa73f140d8889a4a083bcd414be0e526f3

SHA512
cdb1ac5a001afb483fad575d96699ed60601f732e40bec3a87045543459cdb1d7f80008ba9f1deaad53ec0a599acc7d74b99e828a3d6875a26f1f43da2dcd9c5

Download Submit

Analysis

Sharing