99d030b6d50c846039217caf7a5cfc111838956b6a44f502f9442632cad01e15

General

Target

d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe
Size

16KB
MD5

d017f92ffeb850bd8f82357e37ce7441
SHA1

967046b69b8b61d78fa9d9b1b993d85640f87a56
SHA256

99d030b6d50c846039217caf7a5cfc111838956b6a44f502f9442632cad01e15
SHA512

83212e71fbb53b3999a3f9646005efb4eec62da9fafb4dd2c26ef9251e8732b7549944f27a01c772cdba7519c0dc9a3740ff60137ef37b960dcf703c639b2d1b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYJGJGdQ:hDXWipuE+K3/SSHgxmwJGdQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMDC9F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM79F3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMD419.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM2C7A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM8410.exe

Executes dropped EXE 6 IoCs

pid	Process
3312	DEM79F3.exe
3084	DEMD419.exe
4912	DEM2C7A.exe
4092	DEM8410.exe
4908	DEMDC9F.exe
2292	DEM3435.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 3312	4652	d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe	109
PID 4652 wrote to memory of 3312	4652	d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe	109
PID 4652 wrote to memory of 3312	4652	d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe	109
PID 3312 wrote to memory of 3084	3312	DEM79F3.exe	113
PID 3312 wrote to memory of 3084	3312	DEM79F3.exe	113
PID 3312 wrote to memory of 3084	3312	DEM79F3.exe	113
PID 3084 wrote to memory of 4912	3084	DEMD419.exe	117
PID 3084 wrote to memory of 4912	3084	DEMD419.exe	117
PID 3084 wrote to memory of 4912	3084	DEMD419.exe	117
PID 4912 wrote to memory of 4092	4912	DEM2C7A.exe	119
PID 4912 wrote to memory of 4092	4912	DEM2C7A.exe	119
PID 4912 wrote to memory of 4092	4912	DEM2C7A.exe	119
PID 4092 wrote to memory of 4908	4092	DEM8410.exe	128
PID 4092 wrote to memory of 4908	4092	DEM8410.exe	128
PID 4092 wrote to memory of 4908	4092	DEM8410.exe	128
PID 4908 wrote to memory of 2292	4908	DEMDC9F.exe	131
PID 4908 wrote to memory of 2292	4908	DEMDC9F.exe	131
PID 4908 wrote to memory of 2292	4908	DEMDC9F.exe	131

C:\Users\Admin\AppData\Local\Temp\d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Users\Admin\AppData\Local\Temp\DEM79F3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM79F3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Users\Admin\AppData\Local\Temp\DEMD419.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD419.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Users\Admin\AppData\Local\Temp\DEM2C7A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2C7A.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Users\Admin\AppData\Local\Temp\DEM8410.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8410.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4092
      - C:\Users\Admin\AppData\Local\Temp\DEMDC9F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDC9F.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\DEM3435.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3435.exe"
        7⤵
        Executes dropped EXE
        
        PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4200 --field-trial-handle=2232,i,10468259530860544675,2192522633371581869,262144 --variations-seed-version /prefetch:8
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2C7A.exe

Filesize
16KB

MD5
57c05ac0926d61e6a905e549657cb85e

SHA1
12d7d2f95bf53cda5bf3df2921d2998618ebabd2

SHA256
a2a06bc48875c6b5d519c80f7742d9af6994c2b2c5c8f12668b3cd5f39133e99

SHA512
b28f408f440f8ba1107af7b099ef789b67f06bec83ad23ab98159611e2b1b5f41664bf5b80b6274de6f59b47e9ae4fae77dcfec47eae01c5c1184b3a2b83344b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3435.exe

Filesize
16KB

MD5
b588ed4224308fc23f03c6a72e31255f

SHA1
cd9acb6ee1df674359e9d07c327f54deb9f4be01

SHA256
3d330d2adbd73b66ad4268ec39f9443e5a1d1e784e784d30b3fdb5297c65d084

SHA512
2d061a1452bd362d5b6999763f867473ce88e47db48fa2394b73188bf43459d6facd9931507a520ab58752e3918aadc76b40aadab5a295e20314a4188d0f2e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM79F3.exe

Filesize
16KB

MD5
c7da5ad9324aa1d7a3166eccf5847369

SHA1
a6a8c9580137166731fe42e9114c19f948f55aa7

SHA256
3bc9e2271046f2671a079a35680b74d8b27620a66c75b84e4030776bbd349d1c

SHA512
9ab3d5473f7129a747068eae551e7a776b9b06dfa31811164b52efd26bdf83ddc996cf827b1e4d6499c0f7457a74c761b84309eafa89863df75a428b684b0578

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8410.exe

Filesize
16KB

MD5
3f4f8710fc824eec7f335e96962bec5f

SHA1
461de3fb1572dbb92e95172aa7bac0c4e2e3062a

SHA256
11ee69c3b2145b253c4b7396b9199584bdcf666ae7b2b02938e98ced16bb3d12

SHA512
ce34cb4f6de005f29150adce01c039a20700c704858700622677795ba35a6058a43610e88cbd8e5b91a7393e3032bcd9f53d755ee2da33ebb834b3551c69c72c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD419.exe

Filesize
16KB

MD5
2df39e5fb5ba4a5bfafe3aff934cd2e3

SHA1
d2c6d996b09e3d3fd684872fabd14bb91e0feb55

SHA256
55b9a5ced2cdb7c62ffb17f78e515b9ecf1cfb8484169ccde58cb571663d0f14

SHA512
9ef97d0b925ae6b7df0e53f29c0c0bff6c0230abfd16b7afd7d932f55473b81b2e12904ec74ac463663414dd940b16a22d1be7ee266452bc0f20406177a85dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDC9F.exe

Filesize
16KB

MD5
c903a5f6073db23ac12486f0b702c64e

SHA1
cfae23252c07ab76d443be968adce6a8a0345823

SHA256
403d990d7318b0d1d686e7fad194b23c9c00bf40b0cc878de42c4a46abadbb13

SHA512
c96dcc690724dd0f8d64e807f1dc73c21c64c1e7ac24ae764a71bfba71981e668be6c850e47914c3cfc97f5d8694d710112bf3e40906255ce9e70c5a9a3f4181

Download Submit

Analysis

Sharing