dcc1a2c289df3190fb94ba87c05d79178882c08b410d333b8e4c3d79745dbabd

General

Target

d11f8a8b4687e40493fb9be94efb401f_JaffaCakes118.exe
Size

20KB
MD5

d11f8a8b4687e40493fb9be94efb401f
SHA1

7523c6c53d85bc5714352a5445c53bf8102be324
SHA256

dcc1a2c289df3190fb94ba87c05d79178882c08b410d333b8e4c3d79745dbabd
SHA512

2c9a056aed15fc6c102014cb05e498bcf5d9a2f93d3aba85abf92cfaeb07ebc99f4072fe52b13905348fcb401cf23dd5b445e0b3cb88fb9d10cac61c0e81a221
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxX1pH:hDXWipuE+K3/SSHgxmH9v

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMBF34.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	d11f8a8b4687e40493fb9be94efb401f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM5E1E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMB8E0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM1112.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM6879.exe

Executes dropped EXE 6 IoCs

pid	Process
3832	DEM5E1E.exe
3292	DEMB8E0.exe
4424	DEM1112.exe
732	DEM6879.exe
2120	DEMBF34.exe
4456	DEM16E9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 3832	732	d11f8a8b4687e40493fb9be94efb401f_JaffaCakes118.exe	104
PID 732 wrote to memory of 3832	732	d11f8a8b4687e40493fb9be94efb401f_JaffaCakes118.exe	104
PID 732 wrote to memory of 3832	732	d11f8a8b4687e40493fb9be94efb401f_JaffaCakes118.exe	104
PID 3832 wrote to memory of 3292	3832	DEM5E1E.exe	107
PID 3832 wrote to memory of 3292	3832	DEM5E1E.exe	107
PID 3832 wrote to memory of 3292	3832	DEM5E1E.exe	107
PID 3292 wrote to memory of 4424	3292	DEMB8E0.exe	110
PID 3292 wrote to memory of 4424	3292	DEMB8E0.exe	110
PID 3292 wrote to memory of 4424	3292	DEMB8E0.exe	110
PID 4424 wrote to memory of 732	4424	DEM1112.exe	112
PID 4424 wrote to memory of 732	4424	DEM1112.exe	112
PID 4424 wrote to memory of 732	4424	DEM1112.exe	112
PID 732 wrote to memory of 2120	732	DEM6879.exe	114
PID 732 wrote to memory of 2120	732	DEM6879.exe	114
PID 732 wrote to memory of 2120	732	DEM6879.exe	114
PID 2120 wrote to memory of 4456	2120	DEMBF34.exe	116
PID 2120 wrote to memory of 4456	2120	DEMBF34.exe	116
PID 2120 wrote to memory of 4456	2120	DEMBF34.exe	116

C:\Users\Admin\AppData\Local\Temp\d11f8a8b4687e40493fb9be94efb401f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d11f8a8b4687e40493fb9be94efb401f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:732
- C:\Users\Admin\AppData\Local\Temp\DEM5E1E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5E1E.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Users\Admin\AppData\Local\Temp\DEMB8E0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB8E0.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Users\Admin\AppData\Local\Temp\DEM1112.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1112.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\Users\Admin\AppData\Local\Temp\DEM6879.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6879.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:732
      - C:\Users\Admin\AppData\Local\Temp\DEMBF34.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBF34.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\DEM16E9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM16E9.exe"
        7⤵
        Executes dropped EXE
        
        PID:4456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=3136,i,3192284747741020952,1225278682167953346,262144 --variations-seed-version /prefetch:8
1⤵
PID:3324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1112.exe

Filesize
20KB

MD5
6306c509463303a4b9277b1e5ef8c818

SHA1
4146e712735b651c65cbf29c63c519e634ed1fff

SHA256
65c1f5aedfacdd1b3b177e3ab270c61b6742774af9758eac9f73ba3fb57b0dd7

SHA512
50780cb1ead12c3a7f9be444fcfbd4992fac1da133d54f8d5308e4dcedfc627382d6925b21804071532a04fe7a98ec470e221f5b2738e15d5059a6506a8a5447

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM16E9.exe

Filesize
20KB

MD5
883fcb19e0f5038000c66f05855e89f2

SHA1
39d571f283fe1ba6dddce8f807805a1a00fa10f3

SHA256
f4de28c366e64b58a06515f302c4522de10b925f8db1efc0237f873c506e1359

SHA512
a72cbc29d9cdee59e6aef9c9cc042ca1a87834070ca3f243b23cbd2b6928bce4ed2461a7c9921b3a8ca09257b5f7f58def3fd2624c480329c2f81a17a62ffb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5E1E.exe

Filesize
20KB

MD5
3611c1ba7f8b676592bce7cf5d3aa055

SHA1
61a0b39c760a2c9523e2f9a9e65a7d14b5e6c59e

SHA256
0cfb26c531f7a065aa51583e519ed843824ace3f86b1dcf1c2b4944aee217fe9

SHA512
9c6c01fdb3d3f5929e546a0b7b92fb107732f259defa85aa84e446b44856d0f144049983b6c7fda2ef727ea6575293ee495a2dad299105623a3574f41b6c14b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6879.exe

Filesize
20KB

MD5
b870f77b3a9a5f98cc565549dcf1ba00

SHA1
61d015bc0fccaac87799e28248854eea630d9ca7

SHA256
5593d6b9105ab0be653a0635ac9fd6354cb265b7be8970d5e12f2fbb6e415d34

SHA512
e1e17264cf877a15396a5edc0d4db3596157a32841cf90803775b405cdbd47bb4b615611a6278218db00b41a13f2652ce9e520c0c9f9563842fb5e28a1bb28b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB8E0.exe

Filesize
20KB

MD5
f303eff97f31356bc2e8cc465563f554

SHA1
1e413ebe92cac1f76bbe9a20764578c165e06a2e

SHA256
f2ac7d3c5a8b71c96281a259b9e9db302a0c9dadf27ec4460ab695737d813ce9

SHA512
d32f22d02d265ed8ccc5e62397db1bfc1ba7465e7af4e71e64764779f4b2f276ac9ba378b46d27869f0efe7917ec94a07597e081747260c0e9b12cce6344a6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBF34.exe

Filesize
20KB

MD5
a5d0498678b85267d03863026ff1841d

SHA1
f4c9e7cb2c458dabb4492e7ea39bac96d491705a

SHA256
81f88303558ba3a1f553d8140a040e476dc7458c83e2e71331d3f14f5f0e12f4

SHA512
bca0f6d00260d7ed5aa7eb63ae4fc9b7352822768dcf80a702de3e5bc2cd458464575803e68f9afb174158ce574bfb3c872cba90955e00360e39d13a57af1bd7

Download Submit

Analysis

Sharing