fadad05d9a0b8ddb231b296fd0a13e22e4dd62b7eba40ce73e03eaec065ce82e

General

Target

d43d7238318a10ca0b3933f946507cba_JaffaCakes118.exe
Size

15KB
MD5

d43d7238318a10ca0b3933f946507cba
SHA1

49df53be4ed789c81506d4875352ed67c8d8e818
SHA256

fadad05d9a0b8ddb231b296fd0a13e22e4dd62b7eba40ce73e03eaec065ce82e
SHA512

b6bd1fa4eda16602822b6aa52a92ac7549fd2d15d613b3484fb18624f8769d7a8cfb40cbc219a6db441115dec36c8ca8ba7c64467504a1fc2e2018fbece23803
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cn/x:hDXWipuE+K3/SSHgx//x

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM4968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMA207.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMFA59.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM5375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	d43d7238318a10ca0b3933f946507cba_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEME2DE.exe

Executes dropped EXE 6 IoCs

pid	Process
2556	DEME2DE.exe
3976	DEM4968.exe
4820	DEMA207.exe
3592	DEMFA59.exe
1056	DEM5375.exe
4684	DEMAB79.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 2556	4572	d43d7238318a10ca0b3933f946507cba_JaffaCakes118.exe	104
PID 4572 wrote to memory of 2556	4572	d43d7238318a10ca0b3933f946507cba_JaffaCakes118.exe	104
PID 4572 wrote to memory of 2556	4572	d43d7238318a10ca0b3933f946507cba_JaffaCakes118.exe	104
PID 2556 wrote to memory of 3976	2556	DEME2DE.exe	107
PID 2556 wrote to memory of 3976	2556	DEME2DE.exe	107
PID 2556 wrote to memory of 3976	2556	DEME2DE.exe	107
PID 3976 wrote to memory of 4820	3976	DEM4968.exe	109
PID 3976 wrote to memory of 4820	3976	DEM4968.exe	109
PID 3976 wrote to memory of 4820	3976	DEM4968.exe	109
PID 4820 wrote to memory of 3592	4820	DEMA207.exe	111
PID 4820 wrote to memory of 3592	4820	DEMA207.exe	111
PID 4820 wrote to memory of 3592	4820	DEMA207.exe	111
PID 3592 wrote to memory of 1056	3592	DEMFA59.exe	113
PID 3592 wrote to memory of 1056	3592	DEMFA59.exe	113
PID 3592 wrote to memory of 1056	3592	DEMFA59.exe	113
PID 1056 wrote to memory of 4684	1056	DEM5375.exe	115
PID 1056 wrote to memory of 4684	1056	DEM5375.exe	115
PID 1056 wrote to memory of 4684	1056	DEM5375.exe	115

C:\Users\Admin\AppData\Local\Temp\d43d7238318a10ca0b3933f946507cba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d43d7238318a10ca0b3933f946507cba_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Local\Temp\DEME2DE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME2DE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\DEM4968.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM4968.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\DEMA207.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMA207.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Users\Admin\AppData\Local\Temp\DEMFA59.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFA59.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3592
      - C:\Users\Admin\AppData\Local\Temp\DEM5375.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5375.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\DEMAB79.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAB79.exe"
        7⤵
        Executes dropped EXE
        
        PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4124 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4968.exe

Filesize
15KB

MD5
08d5cacddaf9ff0da06ba68a0ad20454

SHA1
a66b2d0dd0a3e42c339bb106746cc69657a78935

SHA256
e9eadd41bb1ed9aeae8806bbcca4dabc81c6decce69da15d07aea5f5ec810109

SHA512
2fbe0a774897dd3f827f8060ab2fb17d6492b2916950d4ae2253c19807dbf229be9b0ae2a08275ab41126ab963e6c5192fed7d80dfbd4437f0c7c7363673a2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5375.exe

Filesize
15KB

MD5
ee615c1acaad2321f039b07f5a392939

SHA1
7def323b17e1433f5e71ccef6a229d464e8bf856

SHA256
ba7d242a1e710bf7aad075a2b3474d265baf5d78b91d3de767a2cd8f6bfca70c

SHA512
2f4340164cae06b2dfc4b52e5e7283852cf5d71bffdc7b2ef6af0991ef79286eb3f548da2807f48c543c31dcb41ea628bd534477b4056483ee04bd14c5945cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA207.exe

Filesize
15KB

MD5
4d58787a91b001f5f6cd8ef793b620ae

SHA1
42a293c7bd589c9da9a945f7f664ff5e281b69c3

SHA256
a284a5997474756654cf50d2334027912ecf406b9ee89357307bc1480cdc7527

SHA512
227a5717ee20ca5fe46fa7d687390e3e7baeaafa4b723da76b0989d3ee589db951bb5b97b0a7606cd16889f32560e189177366170af31db17809332b01c8769c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAB79.exe

Filesize
15KB

MD5
742024e323535dcccaf353f92464c35d

SHA1
05fd9c32917caf0019617199d5e824d048e3fce1

SHA256
73136b2fd419c3abdc57c955036a2482991b0c8eb9f7ae4137c37e5b24671e33

SHA512
e4f20bc14f2caac44fdd8112c012c18cc51930560241d6921a489ec13463c5f3ce338bee5e46d7a0d7fcee4820f4963d8b7a44b2e12a82cd95c52fc7d32954bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME2DE.exe

Filesize
15KB

MD5
a6ef52a1c5bbc25f662f97c45ebee5af

SHA1
9f41cb52db3d7a3adb6f5be3c3c4073aa7393cce

SHA256
a4eabd5dbac1ab3b211fd5edeb172b02967b8653ee15c7ca8f52c8e5773deb72

SHA512
87ac653d009ab3915d296366c226e42f18d1c47baf665c11bfb74ac5268ed81b09d51ba58f22085d9ef7b8c50432ac77c73c75f0299b9d1212cb8807b7ff64c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFA59.exe

Filesize
15KB

MD5
9eb6728924d18311071a725c4f242e03

SHA1
16d74536c257395f4518c3202a210250714c35b5

SHA256
e879e54ba870a7ca5675426ed3a610390d6f950b1585d1106d43713184d70039

SHA512
70e7e24e474af883277d1113e580e4085742c6fb2db74b2056ef45e32d2f9b8252220371088c058e80c9f8901892212aa7d2ca8f98c004d6a3ed5323d942bb91

Download Submit

Analysis

Sharing