fc3d8b2d3be457943649a6880c6bf11eb280bca9170510c3528d66d856695e8e

General

Target

d4c7ed7a36abf914ebce6cbb4d4eea50_JaffaCakes118.exe
Size

16KB
MD5

d4c7ed7a36abf914ebce6cbb4d4eea50
SHA1

d5c5bbdd00a1f6e92cc75125695b9079d43cd417
SHA256

fc3d8b2d3be457943649a6880c6bf11eb280bca9170510c3528d66d856695e8e
SHA512

2adce04e99636145ee0f8ea52315bef5ea6afab2625cf6c04d448b063a4b2647c74f900177bcadc2c4961da970b0f6f74b5058f1c28d915523f825d4c12c11ca
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5Jo:hDXWipuE+K3/SSHgxl5i

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	d4c7ed7a36abf914ebce6cbb4d4eea50_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMEDFA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM47D2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM9F96.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMF7B9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM4DF7.exe

Executes dropped EXE 6 IoCs

pid	Process
1952	DEMEDFA.exe
4192	DEM47D2.exe
2836	DEM9F96.exe
3000	DEMF7B9.exe
2320	DEM4DF7.exe
1952	DEMA4E1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3720	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 1952	4028	d4c7ed7a36abf914ebce6cbb4d4eea50_JaffaCakes118.exe	110
PID 4028 wrote to memory of 1952	4028	d4c7ed7a36abf914ebce6cbb4d4eea50_JaffaCakes118.exe	110
PID 4028 wrote to memory of 1952	4028	d4c7ed7a36abf914ebce6cbb4d4eea50_JaffaCakes118.exe	110
PID 1952 wrote to memory of 4192	1952	DEMEDFA.exe	114
PID 1952 wrote to memory of 4192	1952	DEMEDFA.exe	114
PID 1952 wrote to memory of 4192	1952	DEMEDFA.exe	114
PID 4192 wrote to memory of 2836	4192	DEM47D2.exe	117
PID 4192 wrote to memory of 2836	4192	DEM47D2.exe	117
PID 4192 wrote to memory of 2836	4192	DEM47D2.exe	117
PID 2836 wrote to memory of 3000	2836	DEM9F96.exe	120
PID 2836 wrote to memory of 3000	2836	DEM9F96.exe	120
PID 2836 wrote to memory of 3000	2836	DEM9F96.exe	120
PID 3000 wrote to memory of 2320	3000	DEMF7B9.exe	128
PID 3000 wrote to memory of 2320	3000	DEMF7B9.exe	128
PID 3000 wrote to memory of 2320	3000	DEMF7B9.exe	128
PID 2320 wrote to memory of 1952	2320	DEM4DF7.exe	136
PID 2320 wrote to memory of 1952	2320	DEM4DF7.exe	136
PID 2320 wrote to memory of 1952	2320	DEM4DF7.exe	136

C:\Users\Admin\AppData\Local\Temp\d4c7ed7a36abf914ebce6cbb4d4eea50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d4c7ed7a36abf914ebce6cbb4d4eea50_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\DEMEDFA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMEDFA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\DEM47D2.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM47D2.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Users\Admin\AppData\Local\Temp\DEM9F96.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9F96.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Users\Admin\AppData\Local\Temp\DEMF7B9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF7B9.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Users\Admin\AppData\Local\Temp\DEM4DF7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4DF7.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\DEMA4E1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA4E1.exe"
        7⤵
        Executes dropped EXE
        
        PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3640 --field-trial-handle=2132,i,4018525042804461719,1997165676266557055,262144 --variations-seed-version /prefetch:8
1⤵
PID:1952

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM47D2.exe

Filesize
16KB

MD5
aa7ccda30d3db70398cac7c11c1ea579

SHA1
2e2abfd6795268ca0e45450dfc16d667d67109af

SHA256
ba86e8d2270143186758a5556ae007602d8371097bf64883b4ecfe22446684b4

SHA512
12775e8faacf454de14fac84480e19809c7a52a65d386273fc8852c245d0676fe737a154964107321d3f8c5a28c7e2d9c48858989dc3c3e6677ae8f7957649ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4DF7.exe

Filesize
16KB

MD5
68438c091bf4ad159276baae13735361

SHA1
73f6eefc53c5023320d52e7f868b5271824e511a

SHA256
35593407b2872449872089448a75a87990a376bfe2e225cbe8b2786f7343d0ba

SHA512
eb4a5b9a7876f8a5d1dc7618d89605698877a795fead481a759ea6f246c28c2dae61ae11f9f225f854358b2af4538847a864c0472429ade56b1ccf282dda2596

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9F96.exe

Filesize
16KB

MD5
bb07e67d8e4cf890c90e00f65e9b8cf2

SHA1
3c7cf52a1068f9e2c7bf7c0c8b09157fd4de46cc

SHA256
d2b225e6aa641b10cbd5c5da00d75555c1e5ea5bd406cf7b69f33b5b0cf7a9fb

SHA512
b661343096f362326398e04f733de9eb2428d14186babc02733b9bc502705de23dabfbda48fc6b96e1ee55b2ea98e12cb61580e6e9e1f6de92a386f708d86fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA4E1.exe

Filesize
16KB

MD5
cd07bbd0002643aeb6e91b1383ef3c1b

SHA1
567343670c5a25d7ad1a7aac191e1a87d7fd323a

SHA256
b967169eece0222a3488a6175391dfad91aaee16576ea00f1f96faa6068011c0

SHA512
5e4daabcd2075b03459229266ceeef551b902b68e156067413f16b2563983015b7d3ca5bd9dd5441f4299e90e78f60b277e5d6111c75b26553b26f5a8602e53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEDFA.exe

Filesize
16KB

MD5
e863095631709a5d7698956fda8e2c56

SHA1
358cabdf75b3d323c2b704ef8dd0a728f0cc1750

SHA256
a6176e1add72fc952ef52a96e451fb48229b5b038e2f9a1c02408101c38082b3

SHA512
9a37e80b7482f5b8087796a0c1cedebfa415281b4b006090829565387d619c770c4e6499ced80b8a5757501e5c36e953c09a68560719a60e386add945eb26603

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF7B9.exe

Filesize
16KB

MD5
cf86f3979d3d10be1d705eb0c0f922c8

SHA1
7bdf0765f8729ce28f4492a24a3f0fe696c82385

SHA256
3111e14dce00bd0012641ee0dc27366eddcee0647c6954ebb23bfc84e6f4c2d6

SHA512
2722865810e69b6e227af9d7b73823eb67c127c573f947c2aa51e98d67bfaaba867d9039485866c171a87e5801d6a207fff32cc2fd019c679a4032a8a5e3593e

Download Submit
memory/3720-41-0x000001C34C740000-0x000001C34C750000-memory.dmp

Filesize
64KB

Download
memory/3720-57-0x000001C34C840000-0x000001C34C850000-memory.dmp

Filesize
64KB

Download
memory/3720-73-0x000001C354B90000-0x000001C354B91000-memory.dmp

Filesize
4KB

Download
memory/3720-75-0x000001C354BC0000-0x000001C354BC1000-memory.dmp

Filesize
4KB

Download
memory/3720-76-0x000001C354BC0000-0x000001C354BC1000-memory.dmp

Filesize
4KB

Download
memory/3720-77-0x000001C354CD0000-0x000001C354CD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing