1a49ffd275da8d53f46b00f227a56a4a65f1bd72cb94f354dbed4b9922c20a50

General

Target

d6821f0144fb2cc300d39173a2247b14_JaffaCakes118.exe
Size

15KB
MD5

d6821f0144fb2cc300d39173a2247b14
SHA1

636370ab5731df90a580c7e945def8a1d2fe577f
SHA256

1a49ffd275da8d53f46b00f227a56a4a65f1bd72cb94f354dbed4b9922c20a50
SHA512

0bca3159a377a505e67c74e207ce69987124a07b677ad10638a3f68127506d28e6a78a8bd0528b7c9ecff735d301d9e8de709680a580642198c98e688e8c4178
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5Xr:hDXWipuE+K3/SSHgxmF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM44CF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	d6821f0144fb2cc300d39173a2247b14_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMD2A2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM39D8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM9239.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMEC5F.exe

Executes dropped EXE 6 IoCs

pid	Process
180	DEMD2A2.exe
384	DEM39D8.exe
4076	DEM9239.exe
4384	DEMEC5F.exe
3260	DEM44CF.exe
2844	DEM9DEC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 180	3956	d6821f0144fb2cc300d39173a2247b14_JaffaCakes118.exe	103
PID 3956 wrote to memory of 180	3956	d6821f0144fb2cc300d39173a2247b14_JaffaCakes118.exe	103
PID 3956 wrote to memory of 180	3956	d6821f0144fb2cc300d39173a2247b14_JaffaCakes118.exe	103
PID 180 wrote to memory of 384	180	DEMD2A2.exe	107
PID 180 wrote to memory of 384	180	DEMD2A2.exe	107
PID 180 wrote to memory of 384	180	DEMD2A2.exe	107
PID 384 wrote to memory of 4076	384	DEM39D8.exe	109
PID 384 wrote to memory of 4076	384	DEM39D8.exe	109
PID 384 wrote to memory of 4076	384	DEM39D8.exe	109
PID 4076 wrote to memory of 4384	4076	DEM9239.exe	111
PID 4076 wrote to memory of 4384	4076	DEM9239.exe	111
PID 4076 wrote to memory of 4384	4076	DEM9239.exe	111
PID 4384 wrote to memory of 3260	4384	DEMEC5F.exe	113
PID 4384 wrote to memory of 3260	4384	DEMEC5F.exe	113
PID 4384 wrote to memory of 3260	4384	DEMEC5F.exe	113
PID 3260 wrote to memory of 2844	3260	DEM44CF.exe	115
PID 3260 wrote to memory of 2844	3260	DEM44CF.exe	115
PID 3260 wrote to memory of 2844	3260	DEM44CF.exe	115

C:\Users\Admin\AppData\Local\Temp\d6821f0144fb2cc300d39173a2247b14_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6821f0144fb2cc300d39173a2247b14_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Users\Admin\AppData\Local\Temp\DEMD2A2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMD2A2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:180
- - C:\Users\Admin\AppData\Local\Temp\DEM39D8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM39D8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Users\Admin\AppData\Local\Temp\DEM9239.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9239.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4076
    - - C:\Users\Admin\AppData\Local\Temp\DEMEC5F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEC5F.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4384
      - C:\Users\Admin\AppData\Local\Temp\DEM44CF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM44CF.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\DEM9DEC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9DEC.exe"
        7⤵
        Executes dropped EXE
        
        PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM39D8.exe

Filesize
15KB

MD5
4286e16d21f1164acc75466c46846f74

SHA1
1a60e885ffc93128e59076e4f82274e7d403706a

SHA256
c96e4d8b92448af093c08db482ab97312ca415cb79351778ffa1a242a27948a2

SHA512
cd36f34bd613ec9cf21209ce361c494edfce9a32d5288972829396fa9fda98193a62e7999ff427c2fe6bcef3d273e66339a9639612c573456a9b07db35f6df85

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM44CF.exe

Filesize
15KB

MD5
ea624c5a4f66c63a2031bd5f392d57a2

SHA1
7793b03a14a40f0ea07fcfb6ce83e802eb477640

SHA256
852bb76bd3d75935b330a19295dcea42c30714fe0ec90f7d497ed409c407df66

SHA512
4977ce051b6a067f626026da0f8969a4a251eae919cc1e374911e7927291fcfd88c44c6554e60ed6be19a7554a18548b988deed57e4e0f96ac944bf63ccaba31

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9239.exe

Filesize
15KB

MD5
62e014b24faf8b32659679e5ac36968f

SHA1
d1c60e3d71223bfb771babece42c3d024d248c04

SHA256
f645326eebe6854f0976f0c27b20722adc02215b41c2de3d3f98b4bd8aa449df

SHA512
b1fe506dea4a881a010cd29f160766b650ad152742539f5e27dc6b0c6866064f12f99aef07ac8ade6c11139637c3bd2b8db013783e6e04a649f8c4260cad7e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9DEC.exe

Filesize
15KB

MD5
0da3af3c284540eed042c06d395e63e0

SHA1
3f9444fd9c263ab5b861dfe1a40ad3b36ca9a8bd

SHA256
21ac550d78fce2b57715267bafed140f726bdf7b5f5a7c873b24d62650906873

SHA512
67e474b9fd53820a56fc3b48e947353e5e54a219b0293126f012e2d0a08706813193d24ac968e69513be4326b052817eb1158c7d975aad02937c55d1943a8cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD2A2.exe

Filesize
15KB

MD5
240cc53387ba12c3df7b7211e3d04800

SHA1
7e0a70dc05e775eda125a03d26faa068771f5c39

SHA256
b7167640636060d0842dd1c3643ad83db9915010503904f4789eb3bd103d6d82

SHA512
bef978a3400dbab21e84011370f5cad96292ebdc265e391a91623d1d8c7073a1a61363407f3844289176fd0038bd92fbf525f4badf66d4c6eb3bd04a133a399a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEC5F.exe

Filesize
15KB

MD5
ff43f2f8165461c9a7fd749884cfa2b6

SHA1
41d6fa3ac98f9d7a79f381e48b35cf260c797018

SHA256
7b1e813f0e2f91c11138ebd8e7f8afbf867e384f771f79d2f4e17d96786564fd

SHA512
f1b9bb102db338f9905ed18bc6eae12b99b9718d50b30d7b27c18fea0c4b2c99b16facf9da2129c106f3b377a551f3014df692ccaa7a0980d67150d55d3afb8a

Download Submit

Analysis

Sharing