2b78280b77d00f17d0ad606906d18056b2a91f040e72e9bd40aba115b59f3959

General

Target

d77c373cce8d458d876716a0c63ae82f_JaffaCakes118.exe
Size

14KB
MD5

d77c373cce8d458d876716a0c63ae82f
SHA1

ddbea85ae8e706b690f9c10229b4af9dd810ca9b
SHA256

2b78280b77d00f17d0ad606906d18056b2a91f040e72e9bd40aba115b59f3959
SHA512

c184b2803732d60097c79ed92981b15fe4266be878c7ec4b5347f73a94406abbd788d2ff8d69c1161030255cb3aa5d303bd33cc82654c2b800d2b61e0b1faf2b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYsZ:hDXWipuE+K3/SSHgxmq

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM46D3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	d77c373cce8d458d876716a0c63ae82f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEME1C5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM3C58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM9584.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMEDB6.exe

Executes dropped EXE 6 IoCs

pid	Process
3148	DEME1C5.exe
4444	DEM3C58.exe
1236	DEM9584.exe
5064	DEMEDB6.exe
412	DEM46D3.exe
1464	DEM9F53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 3148	5036	d77c373cce8d458d876716a0c63ae82f_JaffaCakes118.exe	102
PID 5036 wrote to memory of 3148	5036	d77c373cce8d458d876716a0c63ae82f_JaffaCakes118.exe	102
PID 5036 wrote to memory of 3148	5036	d77c373cce8d458d876716a0c63ae82f_JaffaCakes118.exe	102
PID 3148 wrote to memory of 4444	3148	DEME1C5.exe	106
PID 3148 wrote to memory of 4444	3148	DEME1C5.exe	106
PID 3148 wrote to memory of 4444	3148	DEME1C5.exe	106
PID 4444 wrote to memory of 1236	4444	DEM3C58.exe	108
PID 4444 wrote to memory of 1236	4444	DEM3C58.exe	108
PID 4444 wrote to memory of 1236	4444	DEM3C58.exe	108
PID 1236 wrote to memory of 5064	1236	DEM9584.exe	110
PID 1236 wrote to memory of 5064	1236	DEM9584.exe	110
PID 1236 wrote to memory of 5064	1236	DEM9584.exe	110
PID 5064 wrote to memory of 412	5064	DEMEDB6.exe	112
PID 5064 wrote to memory of 412	5064	DEMEDB6.exe	112
PID 5064 wrote to memory of 412	5064	DEMEDB6.exe	112
PID 412 wrote to memory of 1464	412	DEM46D3.exe	114
PID 412 wrote to memory of 1464	412	DEM46D3.exe	114
PID 412 wrote to memory of 1464	412	DEM46D3.exe	114

C:\Users\Admin\AppData\Local\Temp\d77c373cce8d458d876716a0c63ae82f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d77c373cce8d458d876716a0c63ae82f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\DEME1C5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME1C5.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Users\Admin\AppData\Local\Temp\DEM3C58.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM3C58.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\DEM9584.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9584.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\Users\Admin\AppData\Local\Temp\DEMEDB6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEDB6.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\Users\Admin\AppData\Local\Temp\DEM46D3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM46D3.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\DEM9F53.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9F53.exe"
        7⤵
        Executes dropped EXE
        
        PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3C58.exe

Filesize
14KB

MD5
aa29b6deea9ee281d988b042d0b8f8af

SHA1
95fb05fa78cbd7bedf75f27105981189b4b54d0e

SHA256
705fc99a805757a81df46587754c7db388cb13767ad4f343d774bb2f08234f8d

SHA512
b3950568d571f0632e617c22edca2157d14da048af1b11bbc73e1091a4f621a43ad79085a0482ebc14643d33a57b9130ba822101deef840c1859609ff8ea9555

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM46D3.exe

Filesize
14KB

MD5
994b1d0cc1852f51986fc0fc4a07d512

SHA1
5a9093a56434ec1addc7780a606f9dfa8bd85a52

SHA256
00ead817c13119c3a042d336eee9a38bdba23a2ab61f0bb9de811e68b4025dac

SHA512
7d423817107f10fcd0e23a0b25017de19dd0590e8f8b47681441274706c9d3716c63e7402a0393690faecae4a166faa5205bb0d6ec4e25ca238be64781989f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9584.exe

Filesize
14KB

MD5
fe7acb35c65ce7ce74929153e99b6f3e

SHA1
20d4839f1ae9f6502b97d8fd086b9c8b3d97c1a7

SHA256
4a46d92e320e16bbec1217641869dcf6b7a4713605f63e3714a7b01d124762aa

SHA512
6bdaa84278e2a95dc44ff57976167b890b074e2ed931d52ba78f8e73a92522554e4237b19da8ac8ab00e1fa7d8422c95f28d2af95351b58dfd8100b44c91cc03

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9F53.exe

Filesize
14KB

MD5
3aebc91254d265159f3d2bbf34c02d12

SHA1
80e91cf809bb658f3efe7e73ffeac88e618b6c58

SHA256
fd9ad4d29dfdbcdbf57803f606137059709837e051591831da6cde3e0590e765

SHA512
1a5604e63cfd889ae795a928be3c5a93cbfbd578d75175a9f3e8662caaa08f454d7f20dd34ded264a21b6993fc023994b352ecf055722de738215628a71b39e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME1C5.exe

Filesize
14KB

MD5
007bf811315ef80e875fd50f4f2b87c5

SHA1
7024edfa1e1cad17fec8b9367a1eb5145166659c

SHA256
2c19fb1745b066b582749a0f9cf220a70e720399e0ac985825eb11621efb448e

SHA512
11779d5fdcfbcd04e0513360b7f769eb0248863dcc9dbe27a30b6d4c6abd7a7a6a6f8bd5f7d44e78fc9f14ad3e6e4b6b07a6b2480916dd1fa0d194127c07d5ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEDB6.exe

Filesize
14KB

MD5
485f5036e1fb526740e0e4c4a7dfe9d9

SHA1
10c09cd8dfcaaa0b5e8e6c0192ac7b1eb477f9fe

SHA256
b5b15014c791ba135b51ee2ac1bb71238a77965cfce794b080053f13b924102a

SHA512
565d2249127b0e044ad60d9ae9f2ae46d3ee9d680a4a28f40caaa57e38a5cd287659714ac0996504be9315a826104339d57b49fbf271864c7ea6f8488d4afd10

Download Submit

Analysis

Sharing