ecc8478f063d0c892b32f40356699e66a41c169469efbd88945df2ce4774e01b

General

Target

db6b893528627878e0c51be2097f35bf_JaffaCakes118.exe
Size

16KB
MD5

db6b893528627878e0c51be2097f35bf
SHA1

1ca0f4bebc44beeb6829d76be85fb359a58b5a8e
SHA256

ecc8478f063d0c892b32f40356699e66a41c169469efbd88945df2ce4774e01b
SHA512

3c405bc80f89b831c3e0cd7059c1d66ea5a8094671a0f7191ba400cacd2f602a25bc8bcb5737bd862800ff3d0244617937f9df579f5d3626795e74b91f49588c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl4y:hDXWipuE+K3/SSHgxmlX

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM5148.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMA94B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMC1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	db6b893528627878e0c51be2097f35bf_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEM9D88.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DEMF964.exe

Executes dropped EXE 6 IoCs

pid	Process
1048	DEM9D88.exe
4512	DEMF964.exe
3464	DEM5148.exe
4600	DEMA94B.exe
5052	DEMC1.exe
3560	DEM572E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 1048	4016	db6b893528627878e0c51be2097f35bf_JaffaCakes118.exe	101
PID 4016 wrote to memory of 1048	4016	db6b893528627878e0c51be2097f35bf_JaffaCakes118.exe	101
PID 4016 wrote to memory of 1048	4016	db6b893528627878e0c51be2097f35bf_JaffaCakes118.exe	101
PID 1048 wrote to memory of 4512	1048	DEM9D88.exe	106
PID 1048 wrote to memory of 4512	1048	DEM9D88.exe	106
PID 1048 wrote to memory of 4512	1048	DEM9D88.exe	106
PID 4512 wrote to memory of 3464	4512	DEMF964.exe	108
PID 4512 wrote to memory of 3464	4512	DEMF964.exe	108
PID 4512 wrote to memory of 3464	4512	DEMF964.exe	108
PID 3464 wrote to memory of 4600	3464	DEM5148.exe	110
PID 3464 wrote to memory of 4600	3464	DEM5148.exe	110
PID 3464 wrote to memory of 4600	3464	DEM5148.exe	110
PID 4600 wrote to memory of 5052	4600	DEMA94B.exe	112
PID 4600 wrote to memory of 5052	4600	DEMA94B.exe	112
PID 4600 wrote to memory of 5052	4600	DEMA94B.exe	112
PID 5052 wrote to memory of 3560	5052	DEMC1.exe	114
PID 5052 wrote to memory of 3560	5052	DEMC1.exe	114
PID 5052 wrote to memory of 3560	5052	DEMC1.exe	114

C:\Users\Admin\AppData\Local\Temp\db6b893528627878e0c51be2097f35bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\db6b893528627878e0c51be2097f35bf_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Users\Admin\AppData\Local\Temp\DEM9D88.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9D88.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Users\Admin\AppData\Local\Temp\DEMF964.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF964.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\DEM5148.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5148.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3464
    - - C:\Users\Admin\AppData\Local\Temp\DEMA94B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA94B.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4600
      - C:\Users\Admin\AppData\Local\Temp\DEMC1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC1.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\DEM572E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM572E.exe"
        7⤵
        Executes dropped EXE
        
        PID:3560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4152 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5148.exe

Filesize
16KB

MD5
ebadb353b12773200e20a39502bc1c44

SHA1
a7503feafabeab7040be2f8c11880f9415e4f416

SHA256
ecc28df08b0262823883dcfe08cbe525788114828da9a35e39627f123e95e90f

SHA512
73fdd5a00143f57e265584494bc9adfcf9dffb7ccb1d2c0bf914c634624007ea2dfd03dbba2f6a47d1fec52a0b73c63fc9c52bd312b740d1b6a955272763ba34

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM572E.exe

Filesize
16KB

MD5
3e9afc4460210ea1181ce75d626a2899

SHA1
2e11754336c5664895fbcc2438793c5b515934ba

SHA256
fafae1dab3991f8d5bd55584680bea80abf202670302b1fa70931e08fdad7250

SHA512
62ce742816c912484dc15121816d9a2f6903985f553872f204f91fcedf607f2b58350baf4f4ae7f51f3b469a72aee9b8e73ffcce905a49e91daf58fe11e57249

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9D88.exe

Filesize
16KB

MD5
f447a7fc10ca361ddbb9d732d5c10e49

SHA1
037591132ec151730ac84b3fc1fd99930288d17c

SHA256
824203756d1320939cb8dda44e667fbb4a892cda4b604f70a453ffb896c60334

SHA512
aa449cb58b112e73a896a7b7e901c0cb4063a33ad56c8cdf01781390076d2bf6106b30d16b59c5e2a98529b80e38bb46ecee0c456636d6977818b12d354cc89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA94B.exe

Filesize
16KB

MD5
110adc42b9cc7bd815b0c31b6b63e43e

SHA1
96bfd16509e169a6c68ffeaac2af02fef575280d

SHA256
a3f9410dd7eee94b888fad25793617e7484f77afd54eb8350936ea7384c9e426

SHA512
74911c2184e1d332aa454d3b71e2c2eaad17c38ea0055416209bd7785b00d35fac6729bc3b5ba5546586f45dc3539dd4e777805e7baa8532ed4eeda3ab745d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC1.exe

Filesize
16KB

MD5
26a79517157195c2e8f17019f85f2f60

SHA1
d81a0fcd0a93f3ad39ed7b43de4533fdd7107c31

SHA256
d10a98237f9b0781ee63bc4980e68785798a89cc8e8b64c8e9cd0f3276926306

SHA512
c98f2c2fdab6800c375458b575f18409eea1471753f1afda73375521e1a7d729bfd0f3829cdb51f5f5b4dfd8690aa322a884ea345b09f5f05c2d1760d4e61906

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF964.exe

Filesize
16KB

MD5
470454f51874a52fb19ac6d97fcb7698

SHA1
066031fc1afae606751516fcbda6e7c561a4a271

SHA256
fdda3ab570d017739ee8cdede7ca5e305cfec9ceda1a0dc7dd42ec83d7cc3ff1

SHA512
d9687611040176f599587c48f25dcd9bf9af9ec76e6e76c98c1e53b60cf78f1a5cf8086ed8ff4db69ccd0681f52e5999abb7b666a0f4a3156827a79b88adea47

Download Submit

Analysis

Sharing