1a87b6b5bd69cfa0ffadee1f307e781f3ef920666eb3471c52669959ebb9df3a

General

Target

da817119a499aa5ac19a21f571a5476d_JaffaCakes118.exe
Size

14KB
MD5

da817119a499aa5ac19a21f571a5476d
SHA1

63d869b0a630fe64e2f3ac257a73a480f3011221
SHA256

1a87b6b5bd69cfa0ffadee1f307e781f3ef920666eb3471c52669959ebb9df3a
SHA512

62c79461d4c68069bea229a2253a9a4508b52188c809768841afb42d4eb87cfffc8dae456ccc9ff2621546a828e32643748e9a6519b9130ea5b84b49ef19360f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0JU:hDXWipuE+K3/SSHgx46

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM3861.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM9064.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEME857.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	da817119a499aa5ac19a21f571a5476d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM86E3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEME08C.exe

Executes dropped EXE 6 IoCs

pid	Process
1748	DEM86E3.exe
4620	DEME08C.exe
4356	DEM3861.exe
3940	DEM9064.exe
492	DEME857.exe
1964	DEM406A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 1748	3432	da817119a499aa5ac19a21f571a5476d_JaffaCakes118.exe	107
PID 3432 wrote to memory of 1748	3432	da817119a499aa5ac19a21f571a5476d_JaffaCakes118.exe	107
PID 3432 wrote to memory of 1748	3432	da817119a499aa5ac19a21f571a5476d_JaffaCakes118.exe	107
PID 1748 wrote to memory of 4620	1748	DEM86E3.exe	111
PID 1748 wrote to memory of 4620	1748	DEM86E3.exe	111
PID 1748 wrote to memory of 4620	1748	DEM86E3.exe	111
PID 4620 wrote to memory of 4356	4620	DEME08C.exe	114
PID 4620 wrote to memory of 4356	4620	DEME08C.exe	114
PID 4620 wrote to memory of 4356	4620	DEME08C.exe	114
PID 4356 wrote to memory of 3940	4356	DEM3861.exe	118
PID 4356 wrote to memory of 3940	4356	DEM3861.exe	118
PID 4356 wrote to memory of 3940	4356	DEM3861.exe	118
PID 3940 wrote to memory of 492	3940	DEM9064.exe	127
PID 3940 wrote to memory of 492	3940	DEM9064.exe	127
PID 3940 wrote to memory of 492	3940	DEM9064.exe	127
PID 492 wrote to memory of 1964	492	DEME857.exe	129
PID 492 wrote to memory of 1964	492	DEME857.exe	129
PID 492 wrote to memory of 1964	492	DEME857.exe	129

C:\Users\Admin\AppData\Local\Temp\da817119a499aa5ac19a21f571a5476d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da817119a499aa5ac19a21f571a5476d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Users\Admin\AppData\Local\Temp\DEM86E3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM86E3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\DEME08C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME08C.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Users\Admin\AppData\Local\Temp\DEM3861.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3861.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Users\Admin\AppData\Local\Temp\DEM9064.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9064.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3940
      - C:\Users\Admin\AppData\Local\Temp\DEME857.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME857.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\DEM406A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM406A.exe"
        7⤵
        Executes dropped EXE
        
        PID:1964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:8
1⤵
PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3861.exe

Filesize
14KB

MD5
78c74989348bb9da805e7d4e06c217cb

SHA1
793bc35ad511ea266fb024ade0ba250228cfdd3c

SHA256
9635c98a3c9125c6df778aede9beeb511ff8788a17580473fdd706120ae66840

SHA512
ad0217412b9dd5af0ee9d66624266bd8578b9fb6515f03feccabcbd0ea8d0f64bbdac6650971c960aa08a3b1ffe23bf3327e1c77381589864cf14cbd2857a1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM406A.exe

Filesize
14KB

MD5
29b7d385513477f3e347bebc99449557

SHA1
47683cc86c4ef79af03ba79fde637dffd29ddc52

SHA256
97a3dc900b46a5b8471fec93ddc873e796849bdd8bfb62cfd3011db1a2a9b20a

SHA512
b7d6b54cabb26b5c817b6ae057add01b6ebe0f1591927b1fb6ded37bb4e7f50bb63df3d2776eaee086764144a716737f6421eb4dd6e6685152c8e8a10d1feb8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM86E3.exe

Filesize
14KB

MD5
67959980f10fdb5d0a89314e8c015bb4

SHA1
b14a25a56c2313588905f460064a08ae30a9c0ae

SHA256
d0a2a8cbdcf8f2f366259eda5c52d3d59c7742b881f1a0b9598b9ff4bb3f6660

SHA512
eb72f916285435e8bb672d5ebf7ac6fe637bb9e6c39cde60613f4af0e1acfc031a53e12be6d1d3e84e38efb924c3cd51d6af8c48a3aa4177e9cf49321612ceaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9064.exe

Filesize
14KB

MD5
387578d91c9d166d16f06ef496ac09f9

SHA1
f9e6c71932e255f89ad0766d119e231c46692619

SHA256
4e6cb3a79c8865be630b610695d9dd96776a9ae8417526b960db06cb4bfd1f8f

SHA512
b950cc8c848504cf14a8008abaa7ad634458a0588bbd77d7d3b49f00f543158cec63b9be9a1799c6494478a6951006b874375de8e73eeed91d6bc4b31b5da3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME08C.exe

Filesize
14KB

MD5
b5e0b1549bc4bd3379ea8b413f92ba58

SHA1
a0ec7da3e144e4ae32a85290dd5c296be94d8cfe

SHA256
9dd167accdfde5e69ad7af9d347a00b479ba763d69a7bc112da36870992759e6

SHA512
1324a1963261d9eb8df61eab5546a2eb424e23b84c646ac484888311cc792ccf0632fc97f7aaf86e73c212165923efe467959febaffce010e843e061b18a1a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME857.exe

Filesize
14KB

MD5
aa84e1b8a6b797f145a8f137845b2d2c

SHA1
c152abc4aa17f3a0698d2481a557788383c5ad74

SHA256
dc7c6491ee8f18fbd44793ffb4aa1c229ef1a61fb442debc047a8c1f9897a7d2

SHA512
ac63d4d2233367b9d710257090688a6cf114e2555e51e03a0bbc02a766603a16859d3c13bf67fea3cf51ff9ced2fcd9e2dae685a79b5129e74acab7d7deb5051

Download Submit

Analysis

Sharing