a1ed9a7f00adb679311f80ea29f3496af9e1982a7fc5215f1d905229ec773e82

General

Target

da850b7679920442ef3192c6f6874343_JaffaCakes118.exe
Size

14KB
MD5

da850b7679920442ef3192c6f6874343
SHA1

aca8750c681cee78f9be95b09892f5b169a32c02
SHA256

a1ed9a7f00adb679311f80ea29f3496af9e1982a7fc5215f1d905229ec773e82
SHA512

c9c8aad3d0163ab992ed4595e66b91e66b3b54580973e728301d783f52c226c1709368dd4d2b6c115a54560790668be543887816a789526dd696368769e424e5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0z:hDXWipuE+K3/SSHgx4z

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMD675.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	da850b7679920442ef3192c6f6874343_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM7697.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMD07F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM2892.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM7EEF.exe

Executes dropped EXE 6 IoCs

pid	Process
1516	DEM7697.exe
3152	DEMD07F.exe
4444	DEM2892.exe
3780	DEM7EEF.exe
4704	DEMD675.exe
4504	DEM2E59.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 1516	4084	da850b7679920442ef3192c6f6874343_JaffaCakes118.exe	109
PID 4084 wrote to memory of 1516	4084	da850b7679920442ef3192c6f6874343_JaffaCakes118.exe	109
PID 4084 wrote to memory of 1516	4084	da850b7679920442ef3192c6f6874343_JaffaCakes118.exe	109
PID 1516 wrote to memory of 3152	1516	DEM7697.exe	113
PID 1516 wrote to memory of 3152	1516	DEM7697.exe	113
PID 1516 wrote to memory of 3152	1516	DEM7697.exe	113
PID 3152 wrote to memory of 4444	3152	DEMD07F.exe	117
PID 3152 wrote to memory of 4444	3152	DEMD07F.exe	117
PID 3152 wrote to memory of 4444	3152	DEMD07F.exe	117
PID 4444 wrote to memory of 3780	4444	DEM2892.exe	119
PID 4444 wrote to memory of 3780	4444	DEM2892.exe	119
PID 4444 wrote to memory of 3780	4444	DEM2892.exe	119
PID 3780 wrote to memory of 4704	3780	DEM7EEF.exe	129
PID 3780 wrote to memory of 4704	3780	DEM7EEF.exe	129
PID 3780 wrote to memory of 4704	3780	DEM7EEF.exe	129
PID 4704 wrote to memory of 4504	4704	DEMD675.exe	131
PID 4704 wrote to memory of 4504	4704	DEMD675.exe	131
PID 4704 wrote to memory of 4504	4704	DEMD675.exe	131

C:\Users\Admin\AppData\Local\Temp\da850b7679920442ef3192c6f6874343_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da850b7679920442ef3192c6f6874343_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Users\Admin\AppData\Local\Temp\DEM7697.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7697.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\DEMD07F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD07F.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\DEM2892.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2892.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Users\Admin\AppData\Local\Temp\DEM7EEF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7EEF.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3780
      - C:\Users\Admin\AppData\Local\Temp\DEMD675.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD675.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\DEM2E59.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2E59.exe"
        7⤵
        Executes dropped EXE
        
        PID:4504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4044 --field-trial-handle=2844,i,5640589924128028832,7963280732661142908,262144 --variations-seed-version /prefetch:8
1⤵
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2892.exe

Filesize
14KB

MD5
d8b4171a25671e0ced9c56fe2edbd995

SHA1
4bf8b250ad95d705d288821c75acee97ebd3291e

SHA256
321dbe2455f430991f90f8a640603a804b63f663fad6b8a15d09e2046c119fa8

SHA512
344e18325fc28e889b66b38c3fdc747c8eada90103746ef49d69d3ec2ecf39ce2ebf15455b7145651f667c3c605079d0f73f79a24dd233d57d75f39e5107f2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2E59.exe

Filesize
14KB

MD5
3017c53cee7dc88a8391e790d1bc3ee4

SHA1
e8e42cf5811988edcc07efa3cac1182d6b1d280f

SHA256
3b2c5693f4e50df358017089f21c9a10ce3f5c808c1a2d355a1352f3ca6f6421

SHA512
614cacba5fcfad03fb7f2ef65e1b17dc9f09a5e0a4b38723ee28e08015149f5b4dc8b984effbb4d3184c6070c0d08d973715dbad0e58ed3eb14d9f602fd302ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7697.exe

Filesize
14KB

MD5
c6e0202fa6a9d9546c6d727c63eeb9d2

SHA1
320eb2f93d6972056f1e94a7a6ed958680e1f35e

SHA256
6efd9c7dd549c22745c854e2563598ec89122d898f0353ca7cc88d5c4c640239

SHA512
0202f90a5267988c0e388aa6f8d3864a782e46626ddc5d36837388bd4e1b33b789d39294b7da7f380865b6f360b48ac9bd0bd123c6a48a9fff95fc9762c78cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7EEF.exe

Filesize
14KB

MD5
9e6938b415dad9a75bab60ffa1f4a3bf

SHA1
14a1d6fe14c6c0b1ef49961d6ff4c9afa7f581c1

SHA256
77d645e8bab871f25fd6fe442a6d62b436b156c9b91e9936847e6ad3261cadf3

SHA512
8804520f99bbb6c02b14cd1198a779eaefe84a4016c5dc56059b5fcaa86064d713a209c3dfa1551577b56e4fc1eeeb06697bea07bca08184e57e67cb38e96f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD07F.exe

Filesize
14KB

MD5
96a2760f7cf93485fdd8fd604fb3f857

SHA1
3e8a53e1e91598847eefbcfcac56f36d52b9dc3f

SHA256
3c9a4778f2be7a162030f20e61ba2d8796e31ed32a8675f3b215583733af1fba

SHA512
919cb7ada31baa8cafdb38e161ee796ad35a387b390f7d56bfb0c363266586e61a3e183c6b5d4a6c86f79a4c67af6b10165189e162c2ea0123eb7e46bab7b05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD675.exe

Filesize
14KB

MD5
70aaf74cf989289ff9f7109e3aa9bbb9

SHA1
bc2729c90c2aea5d1a53f57a8d1bb1f9001438fd

SHA256
75f181d80278d5b6f481a429a68a669fa0c930bc862feeba4d854b5805f05fbe

SHA512
bd4f26f089068bf03917727dbc16ab6ee8675adaaa78436414192d0b08f0ca0d68584746697e1f5febf11f46243218b1f43f9fe0dacf6a7dc9b56354c0e1d069

Download Submit

Analysis

Sharing