92d57cce68556ff0c86ba41d79c89ea323114c29ab42829d9220a37f99b26155

General

Target

dbf46b68e7408b25f39c985259024fce_JaffaCakes118.exe
Size

14KB
MD5

dbf46b68e7408b25f39c985259024fce
SHA1

87ff120dc67ccd7e86c404d1d16995890d008d55
SHA256

92d57cce68556ff0c86ba41d79c89ea323114c29ab42829d9220a37f99b26155
SHA512

3d90028976c894c673ad33c3d3aadfc2708fc7f72f234c207d7751afaf2e66d726fb1c4d3d84c5c466068cf998e7627d0a2dbec759cf7d205483bc8185f35aa7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh5Rxf:hDXWipuE+K3/SSHgx3f

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMC88B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	dbf46b68e7408b25f39c985259024fce_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM67B3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMC0EE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM194F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM7097.exe

Executes dropped EXE 6 IoCs

pid	Process
3100	DEM67B3.exe
4944	DEMC0EE.exe
4976	DEM194F.exe
2368	DEM7097.exe
4868	DEMC88B.exe
2084	DEM208E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 3100	4156	dbf46b68e7408b25f39c985259024fce_JaffaCakes118.exe	108
PID 4156 wrote to memory of 3100	4156	dbf46b68e7408b25f39c985259024fce_JaffaCakes118.exe	108
PID 4156 wrote to memory of 3100	4156	dbf46b68e7408b25f39c985259024fce_JaffaCakes118.exe	108
PID 3100 wrote to memory of 4944	3100	DEM67B3.exe	112
PID 3100 wrote to memory of 4944	3100	DEM67B3.exe	112
PID 3100 wrote to memory of 4944	3100	DEM67B3.exe	112
PID 4944 wrote to memory of 4976	4944	DEMC0EE.exe	115
PID 4944 wrote to memory of 4976	4944	DEMC0EE.exe	115
PID 4944 wrote to memory of 4976	4944	DEMC0EE.exe	115
PID 4976 wrote to memory of 2368	4976	DEM194F.exe	118
PID 4976 wrote to memory of 2368	4976	DEM194F.exe	118
PID 4976 wrote to memory of 2368	4976	DEM194F.exe	118
PID 2368 wrote to memory of 4868	2368	DEM7097.exe	127
PID 2368 wrote to memory of 4868	2368	DEM7097.exe	127
PID 2368 wrote to memory of 4868	2368	DEM7097.exe	127
PID 4868 wrote to memory of 2084	4868	DEMC88B.exe	129
PID 4868 wrote to memory of 2084	4868	DEMC88B.exe	129
PID 4868 wrote to memory of 2084	4868	DEMC88B.exe	129

C:\Users\Admin\AppData\Local\Temp\dbf46b68e7408b25f39c985259024fce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbf46b68e7408b25f39c985259024fce_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Users\Admin\AppData\Local\Temp\DEM67B3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM67B3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Users\Admin\AppData\Local\Temp\DEMC0EE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC0EE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\DEM194F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM194F.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4976
    - - C:\Users\Admin\AppData\Local\Temp\DEM7097.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7097.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Users\Admin\AppData\Local\Temp\DEMC88B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC88B.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\DEM208E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM208E.exe"
        7⤵
        Executes dropped EXE
        
        PID:2084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:8
1⤵
PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM194F.exe

Filesize
14KB

MD5
692fc756696ae91d6fcf30ff27418403

SHA1
9a2fed6c8bda01982e8acab0e9c2790c26c89d69

SHA256
b872501f4f8f494003248fad095575fcbebfd5a12f6fb6d8b123a778ab773db8

SHA512
a923506c134536f20f5a557eb553dc65bc62ddee5ba4a31311cdc2ddfa19835004f2a74ed6ea5a13ad5566ee23488addcfb4fb1488f3bc0aa58d283591114df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM208E.exe

Filesize
14KB

MD5
0efc9e501910f7303a1d078a1067f79f

SHA1
9d1fe726f6aeb97c05d07e5ccb1ff2fb4fed55a8

SHA256
1849488c8eb31f0703152ff13f130e775dd4dd69ff515fe5dfe09faeffb64d66

SHA512
d377f9b6f1e0db8ed30bcaa877a6559c46d644e239e957e06e5b38b296097241584f91e48f5b90c15ef80668aab6e4b7d37159a258760a3899aa00944179b775

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM67B3.exe

Filesize
14KB

MD5
5ed84397d3e7be038e0a1f59a3ac259f

SHA1
4df092cce5984e98a58e759a31fdf79ea946184a

SHA256
fbe43b67445ec83de850f247b855170fdc9b840f5bd0021718e7a6b6a4cc1199

SHA512
32dcd48e293fc7c27f3d43941db68c9fb51551e1e75840a234b2398f002e2951c6c3220e218b75aae24426fa213801a48cbd8d999ff941ae22a6d7781259ebad

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7097.exe

Filesize
14KB

MD5
f34b7c7a09f2995b42ae37853e946036

SHA1
813859ed8d821903e8f4f33e2b8d3866cf840530

SHA256
4a69358b5c0525a79954d01ff364a95ed9230ffa9fd7d74817be43f44045e1c2

SHA512
7274e65b1d6a60e55d4e54115a6a8b7a0929ef845c1f9c71c06c8108b313716a8561388a9a64598ed409e479f4f15b314e0979502a03a1e916c08a9ddb4bfdee

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC0EE.exe

Filesize
14KB

MD5
33a0d89bda94207cb87ade03284890d5

SHA1
4be37a07cf92eed7ac6ddd0a983fd73c10015522

SHA256
c310a986cbe4c5facb652adf72e9ef86284086605f9cbf0c9a960298f742f09a

SHA512
088e21f1a7c5135baf9da06f0faccaf0429bbe241624bd518da29f49302cad2bb1338d5d0b2d23188559202febdf5e33e52899d6237e7f7ebfe7d17efbd52b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC88B.exe

Filesize
14KB

MD5
c3255155ac77f663f2955d174993ceb8

SHA1
094a233b2898a440602da6ebed4dfc874b8355ef

SHA256
821fca03b82450217fed9f352547b5145046ce89553b98525969bc3d73f5c979

SHA512
4077dad8f80b13185ada7b6a8f418702f8d1d90f76f534658ae69f3a16c00f5a68126c52c4a6b6d8314a9cacd5107dc3a3d79f4d87004868f06bbc650bb25e17

Download Submit

Analysis

Sharing