f81f075f9115e6fd16668589aa9a9d95acaf19019d7e99e01aea0693bf2d2108

General

Target

dfb9cd03a484e5936af5b0dfb008f557_JaffaCakes118.exe
Size

20KB
MD5

dfb9cd03a484e5936af5b0dfb008f557
SHA1

d908a146c23bf3d4e7370adc508cbea6713399af
SHA256

f81f075f9115e6fd16668589aa9a9d95acaf19019d7e99e01aea0693bf2d2108
SHA512

a4bfcb0adcb5158ccfe6969bb54939b907a99a419ecb8342eb7d1ff101dacad17b159e7d1b1416ade63798ae1607b951d24f3304a3307aff29d48c71f629bc18
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4Rc:hDXWipuE+K3/SSHgxmHZRc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	dfb9cd03a484e5936af5b0dfb008f557_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM7251.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMCB7E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM2371.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM7A1D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMD230.exe

Executes dropped EXE 6 IoCs

pid	Process
4788	DEM7251.exe
2420	DEMCB7E.exe
3140	DEM2371.exe
3988	DEM7A1D.exe
4788	DEMD230.exe
4372	DEM2A33.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 4788	3744	dfb9cd03a484e5936af5b0dfb008f557_JaffaCakes118.exe	108
PID 3744 wrote to memory of 4788	3744	dfb9cd03a484e5936af5b0dfb008f557_JaffaCakes118.exe	108
PID 3744 wrote to memory of 4788	3744	dfb9cd03a484e5936af5b0dfb008f557_JaffaCakes118.exe	108
PID 4788 wrote to memory of 2420	4788	DEM7251.exe	112
PID 4788 wrote to memory of 2420	4788	DEM7251.exe	112
PID 4788 wrote to memory of 2420	4788	DEM7251.exe	112
PID 2420 wrote to memory of 3140	2420	DEMCB7E.exe	115
PID 2420 wrote to memory of 3140	2420	DEMCB7E.exe	115
PID 2420 wrote to memory of 3140	2420	DEMCB7E.exe	115
PID 3140 wrote to memory of 3988	3140	DEM2371.exe	118
PID 3140 wrote to memory of 3988	3140	DEM2371.exe	118
PID 3140 wrote to memory of 3988	3140	DEM2371.exe	118
PID 3988 wrote to memory of 4788	3988	DEM7A1D.exe	127
PID 3988 wrote to memory of 4788	3988	DEM7A1D.exe	127
PID 3988 wrote to memory of 4788	3988	DEM7A1D.exe	127
PID 4788 wrote to memory of 4372	4788	DEMD230.exe	129
PID 4788 wrote to memory of 4372	4788	DEMD230.exe	129
PID 4788 wrote to memory of 4372	4788	DEMD230.exe	129

C:\Users\Admin\AppData\Local\Temp\dfb9cd03a484e5936af5b0dfb008f557_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dfb9cd03a484e5936af5b0dfb008f557_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Users\Admin\AppData\Local\Temp\DEM7251.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7251.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\DEMCB7E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCB7E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\DEM2371.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2371.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3140
    - - C:\Users\Admin\AppData\Local\Temp\DEM7A1D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7A1D.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3988
      - C:\Users\Admin\AppData\Local\Temp\DEMD230.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD230.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\DEM2A33.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2A33.exe"
        7⤵
        Executes dropped EXE
        
        PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2252,i,11231798169170618717,17890004712654885282,262144 --variations-seed-version /prefetch:8
1⤵
PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2371.exe

Filesize
20KB

MD5
da1a0c9dfb3fc15bf17c5d5cafcd427b

SHA1
8655a51f11c5bb05b8d3672df38ee90d131d3e89

SHA256
590b8048f59cc1686834913566394d8bf1ec900b674310e56e12c52e780c8c0c

SHA512
f30292a3deb730e8c46af4b8248a50a3d7ce3f33b8871541b8b4bbd36a870eef2f48f485ce99ec6bac7e8669be98c003e1d7d5ee8d224434a6d626922b2ab672

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2A33.exe

Filesize
20KB

MD5
5f674a6d8474eac857afc9c6ac819774

SHA1
e39ba65dfe0e617de4e59827820aa57ede29a252

SHA256
f5a7be163a418a3427f9c5a837e5e3d7aa219247aed484b9ed67bb06c44e737e

SHA512
a0c2afcabc082311210c60af80806094250b1ae0430f48550a738636b561072728f906a806cffddff132ccd842c46957f63a80af28c3c61cf00145cf65bce76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7251.exe

Filesize
20KB

MD5
cfeae9a46e87f4551806f821a07b3b87

SHA1
b968b4b8427ca86b273da3efb635ebb5c2b9188a

SHA256
2b00f1dcd82a93a88e01dfbf07ee8c0cdcecf9e27f445388bac5e23d5492943f

SHA512
4bd97be9ff003919c0e191e9111e9330b76d37a9dd92f825e02a85c1d80a3e0bd849c248edf2715c5792d749270cbbd4523105a1387dd9d48bd57dfc5e12e75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7A1D.exe

Filesize
20KB

MD5
ee768b5c08f351df3051e6e5cb3f597e

SHA1
fcfa2a5bab875d7c5dd7467835aaa9fd2d7f2cc7

SHA256
cca76450abdf621aef614a97abb35be685acd700c7a8e9dd6ee9ac3cdc5595a6

SHA512
80f9f2ffefd19c01784b159531a115e96c7e8311bb639638e1455d52f3ce9ee5d7eabcf3567bceb4f478c882b6125b105e061f0bff939a21918c3a8e331b41c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCB7E.exe

Filesize
20KB

MD5
bda523c7635a33db427cc56821076742

SHA1
c9f464751e647382498e1c8ccde8f8b4db100857

SHA256
4038d5a4e6f20ef4632e10255fd31c1d2fa64a074e933db3fe977826e021e8df

SHA512
2d493427ab4d39c8ed65d44ad03ed552562ca25f1e807cb2c422a4cd0e9bd8fb604839b58f2fe8c83c39efcbb2f94fcd508dcf9137f6b168b43128fe2cbf04b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD230.exe

Filesize
20KB

MD5
55e864a84aed829543533e2bf0f3586f

SHA1
918a2cc1684b9bcdd61bb3ff9df1d6e32a823d04

SHA256
047410afd22da5242527be95ec459707a8cb560f7e143cb79c2a439ad1913098

SHA512
6d43e7fa2affeff8cfc57aa02d1f677a9615374ee2bfd59f1952fd3cd8ca7ec6fc7e6ff7197a16df9ee233c4ab4edc66e8b098ff85d99d10ed97b49a1794d0e0

Download Submit

Analysis

Sharing