7449b9e4a92e80d1c7065ddb5e17eeb89fbc70763ca71d8b1e9c53276d6c6f36

General

Target

e7b97e6849e1cd0b65ebd04cd942aa4d_JaffaCakes118.exe
Size

15KB
MD5

e7b97e6849e1cd0b65ebd04cd942aa4d
SHA1

f1099238a5f5c20d63dd8ea7f877ae08abf25e56
SHA256

7449b9e4a92e80d1c7065ddb5e17eeb89fbc70763ca71d8b1e9c53276d6c6f36
SHA512

b17dc23ea9c7b9dc1efc5ede9891e89b68aad582e3eae3813956feecf48e1f3e2e9858e5f3a1fcb4f8f53a46cae42b509aab9887a82273d06493b42856ebbbdd
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnUOO:hDXWipuE+K3/SSHgx/hO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	e7b97e6849e1cd0b65ebd04cd942aa4d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM7129.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMC8ED.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM2083.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM774E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMCE67.exe

Executes dropped EXE 6 IoCs

pid	Process
1936	DEM7129.exe
4784	DEMC8ED.exe
1604	DEM2083.exe
4408	DEM774E.exe
1136	DEMCE67.exe
2128	DEM24E3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4992	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 1936	4584	e7b97e6849e1cd0b65ebd04cd942aa4d_JaffaCakes118.exe	110
PID 4584 wrote to memory of 1936	4584	e7b97e6849e1cd0b65ebd04cd942aa4d_JaffaCakes118.exe	110
PID 4584 wrote to memory of 1936	4584	e7b97e6849e1cd0b65ebd04cd942aa4d_JaffaCakes118.exe	110
PID 1936 wrote to memory of 4784	1936	DEM7129.exe	114
PID 1936 wrote to memory of 4784	1936	DEM7129.exe	114
PID 1936 wrote to memory of 4784	1936	DEM7129.exe	114
PID 4784 wrote to memory of 1604	4784	DEMC8ED.exe	117
PID 4784 wrote to memory of 1604	4784	DEMC8ED.exe	117
PID 4784 wrote to memory of 1604	4784	DEMC8ED.exe	117
PID 1604 wrote to memory of 4408	1604	DEM2083.exe	120
PID 1604 wrote to memory of 4408	1604	DEM2083.exe	120
PID 1604 wrote to memory of 4408	1604	DEM2083.exe	120
PID 4408 wrote to memory of 1136	4408	DEM774E.exe	129
PID 4408 wrote to memory of 1136	4408	DEM774E.exe	129
PID 4408 wrote to memory of 1136	4408	DEM774E.exe	129
PID 1136 wrote to memory of 2128	1136	DEMCE67.exe	131
PID 1136 wrote to memory of 2128	1136	DEMCE67.exe	131
PID 1136 wrote to memory of 2128	1136	DEMCE67.exe	131

C:\Users\Admin\AppData\Local\Temp\e7b97e6849e1cd0b65ebd04cd942aa4d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e7b97e6849e1cd0b65ebd04cd942aa4d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\DEM7129.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7129.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\DEMC8ED.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC8ED.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Users\Admin\AppData\Local\Temp\DEM2083.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2083.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Users\Admin\AppData\Local\Temp\DEM774E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM774E.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4408
      - C:\Users\Admin\AppData\Local\Temp\DEMCE67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCE67.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\DEM24E3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM24E3.exe"
        7⤵
        Executes dropped EXE
        
        PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3776 --field-trial-handle=2252,i,11231798169170618717,17890004712654885282,262144 --variations-seed-version /prefetch:8
1⤵
PID:2652

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2083.exe

Filesize
15KB

MD5
5183ff193c536dcb49362e56ffed05ac

SHA1
d3bcfe388a9651be77c81341967f4967ca64d046

SHA256
695fd87431746b8f04963e114c843eb009b03c9c59c30bfad223d620f14fc455

SHA512
77e490e83c730487bb8a2c1429cdbaacf1945f6d435b06de6a67532e11dc365239057b27aa368ea4bd1f237ffdaf9a71eb25f28c205c7d22135c26f5cfbc9293

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM24E3.exe

Filesize
15KB

MD5
754a2c912ea028723da5cde7e05f37f1

SHA1
da96468621c9f0d0a5e2ce39e6ea3914d60105cb

SHA256
011e4a1cbabb5c9676d93793cd6e35cb56a23b34b309f1c4bbf792112ea53ae6

SHA512
376b65f10c21d97f4cde12692a6c5b45b6327959c520fea2f0b60196547ede4c26c3ee63aa5858a3529e9724e97faf59e47a265caf591e56eafaffc056e0fbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7129.exe

Filesize
15KB

MD5
4298d5faed6da4ed0fa16717d906e41d

SHA1
98acbb8266ab6887658e8ffea970a539ab58f4d9

SHA256
5458a31093b1a0621a84c2f2a476e1b87e5ad1085e44738a51e6b6029414b608

SHA512
f66f9799651a5ea37914d07031a9f015f65c8a8f9c165f6e4ef7c6705b9e294ead6ee79db70232e98c041876df052c5c3d64fe7d46795b189df986b2fb5b4248

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM774E.exe

Filesize
15KB

MD5
b6a2bb035d76c7d977353a6e183d1491

SHA1
f0497f23afec331f888ee3fd987b8a1b7dac0dc8

SHA256
70f3f5ce14c0bfa35a0579b3f7b5c2fe2e7a5fe653e83c1bba2c00c40d524a3b

SHA512
2ab87b77613cc8cf20ec90554cef090042d8de6f2bde40f713b941c07122cde230f18c59f29523d06ce3f5e11421ca2a69c17221ae956d76088e86f62742988e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC8ED.exe

Filesize
15KB

MD5
faece2f1468c225135f346c5ca70af32

SHA1
c74527fbd806eb9031f0a40e895652beb4a02bbd

SHA256
30cee2cca19259e39489cbdd49915d95914a10886548ecb8497df17f009e6ad7

SHA512
62997d21572b8d8dd262c4bca957015c7aaa8199dd4467f18b1d20363f7a7465b6cff4be18972522eef4e9715a3f9c2f8e630469e6f6719f838faf73f0b01850

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCE67.exe

Filesize
15KB

MD5
6b0d92ef00233340c4bb86d580c9048d

SHA1
90c7d6c95f9559a9df95bf51855fadee0deca954

SHA256
904f62a49ecf1776414148e3e938d9ef7feb44d6dab1311fb7623ced827bce98

SHA512
0b75293975496bfe6d24a844d0e5b1779b6a148088bca7fae0a93a7e4862b26e2e1938b3ef8ed6f9809e18cd7323114e1048196b8ebbfca5435402953a8a24d4

Download Submit
memory/4992-49-0x0000021364050000-0x0000021364060000-memory.dmp

Filesize
64KB

Download
memory/4992-65-0x0000021364150000-0x0000021364160000-memory.dmp

Filesize
64KB

Download
memory/4992-81-0x000002136C4C0000-0x000002136C4C1000-memory.dmp

Filesize
4KB

Download
memory/4992-83-0x000002136C4E0000-0x000002136C4E1000-memory.dmp

Filesize
4KB

Download
memory/4992-84-0x000002136C4E0000-0x000002136C4E1000-memory.dmp

Filesize
4KB

Download
memory/4992-85-0x000002136C4F0000-0x000002136C4F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing