a8b5f70af7c99dd506c3b77a1c7495ef24d3c8e7946ce2aa1288bd6902e024c0

General

Target

e84bd538bedd4c96b5e4de5ff94066bb_JaffaCakes118.exe
Size

16KB
MD5

e84bd538bedd4c96b5e4de5ff94066bb
SHA1

18596dd0d77102c339cbd7e8a9df76420025f4fb
SHA256

a8b5f70af7c99dd506c3b77a1c7495ef24d3c8e7946ce2aa1288bd6902e024c0
SHA512

859d06d22cdc44a79c656a4c91aa87a68d0196d0c4ef32314a1a20adfe2d34ce80a3d64f4441f21f41eeaeaca68ba52d94cd083911da170febfa922187a17048
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYHzP:hDXWipuE+K3/SSHgxmHz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMCA21.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	e84bd538bedd4c96b5e4de5ff94066bb_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM6D41.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEMC62E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM1C4D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	DEM72D9.exe

Executes dropped EXE 6 IoCs

pid	Process
2480	DEM6D41.exe
4660	DEMC62E.exe
4148	DEM1C4D.exe
840	DEM72D9.exe
2684	DEMCA21.exe
5036	DEM212A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2480	1928	e84bd538bedd4c96b5e4de5ff94066bb_JaffaCakes118.exe	106
PID 1928 wrote to memory of 2480	1928	e84bd538bedd4c96b5e4de5ff94066bb_JaffaCakes118.exe	106
PID 1928 wrote to memory of 2480	1928	e84bd538bedd4c96b5e4de5ff94066bb_JaffaCakes118.exe	106
PID 2480 wrote to memory of 4660	2480	DEM6D41.exe	110
PID 2480 wrote to memory of 4660	2480	DEM6D41.exe	110
PID 2480 wrote to memory of 4660	2480	DEM6D41.exe	110
PID 4660 wrote to memory of 4148	4660	DEMC62E.exe	113
PID 4660 wrote to memory of 4148	4660	DEMC62E.exe	113
PID 4660 wrote to memory of 4148	4660	DEMC62E.exe	113
PID 4148 wrote to memory of 840	4148	DEM1C4D.exe	116
PID 4148 wrote to memory of 840	4148	DEM1C4D.exe	116
PID 4148 wrote to memory of 840	4148	DEM1C4D.exe	116
PID 840 wrote to memory of 2684	840	DEM72D9.exe	125
PID 840 wrote to memory of 2684	840	DEM72D9.exe	125
PID 840 wrote to memory of 2684	840	DEM72D9.exe	125
PID 2684 wrote to memory of 5036	2684	DEMCA21.exe	127
PID 2684 wrote to memory of 5036	2684	DEMCA21.exe	127
PID 2684 wrote to memory of 5036	2684	DEMCA21.exe	127

C:\Users\Admin\AppData\Local\Temp\e84bd538bedd4c96b5e4de5ff94066bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e84bd538bedd4c96b5e4de5ff94066bb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\DEM6D41.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6D41.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\DEMC62E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC62E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\DEM1C4D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1C4D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4148
    - - C:\Users\Admin\AppData\Local\Temp\DEM72D9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM72D9.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:840
      - C:\Users\Admin\AppData\Local\Temp\DEMCA21.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCA21.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\DEM212A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM212A.exe"
        7⤵
        Executes dropped EXE
        
        PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3752 --field-trial-handle=2264,i,7994609493164365963,13212734413040148104,262144 --variations-seed-version /prefetch:8
1⤵
PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1C4D.exe

Filesize
16KB

MD5
be37603b18ed8613861d6413461d8f62

SHA1
cb4d84817c7d9e37475471447e5b05017565a1cf

SHA256
786573d03173e3c5e173ba190fb551140606c52708e7d285e917389e7ecdf487

SHA512
2231baf6b3df1076ddc19209fdb741da28e68bca0d0b1fdd7cfe3c4e13360d760d0ddb9ed89a5719427eed7582a82ba4096bdff025983403a85279d5e9899126

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM212A.exe

Filesize
16KB

MD5
cead066450cb4434c891042b5703dab8

SHA1
82550d34e40e32ae1abea4668e12ddcc0481fcdb

SHA256
dfbc387ad168d74d52db7d0efb110240acbd14aa7ac72a96b8fe3c7376c51c06

SHA512
d8fde9161d2e1a0f5704787ab585fc5b52d3e24a4cfc7a98bd90bf22a914c2c0a8806aa05c93b94d5ddbb78da48a13a9a2f4cdf839e20239c73648daa23c469a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6D41.exe

Filesize
16KB

MD5
d345d2ac4a48921ee37531dbe253fac2

SHA1
3239ca950f3cc5fc416caf67df2bc9a914a9af76

SHA256
d1afaf3afa009e7500fe7b70bab3da12789c16d144d68763cf3a98bc9f95984c

SHA512
c41ba46d89bfa7f1d1ee26712b6497e419912889d8cd48b71943d4b9a260700108a8b82d8a6411fc5f1b35752c96c0f719474dae540f48bc7a3f901095c12a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM72D9.exe

Filesize
16KB

MD5
0d931987c018b3204cd1099274606bac

SHA1
47fbf1eefcbe4ec7c1b80dca692bff8ac0485ae6

SHA256
ad011db8c91b6be0ccc1a1eceb7c29203440287d45da7c410195e1fc90aa8fd5

SHA512
25e06c3f1653f0fe1ce49ece4cdc8c304b4c0a1e2706161c4216f7aabd9e7a742916acbb6a8c99206fa177931d66a0c7f1552f6b98f9bcbb49640db4d2be6793

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC62E.exe

Filesize
16KB

MD5
5568a673d53bbd9aaf61e254358f58ae

SHA1
bad266b02249995b32aacd601af78b0041b3539e

SHA256
009e27812758cec2b58f2985c0d7d2006823ea67468b03c0586e5d6c55fcd66f

SHA512
262ebfdab752fe6a0593d8a393be65b3a1c18b913b131428f92afcf07bf0f7306f49f6314a236c69f5108e3d3ad4715b7d2c9c96b56fc5185b00641571ec6cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCA21.exe

Filesize
16KB

MD5
7a0f90ecfe1f932c42f7d55c8e6276a7

SHA1
01444f4a3a78e493e3cc7904ddf1d8459a095570

SHA256
ac65a874476958b31c798628654286eba4a81b4ebfd6b65fa36d3eede2aff3b3

SHA512
f34cca7a6b72c6996b9ab2040e8759faf1278ac9f792506b3ca8dcae7d92c335b48c0839dcbfe6a8505abd111203fed1d43536a31588d87efab428a41deb308d

Download Submit

Analysis

Sharing