eae7d51154ab442a59dfe4fd65bbdcadbebed9daeb2ae60f34bd105aea5e8bf4

General

Target

ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe
Size

14KB
MD5

ea4023b76c3c97c7417069f20fcce905
SHA1

2f1a3164ba37e77c2bc64f4e4b5eecd428b0cdbb
SHA256

eae7d51154ab442a59dfe4fd65bbdcadbebed9daeb2ae60f34bd105aea5e8bf4
SHA512

c26c01c9c58bed30b24787518f51941e6c8e34d390e7f87cc511347c2a9ada7aa86705e62c7c4570e402ef2dcee7bf4134d246137a7e768102569fa7f8036559
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYEH:hDXWipuE+K3/SSHgxmc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMCE7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM64FA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMFF11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM5DDA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMB4A5.exe

Executes dropped EXE 6 IoCs

pid	Process
3684	DEMFF11.exe
1460	DEM5DDA.exe
1432	DEMB4A5.exe
1176	DEMCE7.exe
944	DEM64FA.exe
1900	DEMBD0D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 3684	4688	ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe	104
PID 4688 wrote to memory of 3684	4688	ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe	104
PID 4688 wrote to memory of 3684	4688	ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe	104
PID 3684 wrote to memory of 1460	3684	DEMFF11.exe	107
PID 3684 wrote to memory of 1460	3684	DEMFF11.exe	107
PID 3684 wrote to memory of 1460	3684	DEMFF11.exe	107
PID 1460 wrote to memory of 1432	1460	DEM5DDA.exe	109
PID 1460 wrote to memory of 1432	1460	DEM5DDA.exe	109
PID 1460 wrote to memory of 1432	1460	DEM5DDA.exe	109
PID 1432 wrote to memory of 1176	1432	DEMB4A5.exe	111
PID 1432 wrote to memory of 1176	1432	DEMB4A5.exe	111
PID 1432 wrote to memory of 1176	1432	DEMB4A5.exe	111
PID 1176 wrote to memory of 944	1176	DEMCE7.exe	113
PID 1176 wrote to memory of 944	1176	DEMCE7.exe	113
PID 1176 wrote to memory of 944	1176	DEMCE7.exe	113
PID 944 wrote to memory of 1900	944	DEM64FA.exe	115
PID 944 wrote to memory of 1900	944	DEM64FA.exe	115
PID 944 wrote to memory of 1900	944	DEM64FA.exe	115

C:\Users\Admin\AppData\Local\Temp\ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Users\Admin\AppData\Local\Temp\DEMFF11.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMFF11.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\DEM5DDA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5DDA.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\DEMB4A5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB4A5.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Users\Admin\AppData\Local\Temp\DEMCE7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCE7.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1176
      - C:\Users\Admin\AppData\Local\Temp\DEM64FA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM64FA.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\DEMBD0D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBD0D.exe"
        7⤵
        Executes dropped EXE
        
        PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5DDA.exe

Filesize
14KB

MD5
a08679c3ff9dd861f0333c8aa507a630

SHA1
8a6033b0e32a5b8aaae282d28020474146e4041d

SHA256
1f6fc54d4c23e7a7c8f37df6b160783d6273a4b374dff2ffd68242c243f5fade

SHA512
89b8c744c5c31422fe6862ae16f58cbef87ec34cddc5f7e9bce3f7d309e7d7c96b9ff80db1f3d8d4d2b9349b65142a9bd8f54eaafcaa3434b24232908ffa4939

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM64FA.exe

Filesize
14KB

MD5
dde23040498be5f96e7675fedbeede82

SHA1
099c21cfe08f7cc5cccf2624ce7900e0cf022c70

SHA256
e8644191611c2f75e52b003afd3db700fad44ff2694c7916c23bfb871246b8c9

SHA512
724c7927f9a1993cbf25cfcb3e396b0df81c3c4248dbc500dc6ddb2d7f5fc2802779e28ebbc6b14f4c78eb33a676b08a3481727ed85076137dcf7f4c5a7425d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB4A5.exe

Filesize
14KB

MD5
4dcd3c1308f4ed73a20be16a0739c2e3

SHA1
5f072352538b87a14729e0cd6c9ebf41723c478a

SHA256
c4db725ef1543c9e323ae1c4a1815087deea240d6582599ee48e504febc869db

SHA512
de715db76662ed512f77f5eedb97174392f3eac3bcbd88ae9adc2f348e5ee66debb14a4bcdc1d62be23ba907f3ce1d58d518a74830001018893f8c75c3010783

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBD0D.exe

Filesize
14KB

MD5
3fdd15909c63f3671596310378f7a64e

SHA1
69657708d62f8ee52bc8c440a2c2760ea9866e6f

SHA256
3e4151d56180780d54b840280c465f4bce9c37fe66d511f7fa820952b016361b

SHA512
28c0ed83b4eccc52c9f3a65e625883117b3227e2cf044019e7d01f42147b4fe9be217b0625057f311a65b49a2e4417ebb9439f7f4d124a11c2b98c5fcb9e12a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCE7.exe

Filesize
14KB

MD5
44a2b892fc47c0be4006a039d136ab65

SHA1
fac786e48f5c8159e734d22e8f27fce27ca052d5

SHA256
901664213b997c5614b574974011ee668f06db5a70dfbe59387180561e8d487b

SHA512
2de8a09292d5bcf27645b7b84fd01435f821d090666b63b76138914a253ae536f437d4bcb14af7d6b62cc18f662a3522b779dae08f39132a4ff1c28e690cc3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFF11.exe

Filesize
14KB

MD5
a7846974c23ac97cd7b518a8374447d1

SHA1
e6f61d4c0022826cfdaa2e7442170b192e4c1df3

SHA256
606bd059e2666eae1a639d5db19508cd119e9468e50271b1818973d7d4c2c76f

SHA512
1b624c59ad4d4424b54cf48f0027f95cb711c708c60dece4f1743c79afd471ed0905b9ede1cf9069569077a61ef8e91b7f6c0490c7da47e47bf12a9bb4406003

Download Submit

Analysis

Sharing