Analysis
max time kernel: 146s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-04-2024 14:59
Static task: static1
Behavioral task: behavioral1
  Sample: ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe (the filename prefix is the sample's MD5)
Size: 14KB
MD5: ea4023b76c3c97c7417069f20fcce905
SHA1: 2f1a3164ba37e77c2bc64f4e4b5eecd428b0cdbb
SHA256: eae7d51154ab442a59dfe4fd65bbdcadbebed9daeb2ae60f34bd105aea5e8bf4
SHA512: c26c01c9c58bed30b24787518f51941e6c8e34d390e7f87cc511347c2a9ada7aa86705e62c7c4570e402ef2dcee7bf4134d246137a7e768102569fa7f8036559
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYEH:hDXWipuE+K3/SSHgxmc
Malware Config
Signatures
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up the country code configured in the registry, likely a geofence. The value read is Geo\Nation under the user's hive (\REGISTRY\USER\<SID> is the kernel path for that user's HKEY_CURRENT_USER); it holds the GeoID chosen in the Region settings of the account, not a location derived from the network, so an analyst can vary it from the sandbox image's Region setting to test whether the sample's behaviour changes.

Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  Queried by: DEMCE7.exe
  Queried by: DEM64FA.exe
  Queried by: ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe
  Queried by: DEMFF11.exe
  Queried by: DEM5DDA.exe
  Queried by: DEMB4A5.exe
Executes dropped EXE (6 IoCs)
  PID   Process
  3684  DEMFF11.exe
  1460  DEM5DDA.exe
  1432  DEMB4A5.exe
  1176  DEMCE7.exe
  944   DEM64FA.exe
  1900  DEMBD0D.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (18 IoCs)
Every row has the form "PID <source> wrote to memory of <target>", followed by the source PID again, the source image name and the sandbox's internal procid_target. The 18 rows are six source/target pairs recorded three times each; every target is the child that the source process launched next in the process tree below, and no process wrote into any process other than its own child, so this entry documents the chained launches rather than injection into an unrelated process. DEMBD0D.exe (PID 1900), the last stage, wrote to nothing.

  Source PID  Source process                                       Target PID  procid_target  Writes
  4688        ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe   3684        104            3
  3684        DEMFF11.exe                                          1460        107            3
  1460        DEM5DDA.exe                                          1432        109            3
  1432        DEMB4A5.exe                                          1176        111            3
  1176        DEMCE7.exe                                           944         113            3
  944         DEM64FA.exe                                          1900        115            3
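The three signature tables above (the Geo\Nation lookups, the dropped-EXE list and the WriteProcessMemory rows) arrive as single flattened lines that are hard to read at a glance. The following is an added example written for this page, not code from the report or from the sandbox vendor: a small Python parser that takes those rows in the one-line form shown, deduplicates the repeated write events, rebuilds the parent-to-child chain, and reports which stages read the Geo\Nation value. The only assumption is the row layout visible on the page; the input strings are the page's own rows, reproduced as constructed test data.

```python
"""Rebuild a dropper chain from flattened sandbox signature rows.

Editor's added example, not code from the report or from any sandbox vendor.
It assumes only the row layouts visible on the page:
  WriteProcessMemory  : "PID <src> wrote to memory of <dst> <src> <src name> <procid_target>"
  Executes dropped EXE: "<pid> <name>" pairs
  Geo\\Nation lookups  : "Key value queried <key path> <process name>"
"""
import re

SAMPLE = "ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe"

# Constructed input: the report's rows, copied as they appear on the page.
WPM_ROW = (
    "description pid Process procid_target "
    f"PID 4688 wrote to memory of 3684 4688 {SAMPLE} 104 "
    f"PID 4688 wrote to memory of 3684 4688 {SAMPLE} 104 "
    f"PID 4688 wrote to memory of 3684 4688 {SAMPLE} 104 "
    "PID 3684 wrote to memory of 1460 3684 DEMFF11.exe 107 "
    "PID 3684 wrote to memory of 1460 3684 DEMFF11.exe 107 "
    "PID 3684 wrote to memory of 1460 3684 DEMFF11.exe 107 "
    "PID 1460 wrote to memory of 1432 1460 DEM5DDA.exe 109 "
    "PID 1460 wrote to memory of 1432 1460 DEM5DDA.exe 109 "
    "PID 1460 wrote to memory of 1432 1460 DEM5DDA.exe 109 "
    "PID 1432 wrote to memory of 1176 1432 DEMB4A5.exe 111 "
    "PID 1432 wrote to memory of 1176 1432 DEMB4A5.exe 111 "
    "PID 1432 wrote to memory of 1176 1432 DEMB4A5.exe 111 "
    "PID 1176 wrote to memory of 944 1176 DEMCE7.exe 113 "
    "PID 1176 wrote to memory of 944 1176 DEMCE7.exe 113 "
    "PID 1176 wrote to memory of 944 1176 DEMCE7.exe 113 "
    "PID 944 wrote to memory of 1900 944 DEM64FA.exe 115 "
    "PID 944 wrote to memory of 1900 944 DEM64FA.exe 115 "
    "PID 944 wrote to memory of 1900 944 DEM64FA.exe 115"
)
EXEC_ROW = ("pid Process 3684 DEMFF11.exe 1460 DEM5DDA.exe 1432 DEMB4A5.exe "
            "1176 DEMCE7.exe 944 DEM64FA.exe 1900 DEMBD0D.exe")
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000"
           r"\Control Panel\International\Geo\Nation")
GEO_ROW = " ".join(f"Key value queried {GEO_KEY} {p}" for p in (
    "DEMCE7.exe", "DEM64FA.exe", SAMPLE, "DEMFF11.exe", "DEM5DDA.exe", "DEMB4A5.exe"))

# \1 insists that the repeated source-PID column agrees with the first one.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+\.exe) \d+")
EXEC_RE = re.compile(r"(\d+) (\S+\.exe)")
GEO_RE = re.compile(r"Key value queried (\\REGISTRY\\.*?) (\S+\.exe)")


def parse_write_edges(row):
    """Collapse repeated rows into {(src_pid, dst_pid): [src_name, write_count]}."""
    edges = {}
    for src, dst, name in WPM_RE.findall(row):
        edges.setdefault((int(src), int(dst)), [name, 0])[1] += 1
    return edges


def parse_dropped(row):
    return {int(pid): name for pid, name in EXEC_RE.findall(row)}


def parse_geo_readers(row):
    return {proc for _key, proc in GEO_RE.findall(row)}


def build_chain(edges):
    """Walk src->dst edges from the single root; refuse anything that is not one linear chain."""
    srcs = {s for s, _ in edges}
    dsts = {d for _, d in edges}
    roots = srcs - dsts
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root, found {sorted(roots)}")
    child_of = {}
    for s, d in edges:
        if s in child_of:
            raise ValueError(f"PID {s} wrote into more than one process; not a linear chain")
        child_of[s] = d
    chain, cur = [], roots.pop()
    while cur is not None:
        chain.append(cur)
        cur = child_of.get(cur)
    return chain


def summarize(wpm_row=WPM_ROW, exec_row=EXEC_ROW, geo_row=GEO_ROW):
    edges = parse_write_edges(wpm_row)
    dropped = parse_dropped(exec_row)
    geo_readers = parse_geo_readers(geo_row)
    chain = build_chain(edges)
    pid_name = {s: name for (s, _d), (name, _n) in edges.items()}  # sources name themselves
    pid_name.update(dropped)                                        # children are named by the EXE list
    return {
        "chain": [(pid, pid_name[pid]) for pid in chain],
        "dropped_stages": [pid for pid in chain if pid in dropped],
        "writes_per_edge": sorted({n for _name, n in edges.values()}),
        "geo_readers": sorted(geo_readers),
        "stages_without_geo_check": [pid_name[pid] for pid in chain if pid_name[pid] not in geo_readers],
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Run as a script it prints the seven-stage chain from PID 4688 down to DEMBD0D.exe (PID 1900), shows that every edge carries exactly three writes and that the last stage is the only one with no Geo\Nation read. `build_chain` deliberately raises if a source wrote to more than one target or if there is more than one root, because that is exactly the situation (a write into a process the sample did not spawn) in which the WriteProcessMemory signature would start to mean injection rather than a chained launch.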
Processes
Each stage was launched with its quoted image path and no arguments; the tree is indented by depth.

C:\Users\Admin\AppData\Local\Temp\ea4023b76c3c97c7417069f20fcce905_JaffaCakes118.exe (PID 4688)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\DEMFF11.exe (PID 3684)
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\DEM5DDA.exe (PID 1460)
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\DEMB4A5.exe (PID 1432)
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\DEMCE7.exe (PID 1176)
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\DEM64FA.exe (PID 944)
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\DEMBD0D.exe (PID 1900)
              - Executes dropped EXE
              (no location check, memory write or child process recorded for this stage within the 146s kernel time)

Separate top-level process, not part of the sample's tree:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2352)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
Six files, each 14KB (the size of the submitted sample), the same count as the six DEM*.exe stages executed above. None of the six hashes matches the submitted sample's, so no dropped stage is a byte-identical copy of the original.

File 1
  Filesize: 14KB
  MD5: a08679c3ff9dd861f0333c8aa507a630
  SHA1: 8a6033b0e32a5b8aaae282d28020474146e4041d
  SHA256: 1f6fc54d4c23e7a7c8f37df6b160783d6273a4b374dff2ffd68242c243f5fade
  SHA512: 89b8c744c5c31422fe6862ae16f58cbef87ec34cddc5f7e9bce3f7d309e7d7c96b9ff80db1f3d8d4d2b9349b65142a9bd8f54eaafcaa3434b24232908ffa4939

File 2
  Filesize: 14KB
  MD5: dde23040498be5f96e7675fedbeede82
  SHA1: 099c21cfe08f7cc5cccf2624ce7900e0cf022c70
  SHA256: e8644191611c2f75e52b003afd3db700fad44ff2694c7916c23bfb871246b8c9
  SHA512: 724c7927f9a1993cbf25cfcb3e396b0df81c3c4248dbc500dc6ddb2d7f5fc2802779e28ebbc6b14f4c78eb33a676b08a3481727ed85076137dcf7f4c5a7425d6

File 3
  Filesize: 14KB
  MD5: 4dcd3c1308f4ed73a20be16a0739c2e3
  SHA1: 5f072352538b87a14729e0cd6c9ebf41723c478a
  SHA256: c4db725ef1543c9e323ae1c4a1815087deea240d6582599ee48e504febc869db
  SHA512: de715db76662ed512f77f5eedb97174392f3eac3bcbd88ae9adc2f348e5ee66debb14a4bcdc1d62be23ba907f3ce1d58d518a74830001018893f8c75c3010783

File 4
  Filesize: 14KB
  MD5: 3fdd15909c63f3671596310378f7a64e
  SHA1: 69657708d62f8ee52bc8c440a2c2760ea9866e6f
  SHA256: 3e4151d56180780d54b840280c465f4bce9c37fe66d511f7fa820952b016361b
  SHA512: 28c0ed83b4eccc52c9f3a65e625883117b3227e2cf044019e7d01f42147b4fe9be217b0625057f311a65b49a2e4417ebb9439f7f4d124a11c2b98c5fcb9e12a3

File 5
  Filesize: 14KB
  MD5: 44a2b892fc47c0be4006a039d136ab65
  SHA1: fac786e48f5c8159e734d22e8f27fce27ca052d5
  SHA256: 901664213b997c5614b574974011ee668f06db5a70dfbe59387180561e8d487b
  SHA512: 2de8a09292d5bcf27645b7b84fd01435f821d090666b63b76138914a253ae536f437d4bcb14af7d6b62cc18f662a3522b779dae08f39132a4ff1c28e690cc3b9

File 6
  Filesize: 14KB
  MD5: a7846974c23ac97cd7b518a8374447d1
  SHA1: e6f61d4c0022826cfdaa2e7442170b192e4c1df3
  SHA256: 606bd059e2666eae1a639d5db19508cd119e9468e50271b1818973d7d4c2c76f
  SHA512: 1b624c59ad4d4424b54cf48f0027f95cb711c708c60dece4f1743c79afd471ed0905b9ede1cf9069569077a61ef8e91b7f6c0490c7da47e47bf12a9bb4406003