ffa6ff884b941d0431103892fa4d2804e23f960bed61f726379dfcfc31151016

General

Target

ec918e26cd1bb819a5481ce78b933f7d_JaffaCakes118.exe
Size

16KB
MD5

ec918e26cd1bb819a5481ce78b933f7d
SHA1

4510818d87d1c8b9c4879b8c932fa55f19b9560e
SHA256

ffa6ff884b941d0431103892fa4d2804e23f960bed61f726379dfcfc31151016
SHA512

f1bc08ac6cade686351253ee255d391e3a7b75e744e74834ecc4b599cb3536d50d6f253a334476af5e4ebf26600abe322b4be5dbd3da1edcfd78467d42814565
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYze:hDXWipuE+K3/SSHgxmze

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEME6A7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM466A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM9F29.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMF7F7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM5087.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ec918e26cd1bb819a5481ce78b933f7d_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
1116	DEME6A7.exe
392	DEM466A.exe
4480	DEM9F29.exe
4392	DEMF7F7.exe
1348	DEM5087.exe
2984	DEMAA11.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 1116	1140	ec918e26cd1bb819a5481ce78b933f7d_JaffaCakes118.exe	99
PID 1140 wrote to memory of 1116	1140	ec918e26cd1bb819a5481ce78b933f7d_JaffaCakes118.exe	99
PID 1140 wrote to memory of 1116	1140	ec918e26cd1bb819a5481ce78b933f7d_JaffaCakes118.exe	99
PID 1116 wrote to memory of 392	1116	DEME6A7.exe	103
PID 1116 wrote to memory of 392	1116	DEME6A7.exe	103
PID 1116 wrote to memory of 392	1116	DEME6A7.exe	103
PID 392 wrote to memory of 4480	392	DEM466A.exe	105
PID 392 wrote to memory of 4480	392	DEM466A.exe	105
PID 392 wrote to memory of 4480	392	DEM466A.exe	105
PID 4480 wrote to memory of 4392	4480	DEM9F29.exe	107
PID 4480 wrote to memory of 4392	4480	DEM9F29.exe	107
PID 4480 wrote to memory of 4392	4480	DEM9F29.exe	107
PID 4392 wrote to memory of 1348	4392	DEMF7F7.exe	109
PID 4392 wrote to memory of 1348	4392	DEMF7F7.exe	109
PID 4392 wrote to memory of 1348	4392	DEMF7F7.exe	109
PID 1348 wrote to memory of 2984	1348	DEM5087.exe	111
PID 1348 wrote to memory of 2984	1348	DEM5087.exe	111
PID 1348 wrote to memory of 2984	1348	DEM5087.exe	111

C:\Users\Admin\AppData\Local\Temp\ec918e26cd1bb819a5481ce78b933f7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec918e26cd1bb819a5481ce78b933f7d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\DEME6A7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME6A7.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Users\Admin\AppData\Local\Temp\DEM466A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM466A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Users\Admin\AppData\Local\Temp\DEM9F29.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9F29.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4480
    - - C:\Users\Admin\AppData\Local\Temp\DEMF7F7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF7F7.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4392
      - C:\Users\Admin\AppData\Local\Temp\DEM5087.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5087.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\DEMAA11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAA11.exe"
        7⤵
        Executes dropped EXE
        
        PID:2984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3928 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM466A.exe

Filesize
16KB

MD5
76f7d89af0e63afb1630fcd0be29f2e5

SHA1
f44f0829d92675fbe9b2c1dea87e41fbaf164d6d

SHA256
0437c5769032685da68bc1c66d4d3946d3f6758cc0abc4700d8ac3b6ba87bb6d

SHA512
7bdd9b7dc08e0dfb705096f459029be336744edc72b769d9aa2914f3640d76efcd9eab0e1b8c2af248a6621a794c513fb14d87e6c91c1a72d214c46db81a89fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5087.exe

Filesize
16KB

MD5
5652bb27216a18169845aa51cb970e24

SHA1
92a6cbbab3dc727654b8e31413ac3d8e1fc880b5

SHA256
ce1775206b3b3206e0db01bb79500f800c390b178dea92b9c7bfc0020d26442c

SHA512
3a28181cd6b6d8223ce1f6b605cdf3010d999f631510ac8bec701b3dac100aaea20985248274f40b2676aa8055d2352b6e00169f73564a9099838efa45a5331c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9F29.exe

Filesize
16KB

MD5
adbf6c8e9cfc404e2752104d25328e5c

SHA1
15a4ea4533ba734a860cbc3d91d370a8d7842e17

SHA256
149de456c4ef681c20ffa178903a3d0d3cf240feb726465ed894e4804046b318

SHA512
9523459c2c562564f43427eaf65ee74c00407da008f1bc4f39baab5b6cf365bdf44cc643edb511326001995c64a2c5af8ef575d49c683c71ac446e1920c94ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAA11.exe

Filesize
16KB

MD5
f7a49f871620df7c77a045fabcc9392c

SHA1
f1f35566be0b0f18b28000363bb0495be3059749

SHA256
b1768e0ac2383646ed6a8538d5fadb918d8bdf1fbc7422c2b6f9a83c8b391df7

SHA512
8cf47dc1d707a07518d008439b5f77450cd7dcd93fa9224a02c0b9b9be5ea7451db106f466f290e02b021253bc712b35b0035e05e5b4cc234e5d174f2f846021

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME6A7.exe

Filesize
16KB

MD5
1ed4178bda3fd3dfcba1752247c3c6fb

SHA1
873f6c26e134396a2d5ef1c180ee1b989d94221d

SHA256
f33cb0cfabfb593e66dd3ab46fcb83f0b0c1ec0b9ae9fd7eb092f746546d7b6d

SHA512
be3a9b91c5f8e3a1e246ee294a696f5ba9618e4bb4966053dbe5b3187905b79020f223283853e0755bc8cdd99c5ca62f116b77c1a91cfa245ddf6efcfc221734

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF7F7.exe

Filesize
16KB

MD5
2a5bc75afa50846809a051c6c5e3f141

SHA1
0f78ed63f6e18030ce38e3d9a8ca474c51843da0

SHA256
f294665c7eb9e2e50dad85efbf4ea6071d08852f46866c02aa6129178fb50141

SHA512
618cca25843897b71cc32436137bd50cc2710c58cf84b9099a226059a68e7ee0c42dc0238708bc38af6e778575c55dceeae7c78fca78e0eac95a8f39c769123b

Download Submit

Analysis

Sharing