7a84f5e90e164cb3d76c823a829c1ca04afdc926f8c1c69b06c3c4386d63b244

General

Target

ed3cff1d54cd28a9fc56878d6ebd6be3_JaffaCakes118.exe
Size

15KB
MD5

ed3cff1d54cd28a9fc56878d6ebd6be3
SHA1

966589883559d847d2c43bec00a97719297303fa
SHA256

7a84f5e90e164cb3d76c823a829c1ca04afdc926f8c1c69b06c3c4386d63b244
SHA512

d525f5f90ad03c3c77854190c102673ddc9c6dbed804d22d56b359ef5acc15f0266f6d75212c1f6022797432c0fabf9eab397d13b6868bf921c04fb7cedefd6c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyh66:hDXWipuE+K3/SSHgxmyh66

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM4646.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ed3cff1d54cd28a9fc56878d6ebd6be3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEME1D4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM3F17.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM96EC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMEE14.exe

Executes dropped EXE 6 IoCs

pid	Process
232	DEME1D4.exe
3568	DEM3F17.exe
4324	DEM96EC.exe
4320	DEMEE14.exe
1868	DEM4646.exe
3912	DEM9E4A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 232	3508	ed3cff1d54cd28a9fc56878d6ebd6be3_JaffaCakes118.exe	98
PID 3508 wrote to memory of 232	3508	ed3cff1d54cd28a9fc56878d6ebd6be3_JaffaCakes118.exe	98
PID 3508 wrote to memory of 232	3508	ed3cff1d54cd28a9fc56878d6ebd6be3_JaffaCakes118.exe	98
PID 232 wrote to memory of 3568	232	DEME1D4.exe	102
PID 232 wrote to memory of 3568	232	DEME1D4.exe	102
PID 232 wrote to memory of 3568	232	DEME1D4.exe	102
PID 3568 wrote to memory of 4324	3568	DEM3F17.exe	104
PID 3568 wrote to memory of 4324	3568	DEM3F17.exe	104
PID 3568 wrote to memory of 4324	3568	DEM3F17.exe	104
PID 4324 wrote to memory of 4320	4324	DEM96EC.exe	106
PID 4324 wrote to memory of 4320	4324	DEM96EC.exe	106
PID 4324 wrote to memory of 4320	4324	DEM96EC.exe	106
PID 4320 wrote to memory of 1868	4320	DEMEE14.exe	108
PID 4320 wrote to memory of 1868	4320	DEMEE14.exe	108
PID 4320 wrote to memory of 1868	4320	DEMEE14.exe	108
PID 1868 wrote to memory of 3912	1868	DEM4646.exe	110
PID 1868 wrote to memory of 3912	1868	DEM4646.exe	110
PID 1868 wrote to memory of 3912	1868	DEM4646.exe	110

C:\Users\Admin\AppData\Local\Temp\ed3cff1d54cd28a9fc56878d6ebd6be3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed3cff1d54cd28a9fc56878d6ebd6be3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\DEME1D4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME1D4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\DEM3F17.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM3F17.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Users\Admin\AppData\Local\Temp\DEM96EC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM96EC.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Users\Admin\AppData\Local\Temp\DEMEE14.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEE14.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4320
      - C:\Users\Admin\AppData\Local\Temp\DEM4646.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4646.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\DEM9E4A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9E4A.exe"
        7⤵
        Executes dropped EXE
        
        PID:3912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3144 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3F17.exe

Filesize
15KB

MD5
bef759db8bfbfd88143eb613e5f76158

SHA1
dbb93a0f38ec5adab4f250541fcff4ab99b494c1

SHA256
ab0a8662438d75d7960a939195930abd83cffaf39388ea7d50f7825de482b5dc

SHA512
2af7153ad3a9cb35c94f668ddc27ca9cc43a02da7a9def9279ae2bf81a620a8c6070b7f500424ef13d96fc7a7e6b99cdac40333da8e9e8ca9f755add2842deff

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4646.exe

Filesize
15KB

MD5
1223a455c859dd5d653cdd8d44bc5f9b

SHA1
89830d534e7105964385914d91e18f7db4f3c404

SHA256
76da09df0f808373a8f4e95c4dedaa855b8b325d8044f2f16a6a319089f71ba2

SHA512
dd1a114480cd6df6de3270a2334f819c71e9408fff5d70421020a9a9700e3c37191572e27dbf71f6626ac7cf61145a44731a743c2289235b4752acc4dfcc8646

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM96EC.exe

Filesize
15KB

MD5
31d94b16547c6acfa985850e9b35d1cb

SHA1
7e13b0c42a2a6d8c89002594225655e4629205e1

SHA256
c2dad78671e3b674be1ff3851957d839955bf7fbc8724580555f99a627352480

SHA512
f01af64ac703fcf9a2960b33a9ba4e14ea4bc24058ac52625f6d7b32e871567a49fd8821af38dd9e86b36fe23653ae4126304351d051a0b5449a28c3ea8af39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9E4A.exe

Filesize
15KB

MD5
f7c5ac2bcc76851811bc7c5854513cd3

SHA1
eb28730ac9662484aa4a12e009d44966b82d57da

SHA256
d3d4738ab9df604dce1fa2eb698db5ffeff1ba5236ec1da1eef66a45d9a3686c

SHA512
721b2870c59ac49a351dcd7526d7742356d35371417684d7a38974622722362f52552e2f6624e70bfe4fdf92ef1274feb594cd3cab609f8750ae0a285a93543f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME1D4.exe

Filesize
15KB

MD5
e242648b55adc7c720fc2db5d6986cb0

SHA1
f9a33fd4c28b0f6c954fe38ff3116be854b7701b

SHA256
65756cccc8a5ad6328ce377cf3187741e4c428610c898bd9dd9e001f54665cce

SHA512
889421913048c763adb83dd92ce1dd72c522c74f434a84a0c85ede45523736b44c9c1ed593b526c4c4f3bfac0236fd55a04c8e133fa7cf697c50b31aaa00439e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEE14.exe

Filesize
15KB

MD5
9a49f2bc606e14f95ff983731ecdfdab

SHA1
dfa1f3f2a26e69803aab26154edeea4a3c4bf322

SHA256
355680bd92fb03362142ab345b3e1d04611d09bd70cdc65fcc3b96ce6bf6184d

SHA512
6e1897c27be6184d6396e45f4a4ce51957c7397682d36700bd68b9b8baec22046b929f8e55ff9e038660708599bb8386bcd152f30fd3842699177deb0cd9789e

Download Submit

Analysis

Sharing