b20f911e26de554f338c2205d857b5a9e19103d65ff029f5b63127a9ef5ccb16

General

Target

f14997a6e80ec85e1539f1330e077811_JaffaCakes118.exe
Size

15KB
MD5

f14997a6e80ec85e1539f1330e077811
SHA1

a4dc96dd041694213defef85ead7d5ce768e738f
SHA256

b20f911e26de554f338c2205d857b5a9e19103d65ff029f5b63127a9ef5ccb16
SHA512

1c256fc27b2926be7282e8b0045d698055286c17c09797a53d34fda8aae830b1a35236fa70d70a7a23706574c3df1dd1eed2e500f282e479d92f57a1390bf6bc
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8QHuPc:hDXWipuE+K3/SSHgxm8quPc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM7ED0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMD7EC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM30F9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM893B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	f14997a6e80ec85e1539f1330e077811_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM1410.exe

Executes dropped EXE 6 IoCs

pid	Process
4332	DEM1410.exe
3624	DEM7ED0.exe
4520	DEMD7EC.exe
2260	DEM30F9.exe
4588	DEM893B.exe
1628	DEME248.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 4332	372	f14997a6e80ec85e1539f1330e077811_JaffaCakes118.exe	99
PID 372 wrote to memory of 4332	372	f14997a6e80ec85e1539f1330e077811_JaffaCakes118.exe	99
PID 372 wrote to memory of 4332	372	f14997a6e80ec85e1539f1330e077811_JaffaCakes118.exe	99
PID 4332 wrote to memory of 3624	4332	DEM1410.exe	103
PID 4332 wrote to memory of 3624	4332	DEM1410.exe	103
PID 4332 wrote to memory of 3624	4332	DEM1410.exe	103
PID 3624 wrote to memory of 4520	3624	DEM7ED0.exe	105
PID 3624 wrote to memory of 4520	3624	DEM7ED0.exe	105
PID 3624 wrote to memory of 4520	3624	DEM7ED0.exe	105
PID 4520 wrote to memory of 2260	4520	DEMD7EC.exe	107
PID 4520 wrote to memory of 2260	4520	DEMD7EC.exe	107
PID 4520 wrote to memory of 2260	4520	DEMD7EC.exe	107
PID 2260 wrote to memory of 4588	2260	DEM30F9.exe	109
PID 2260 wrote to memory of 4588	2260	DEM30F9.exe	109
PID 2260 wrote to memory of 4588	2260	DEM30F9.exe	109
PID 4588 wrote to memory of 1628	4588	DEM893B.exe	111
PID 4588 wrote to memory of 1628	4588	DEM893B.exe	111
PID 4588 wrote to memory of 1628	4588	DEM893B.exe	111

C:\Users\Admin\AppData\Local\Temp\f14997a6e80ec85e1539f1330e077811_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f14997a6e80ec85e1539f1330e077811_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:372
- C:\Users\Admin\AppData\Local\Temp\DEM1410.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1410.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\DEM7ED0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7ED0.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Users\Admin\AppData\Local\Temp\DEMD7EC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD7EC.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Users\Admin\AppData\Local\Temp\DEM30F9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM30F9.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Users\Admin\AppData\Local\Temp\DEM893B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM893B.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\DEME248.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME248.exe"
        7⤵
        Executes dropped EXE
        
        PID:1628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1410.exe

Filesize
15KB

MD5
76dd54d9210110b41f5529305d9bc188

SHA1
65e589345c82335b22dadc1a895e95281ec1625e

SHA256
0c432c743e9adf33878b825f36d1b5fdbca058de60e421837686401d3a1b66dc

SHA512
c59454ca512c83cfdd6a665c41c3d529f43b1207fc945764414a7683e233b794c683172b90e99eaed7a7b7d8857438ac8c7886dfeb2f24d26249bce2a5e237ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM30F9.exe

Filesize
15KB

MD5
8e3f2e064ee38c7976cfe14eac0e1ce5

SHA1
53da9c6c82105a1479e0df69b56398c80d26db62

SHA256
167c5a878780af65d9ea9ba3b7cf26edbf54c0d9b55e2e8b37f864d27cb724e7

SHA512
dfa0048e79d6073b91ff0c6ca4ae9744cc68d634a54bd4657791ad433e07a41abc0537d545d097fa1299be804b19490d66420d58530ba781e1bc68bec91a1871

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7ED0.exe

Filesize
15KB

MD5
dcd7950a4960c6750d0170dfee150442

SHA1
9f9bab5f7c48849f70c322f5a8dbbb69d23ed6eb

SHA256
3112be9f7978af33db41b16debc6c90399ed3a7154c7f9382f1f3031d96c3552

SHA512
6894ace896480f56233799e3247494d17c10982d84bed138a2e1d8cb3fc662461871152ee1c69b7bd481e16a5959dcc5e89ac1ed79b911027aee862a6e5fae39

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM893B.exe

Filesize
15KB

MD5
a8270bbcdd246e1bc536947d24e0ed2c

SHA1
24900c3f8ed4ab5d369f185a3e7922e4d63893b5

SHA256
19a0c05a53da9f86f3b029af888e5828f9298f91aeed6f1f3328fc09eaa05d75

SHA512
7ecb314ef59d1f44a34e7ee5fe3087e86dbc897fa3a9afc81d079f4e37b5e2cbcddc24fcd2beb8e8d8e4609bd480dfbea75ae2fa616e78eafd5acaee93f6c621

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD7EC.exe

Filesize
15KB

MD5
030b706acc7110ee32e0a0b340e7e11e

SHA1
5e1aba671c07c12bbed571d2398af68b66101a83

SHA256
b34c15a964ae9be6b588a0c906930f97a4c053e3127888e6c06ac328eb4b3cb7

SHA512
79379d1c02f6ac64ca73ffd91a67ccea2dfe4400f6e7eb68606518e1c30ae7b68ea77bf62126d09db44ca3fd00c2cb39908a4400ea75d3999ef40bec09c8d47d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME248.exe

Filesize
15KB

MD5
40b52c18b83f846fe76a53658441b917

SHA1
a9aeebfbd7d8876f25d788f31167cd6a2a85fef2

SHA256
368686677da4907201ed0c8fb32a5942bc01e77a87bb1b6c341ca1bc1c950f5a

SHA512
133da2a967bca713472896752f14ad838cc886c60bf5b4c96c43a41db2ec72a4c5b169e1c1a3cc506c44d7743ac2739403441134af71de3422170ddeb6a8bd54

Download Submit

Analysis

Sharing