9d997d8a14d4261ab5f3c097bd0d0af1da3e0415a134035db13bc9a0b5e191e2

General

Target

f4123d6b6601e98963f4b05c6a5ff35d_JaffaCakes118.exe
Size

20KB
MD5

f4123d6b6601e98963f4b05c6a5ff35d
SHA1

11e447a518d372a62d4926a5bb48833613687b68
SHA256

9d997d8a14d4261ab5f3c097bd0d0af1da3e0415a134035db13bc9a0b5e191e2
SHA512

f1a99619f810e46c5af54fdf68a9c3a0aca7d1b7aa6e549a0f960d1c55fb08347f3694ae06c07f7e29409954889f41dc4b1eaee8ee070e26ad69fea161bd5c2b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4PR6:hDXWipuE+K3/SSHgxmHZPR6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMC1BA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM1E31.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM7683.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMCE28.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM263B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	f4123d6b6601e98963f4b05c6a5ff35d_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
2792	DEMC1BA.exe
3672	DEM1E31.exe
4324	DEM7683.exe
4464	DEMCE28.exe
4820	DEM263B.exe
1048	DEM7E10.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 2792	4436	f4123d6b6601e98963f4b05c6a5ff35d_JaffaCakes118.exe	99
PID 4436 wrote to memory of 2792	4436	f4123d6b6601e98963f4b05c6a5ff35d_JaffaCakes118.exe	99
PID 4436 wrote to memory of 2792	4436	f4123d6b6601e98963f4b05c6a5ff35d_JaffaCakes118.exe	99
PID 2792 wrote to memory of 3672	2792	DEMC1BA.exe	103
PID 2792 wrote to memory of 3672	2792	DEMC1BA.exe	103
PID 2792 wrote to memory of 3672	2792	DEMC1BA.exe	103
PID 3672 wrote to memory of 4324	3672	DEM1E31.exe	105
PID 3672 wrote to memory of 4324	3672	DEM1E31.exe	105
PID 3672 wrote to memory of 4324	3672	DEM1E31.exe	105
PID 4324 wrote to memory of 4464	4324	DEM7683.exe	107
PID 4324 wrote to memory of 4464	4324	DEM7683.exe	107
PID 4324 wrote to memory of 4464	4324	DEM7683.exe	107
PID 4464 wrote to memory of 4820	4464	DEMCE28.exe	109
PID 4464 wrote to memory of 4820	4464	DEMCE28.exe	109
PID 4464 wrote to memory of 4820	4464	DEMCE28.exe	109
PID 4820 wrote to memory of 1048	4820	DEM263B.exe	111
PID 4820 wrote to memory of 1048	4820	DEM263B.exe	111
PID 4820 wrote to memory of 1048	4820	DEM263B.exe	111

C:\Users\Admin\AppData\Local\Temp\f4123d6b6601e98963f4b05c6a5ff35d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4123d6b6601e98963f4b05c6a5ff35d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Users\Admin\AppData\Local\Temp\DEMC1BA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC1BA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\DEM1E31.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1E31.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\DEM7683.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7683.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Users\Admin\AppData\Local\Temp\DEMCE28.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCE28.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4464
      - C:\Users\Admin\AppData\Local\Temp\DEM263B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM263B.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\DEM7E10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7E10.exe"
        7⤵
        Executes dropped EXE
        
        PID:1048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4116 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1E31.exe

Filesize
20KB

MD5
b36e46c5201c627337a2bfa9c472bfb3

SHA1
0f0b08b409a9f3dec9b58b5b6cf19a1633beadd4

SHA256
b321babeeab84520e7633808a3d42d2f4d5f34539dadeefcad9203a2c3a4b498

SHA512
8ef14b7bfa9e3ffdf6da90d6a6e2d3aaef0b4c984c8036e4a5326a19e68bbb880ea77687104e7c8c2702b162ac3883679711a1df49cc5fa1cc98aea4ff3c281c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM263B.exe

Filesize
20KB

MD5
d73bc623393ab53de503864db8cfb2dd

SHA1
7de8d40ceaf822dfc54ab55efca5d031e0805ff1

SHA256
eceec12ac7758dd152d8aab2e08274073677cf6a41492247d55979f210e47048

SHA512
6be37c067d3612c7bafab1237a7771ab4cfcfeda7a6df4cfc8cee3f699766aa1a3a6697811e4f7d5dae87ae103176a013bc8c523a110d5a6e4c08127ad8d2607

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7683.exe

Filesize
20KB

MD5
e1a0ef0556e8dac598d56beca1e9afbf

SHA1
2dc684d9635cf6f499d76d70f1a080fb17bcb923

SHA256
cc58bbc78857977f30b38b583a229236b360a169e5add44e4560316fbf3a0edf

SHA512
53ae74ad77f139d0b5eb2dbd853faa09ab77a2cd793dc2d4e38e4097c8b96930ed52fa354a72a1aaa31443d52ea5999aa689c55b0a104fd13ad1a0d74e7d95f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7E10.exe

Filesize
20KB

MD5
3529eba57bc516c5290548f56cf554a5

SHA1
741f92f640f8a427aeb447bfe77afbbafd6dd624

SHA256
594d31497d6eb57999147d18e871a51a5b72ea56b4822fb5717c54359ac4f33e

SHA512
327438fb10593c7d23adf979b06660a1b946a92d5d57d761b37f9783c40e963b1f92c2a3388f9f94dc32e5589477fad200ad5157d2f1848bb2d1e4f42e048d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC1BA.exe

Filesize
20KB

MD5
1f389f3a815f87f7f4d203c78c601678

SHA1
2c0f715c3617b2c82d319dc27e200ec909d04e4f

SHA256
06ef5c53466850574122da3c980ac903ffc7691a637e005e410a0878bd2e94f2

SHA512
1da631ee555400acb2a918fd3215c78aead80e299756ee883887ca9e0f659f330a55271b7eea2effe2d30b82be0fd6a72486d0e17b90b304ef212331ee204faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCE28.exe

Filesize
20KB

MD5
54e38ee3635cebc3a2eb84743b242c69

SHA1
18910497108fabcfa562d56cb80e990e2a5418b1

SHA256
eec944d8e3c7f90f15f6d2ebf014ff6fe6966f017604990c6327e9110d9da5c7

SHA512
b516e573efadcc89e82f8a75e8b8555525183deca9da1cb054f503adc7d87302e0ae98f197cbb4e95fc83a9e7cd3c6c73a566fce83203033f6d1a0b7a054e595

Download Submit

Analysis

Sharing