3104de4038127cb8ee230848554e332e455196fa2c4a8b4929090953fe77c846

General

Target

fb38cfe7aac3dd018157e51c3cf45d34_JaffaCakes118.exe
Size

16KB
MD5

fb38cfe7aac3dd018157e51c3cf45d34
SHA1

c7e15ad9dfadd59208cdbcd44f7b19f199fb8535
SHA256

3104de4038127cb8ee230848554e332e455196fa2c4a8b4929090953fe77c846
SHA512

943e92313ac5ce6c8e9a5e578b6bdb768d5186d91d590ff146b7f36b696a1a716888122155c291589c702a1584a3abcabf46ebeb1f73851ff6c298912080e6ae
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY497w:hDXWipuE+K3/SSHgxm0w

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM4CD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM8CCA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEME52B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM3D6D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM9560.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	fb38cfe7aac3dd018157e51c3cf45d34_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3300	DEM4CD.exe
4448	DEM8CCA.exe
1364	DEME52B.exe
876	DEM3D6D.exe
2956	DEM9560.exe
3248	DEMEDC1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3300	3016	fb38cfe7aac3dd018157e51c3cf45d34_JaffaCakes118.exe	101
PID 3016 wrote to memory of 3300	3016	fb38cfe7aac3dd018157e51c3cf45d34_JaffaCakes118.exe	101
PID 3016 wrote to memory of 3300	3016	fb38cfe7aac3dd018157e51c3cf45d34_JaffaCakes118.exe	101
PID 3300 wrote to memory of 4448	3300	DEM4CD.exe	104
PID 3300 wrote to memory of 4448	3300	DEM4CD.exe	104
PID 3300 wrote to memory of 4448	3300	DEM4CD.exe	104
PID 4448 wrote to memory of 1364	4448	DEM8CCA.exe	106
PID 4448 wrote to memory of 1364	4448	DEM8CCA.exe	106
PID 4448 wrote to memory of 1364	4448	DEM8CCA.exe	106
PID 1364 wrote to memory of 876	1364	DEME52B.exe	108
PID 1364 wrote to memory of 876	1364	DEME52B.exe	108
PID 1364 wrote to memory of 876	1364	DEME52B.exe	108
PID 876 wrote to memory of 2956	876	DEM3D6D.exe	110
PID 876 wrote to memory of 2956	876	DEM3D6D.exe	110
PID 876 wrote to memory of 2956	876	DEM3D6D.exe	110
PID 2956 wrote to memory of 3248	2956	DEM9560.exe	112
PID 2956 wrote to memory of 3248	2956	DEM9560.exe	112
PID 2956 wrote to memory of 3248	2956	DEM9560.exe	112

C:\Users\Admin\AppData\Local\Temp\fb38cfe7aac3dd018157e51c3cf45d34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb38cfe7aac3dd018157e51c3cf45d34_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\DEM4CD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4CD.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\DEM8CCA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8CCA.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Users\Admin\AppData\Local\Temp\DEME52B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME52B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Users\Admin\AppData\Local\Temp\DEM3D6D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3D6D.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:876
      - C:\Users\Admin\AppData\Local\Temp\DEM9560.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9560.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\DEMEDC1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEDC1.exe"
        7⤵
        Executes dropped EXE
        
        PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3D6D.exe

Filesize
16KB

MD5
37b3908c90ed24ca0ffda7f234c6e972

SHA1
17d06a517cc82a99d722a802e1528652cbba21a9

SHA256
3b1376b044fb95c44ae559cc679ccd7da346bde8217048cae02aecbc7b0b67f0

SHA512
9ef47aecbeb9b42866c1a7d0d748708db84b2ba62d1fc8f4134facd32467ca525c03b8996aa979c30c9eeb211aa30c153546e7c6d71cf025c86ae93ecfc08a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4CD.exe

Filesize
16KB

MD5
40cd70f1b71b5de7ec8f5113a57b70ee

SHA1
5d7c5c46143ab8fc1688987344745daa202281c4

SHA256
ef5a96910e1bf3ca9415095aca4c97e624c3510f3319962c0eaf163ea3462e3f

SHA512
fda4fdbf7c72cf935dbfef539dc0001e0831abf5ea6d08a7c54d2f31a4b26a02192cc83b749b740df7d8d0d39715803564a72820dc68599319216a7f577a4538

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8CCA.exe

Filesize
16KB

MD5
a886acb9ecb022d5d83bc4aab607b4fa

SHA1
91284e2319ed403543d9b48a5fe98411e5789591

SHA256
def36839a93b8a579d144727d8080e07b28d97ffe0eeae90fe663b444f399792

SHA512
5d40aaa50c53cadda0695234515ced19cb1b799c5ce5f47e805c5d1c5031ef4944171d79dc136059aebad793b9f618c54743a66de493c9a43563ad69825ce2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9560.exe

Filesize
16KB

MD5
a6b4c1d7e56865cefbf957cd91e82d7a

SHA1
c66d1024bc9da7f7a624510c6dc3fe903fd63cf6

SHA256
9f231cb158cf91984b71c922cbf2bcade4f32d340d5a61d97f45b3ec8c1059c7

SHA512
d535bb0f90a27f7a76f44680aeaef42aaf8bc2bd6e3cc774966b71745f3e6b97d627f33bf985d614a39873b69765a2f4352de0124eb489a6839103c0bce633ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME52B.exe

Filesize
16KB

MD5
a0a90d485c5498b586945227bdf13ca6

SHA1
38fcd4fb5ce7f40e24e5d09955d600e963fd4f90

SHA256
7c3a6015ac04b4d58139a75961564f39f93d774340cf1edcb9221037f53bbfff

SHA512
13528125d312e2cc04a2997fa11d6959b229e9c4610d8f1fa764ab1e918e3dc94fbdac1306348b379da67eef61078b3bf13906437add9007fac46028b2961371

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEDC1.exe

Filesize
16KB

MD5
5dfb1762bb7bda49825987ed0bbf627e

SHA1
f5ceca8ae7581614a9ec48969e09f65f5aa48c7c

SHA256
96ef5ea2678b2011c1cc75eb1f884b1a2bb58dce29f3df929bc9d2246fad2b2a

SHA512
2caccf380fa9d92c2c86a460e29bb8daf62e082c527c7b31f74e5eccef1529407e8d34087a6916f03027aea342082e90aef4dc98db232e68ed83a28d2477dd2a

Download Submit

Analysis

Sharing