6525f367c2bb3fed160a7cbd0b1728fa04edc7e4f5f988a8653bbd9f48388c3b

General

Target

ffc17fd836338e7a3fd49c1e5476646c_JaffaCakes118.exe
Size

14KB
MD5

ffc17fd836338e7a3fd49c1e5476646c
SHA1

cba4ba66d716dc4212af2cf74168a6fdb03e0af7
SHA256

6525f367c2bb3fed160a7cbd0b1728fa04edc7e4f5f988a8653bbd9f48388c3b
SHA512

fff289c624b455e001d2027e53aebf66962f92767b49b61fb3a7e061b6ecf3b7315e4fec7aa302a0713d9e543377e4d6ab1214b05b727c8a686e28c326f56c7a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhpLJ:hDXWipuE+K3/SSHgxp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMC975.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM2282.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM7B22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ffc17fd836338e7a3fd49c1e5476646c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM13E1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM7191.exe

Executes dropped EXE 6 IoCs

pid	Process
3808	DEM13E1.exe
4488	DEM7191.exe
4404	DEMC975.exe
1192	DEM2282.exe
1440	DEM7B22.exe
1092	DEMD4CB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 3808	4664	ffc17fd836338e7a3fd49c1e5476646c_JaffaCakes118.exe	99
PID 4664 wrote to memory of 3808	4664	ffc17fd836338e7a3fd49c1e5476646c_JaffaCakes118.exe	99
PID 4664 wrote to memory of 3808	4664	ffc17fd836338e7a3fd49c1e5476646c_JaffaCakes118.exe	99
PID 3808 wrote to memory of 4488	3808	DEM13E1.exe	103
PID 3808 wrote to memory of 4488	3808	DEM13E1.exe	103
PID 3808 wrote to memory of 4488	3808	DEM13E1.exe	103
PID 4488 wrote to memory of 4404	4488	DEM7191.exe	105
PID 4488 wrote to memory of 4404	4488	DEM7191.exe	105
PID 4488 wrote to memory of 4404	4488	DEM7191.exe	105
PID 4404 wrote to memory of 1192	4404	DEMC975.exe	107
PID 4404 wrote to memory of 1192	4404	DEMC975.exe	107
PID 4404 wrote to memory of 1192	4404	DEMC975.exe	107
PID 1192 wrote to memory of 1440	1192	DEM2282.exe	109
PID 1192 wrote to memory of 1440	1192	DEM2282.exe	109
PID 1192 wrote to memory of 1440	1192	DEM2282.exe	109
PID 1440 wrote to memory of 1092	1440	DEM7B22.exe	111
PID 1440 wrote to memory of 1092	1440	DEM7B22.exe	111
PID 1440 wrote to memory of 1092	1440	DEM7B22.exe	111

C:\Users\Admin\AppData\Local\Temp\ffc17fd836338e7a3fd49c1e5476646c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffc17fd836338e7a3fd49c1e5476646c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\DEM13E1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM13E1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Users\Admin\AppData\Local\Temp\DEM7191.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7191.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Users\Admin\AppData\Local\Temp\DEMC975.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC975.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Users\Admin\AppData\Local\Temp\DEM2282.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2282.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1192
      - C:\Users\Admin\AppData\Local\Temp\DEM7B22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7B22.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\DEMD4CB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD4CB.exe"
        7⤵
        Executes dropped EXE
        
        PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM13E1.exe

Filesize
14KB

MD5
781f811e54eddbe457997036352b7c3c

SHA1
386190c1519520a7a5d1b5bf6d802e5e2132ba6f

SHA256
fa0fd3e4189746feb5f5e312edb61706eb55ffe161cc61b1299a3a3cec86996e

SHA512
98d3d7eaad6086a2bdfe285c3e2f267958829220ec06932ebd3db47496638617514e2e209d0d3bdc3c8403ce07f6c0733939179e9e024fdf40f4c320325865c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2282.exe

Filesize
14KB

MD5
0ca2d2d4a624a0cad1c171f78b45eef2

SHA1
0b9b86d29bc15cf6073dcbd39665ed0bb3227f39

SHA256
e6c512767e6c8de82f8311b9d7db5eda1f0f58e1c1c598b711aa860416816c78

SHA512
f4ff8448372a2c13d45d7dd85227aacf40c1aaf953d423b6d8ca7ce8bdc7013e29896ac12b96a155b3ddf7b48a0a8716142c2c4844720ff0988bca6bc2bfc06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7191.exe

Filesize
14KB

MD5
27f822a1beb860553486085671020ce4

SHA1
707db5171a1cb74b54c7f105576d7737418016e7

SHA256
9c71e5194f7bea6dfaf9d64e27de59611db216782e92a6c672be976f5dd51215

SHA512
42465406b2f84df2e02a89065756e102784670d2f96f508b17fe21956e1a550e7170da404b557c08b4de0d96f5b648e2cf8ea952df1186274a894f9bd86c9861

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7B22.exe

Filesize
14KB

MD5
f1fb782cf227fa613bcd78070de8824d

SHA1
60e6eee38fb3c91b4669e55494ccd591f8bbc06e

SHA256
0246992f464143a720b3ed60346c4116ee41a0a3a99ace53fbf012582b1f384d

SHA512
1a2e18ff3bcb5e8780af973a3214e92be19321f3b60043d33c173c1d71172d891289ef8e512ccd25d0859f0bf2f86a1c664de7f276b2512e59b900f1b6197697

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC975.exe

Filesize
14KB

MD5
11ad01ad7517a44bea91fb0297fbfa56

SHA1
701aec5bc099322d5bc3c110e48f1a09b046dee6

SHA256
95d08fb71a36db7ba42472820796c93cc40fb6a5221648acdd134e865612622b

SHA512
3da1fbc9bb0e2519d199357b8ac76ee76d40210b576a5ca2509ec1c9dd1f3e2f4514548cf46bcbd2ed3af9768d5d919bc85a2e22e59d2baa28f345e1e977f9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD4CB.exe

Filesize
14KB

MD5
9ae0067f9e6581650a8099fb54506f7c

SHA1
26dafbebb195d739d75b5013382d7277bb93efe3

SHA256
fa2fc3f284d91213bb30b0a1761b8909fc46cf0006cc8c9f1cb518294c3d5629

SHA512
eba98bf3dc04744ef54a0605b2edceed913fc021657d414c6481a49c85279f67a179805975848f16b46812fb781f8b8d6651f9a1101e5de8d0721b72dbb1c45e

Download Submit

Analysis

Sharing