ba31660aaea6e1db272ed051f10edb68c2aa8618d595a1c784a8eaf8b98716cc

General

Target

0af5cf02ae4e6ddfed1bc9d927d9738f_JaffaCakes118.exe
Size

14KB
MD5

0af5cf02ae4e6ddfed1bc9d927d9738f
SHA1

3e515fe0be70cc8111c109e57b1af675106b878b
SHA256

ba31660aaea6e1db272ed051f10edb68c2aa8618d595a1c784a8eaf8b98716cc
SHA512

6381133476861152c414384295c4660aabcd68680c19cb1778cde5930929bfbaea703e7ca6c3cfa8ca2b523f1c85d39e8e034cb86d1f08f93c0bdd8a36cab73d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYT/:hDXWipuE+K3/SSHgxmT

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM4BD4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMA399.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	0af5cf02ae4e6ddfed1bc9d927d9738f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM6184.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMF383.exe

Executes dropped EXE 5 IoCs

pid	Process
3152	DEM6184.exe
2320	DEMF383.exe
1360	DEM4BD4.exe
1644	DEMA399.exe
1016	DEMFC87.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 3152	5016	0af5cf02ae4e6ddfed1bc9d927d9738f_JaffaCakes118.exe	97
PID 5016 wrote to memory of 3152	5016	0af5cf02ae4e6ddfed1bc9d927d9738f_JaffaCakes118.exe	97
PID 5016 wrote to memory of 3152	5016	0af5cf02ae4e6ddfed1bc9d927d9738f_JaffaCakes118.exe	97
PID 3152 wrote to memory of 2320	3152	DEM6184.exe	105
PID 3152 wrote to memory of 2320	3152	DEM6184.exe	105
PID 3152 wrote to memory of 2320	3152	DEM6184.exe	105
PID 2320 wrote to memory of 1360	2320	DEMF383.exe	107
PID 2320 wrote to memory of 1360	2320	DEMF383.exe	107
PID 2320 wrote to memory of 1360	2320	DEMF383.exe	107
PID 1360 wrote to memory of 1644	1360	DEM4BD4.exe	109
PID 1360 wrote to memory of 1644	1360	DEM4BD4.exe	109
PID 1360 wrote to memory of 1644	1360	DEM4BD4.exe	109
PID 1644 wrote to memory of 1016	1644	DEMA399.exe	111
PID 1644 wrote to memory of 1016	1644	DEMA399.exe	111
PID 1644 wrote to memory of 1016	1644	DEMA399.exe	111

C:\Users\Admin\AppData\Local\Temp\0af5cf02ae4e6ddfed1bc9d927d9738f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0af5cf02ae4e6ddfed1bc9d927d9738f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\DEM6184.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6184.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Users\Admin\AppData\Local\Temp\DEMF383.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF383.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\DEM4BD4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4BD4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1360
    - - C:\Users\Admin\AppData\Local\Temp\DEMA399.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA399.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1644
      - C:\Users\Admin\AppData\Local\Temp\DEMFC87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFC87.exe"
        6⤵
        Executes dropped EXE
        
        PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3840 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4BD4.exe

Filesize
14KB

MD5
d0d4bf927464ed44ca610a800543d321

SHA1
b803704ebf196e655dd64fbe1a7de5632bd1aad3

SHA256
0959b8b8bec084ed29eac170174fe906bbc524fdf5fe099776193a36020a0274

SHA512
6a2b1beeb09a67acd2a43cdb1550d970a1d30ffd8367ea91869c08c0a7891e3df764b3d30382b283d2a5ed0c71062dd345c7f09c80dfea36f6b41c30d0473b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6184.exe

Filesize
14KB

MD5
5eae460e30fb3950af0dce3a051f385a

SHA1
868bd9172781cab416c633d782c74da6cf1fcd38

SHA256
a5bf8ca9b62e779190e229e176c436a0018063739f5488fbd5595fee018d76cc

SHA512
1f7b82a31cb3f31d369647e1f0a4566fb157143688fb2ea4fbee070fbf98c887c7096137ba5e6720da212e7be8a8ef9bb2710a7644e39c09d259fa09d83462c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA399.exe

Filesize
14KB

MD5
37be01ab5b84f63a9375e6f941bf926a

SHA1
c0c786532ee1df7130dc2069b6b9843ae215e255

SHA256
bf116a6686dd46751d8071c2a303515dd63c0cf7efc631d980e236a691f887f6

SHA512
a34e47b07310c197dc48efbed0d25da5856769bef650afe06b35b78dfcfdea808a50fd55a7e62e667e9b83ef4f8bf9f3cc5811ad7eb50bd3802acf0aa94670fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF383.exe

Filesize
14KB

MD5
3452a27400e8b477af69bd0e4f5bc1b1

SHA1
128cded9df6242146e45092f1f2de1b2ad159795

SHA256
b05093f05a7897fe384be2b196f85914e958702a21f253aad06799372e214aeb

SHA512
9c400a5c7f6b92d08ed6e1c9171732d94a2fe3f7259fe82396e690284ac7ee42ff43703f75d6ffa43ab5e5440c99f2b47f04fd378ab9a2ef4bab46ab5cd2cf12

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFC87.exe

Filesize
14KB

MD5
b7a44c5e2f8110ba39347b00e3a32ec7

SHA1
4aadc26df2e7fd0633657b4345c07db026e4d451

SHA256
3d3a3a7c7453034f290b59b1a6ddee1e1af753d920221267b14c81f0635490b9

SHA512
2dbd102277e2439dbc8bbc80b6b70ffa51eccde09aee8414f361a02e38b2b31c07f8cf966442e06e26bf007911d96f0b7d23c05589895d104b203fffdc5c1a02

Download Submit

Analysis

Sharing