Analysis
max time kernel: 134s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-01-2025 06:49
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe
Size: 16KB
MD5: f9fde476b15ad9fe7da9a629f280ae8c
SHA1: 1e06abb6ceceef9fee6170b0590114979e4c1f2c
SHA256: ac7699a7ff7ef0ea4473ce4dd6391ed175be53e3c5e884a94ffd51788a008538
SHA512: df3256bd480ac979ab11d150e9ef28fbce3d82b82492bead078bea7e5bbd9ff4383d2dfcd5b78bccd64c9e41764ff0d3045402a67e5b2cabee4a9b11d896aebe
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0Fi:hDXWipuE+K3/SSHgxm0Q
Malware Config
Signatures
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                     Process
Key value queried  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation  JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe
Key value queried  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation  DEM759D.exe
Key value queried  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation  DEMCD52.exe
Key value queried  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation  DEM23FE.exe
Key value queried  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation  DEM7AE8.exe
Key value queried  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation  DEMD1B3.exe

Executes dropped EXE (6 IoCs)
pid   Process
4696  DEM759D.exe
800   DEMCD52.exe
2916  DEM23FE.exe
2168  DEM7AE8.exe
2996  DEMD1B3.exe
4284  DEM28CB.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                       Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMCD52.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM23FE.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM7AE8.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMD1B3.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM28CB.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM759D.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description                       pid   Process                                              procid_target
PID 2528 wrote to memory of 4696  2528  JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe  98
PID 2528 wrote to memory of 4696  2528  JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe  98
PID 2528 wrote to memory of 4696  2528  JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe  98
PID 4696 wrote to memory of 800   4696  DEM759D.exe                                          103
PID 4696 wrote to memory of 800   4696  DEM759D.exe                                          103
PID 4696 wrote to memory of 800   4696  DEM759D.exe                                          103
PID 800 wrote to memory of 2916   800   DEMCD52.exe                                          105
PID 800 wrote to memory of 2916   800   DEMCD52.exe                                          105
PID 800 wrote to memory of 2916   800   DEMCD52.exe                                          105
PID 2916 wrote to memory of 2168  2916  DEM23FE.exe                                          107
PID 2916 wrote to memory of 2168  2916  DEM23FE.exe                                          107
PID 2916 wrote to memory of 2168  2916  DEM23FE.exe                                          107
PID 2168 wrote to memory of 2996  2168  DEM7AE8.exe                                          109
PID 2168 wrote to memory of 2996  2168  DEM7AE8.exe                                          109
PID 2168 wrote to memory of 2996  2168  DEM7AE8.exe                                          109
PID 2996 wrote to memory of 4284  2996  DEMD1B3.exe                                          111
PID 2996 wrote to memory of 4284  2996  DEMD1B3.exe                                          111
PID 2996 wrote to memory of 4284  2996  DEMD1B3.exe                                          111
Processes
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe"
   PID: 2528
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\DEM759D.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\DEM759D.exe"
     PID: 4696
     - Checks computer location settings
     - Executes dropped EXE
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\DEMCD52.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\DEMCD52.exe"
       PID: 800
       - Checks computer location settings
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\DEM23FE.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEM23FE.exe"
         PID: 2916
         - Checks computer location settings
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Local\Temp\DEM7AE8.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\DEM7AE8.exe"
           PID: 2168
           - Checks computer location settings
           - Executes dropped EXE
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
          6. C:\Users\Admin\AppData\Local\Temp\DEMD1B3.exe
             Command line: "C:\Users\Admin\AppData\Local\Temp\DEMD1B3.exe"
             PID: 2996
             - Checks computer location settings
             - Executes dropped EXE
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Local\Temp\DEM28CB.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEM28CB.exe"
               PID: 4284
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 16KB
MD5: e5a20d1f08b6c3aa5781908820069526
SHA1: 29e604bdfdccffad23056c16a3aa7abcf9764211
SHA256: b87ff22634cdfadc85c7d6b7befebfd479757f6bf843b7d4cbc182e4db2d206a
SHA512: 1f092d535925dcd949b2598bcd0a2dd10fb2e85ae48ba38b4f6a2d20a709fec0dfb564da8ec9a5c09c2f4e77ef9c58c3f249f771a3bbf23ba8fd4fd978fd46d6

Filesize: 16KB
MD5: ab2d33a450d8914655c4a547a1ec1b39
SHA1: b85ab1dd2ec72aa83ec13689c669ebea96f19a1c
SHA256: 950cf6e2e9bf97717bff294618b048e15fe47694675932f410117c0bab190d16
SHA512: 28612063cd19330098c56905c8222d39af7f851ba9d2889968f731e0291a23e6e3f9815f16eb695e8095b27d2603f28e3dbde80f45fee14acf32e4af0a8281de

Filesize: 16KB
MD5: f1b44d46cff6b36157088b23667422d9
SHA1: 6b0e296a62562b9df21c419a04c9e610da242f43
SHA256: 470a5b3f62271d1bcd2546103fd38c1f1ba83cb5fbbfcaa0513f3eea8dbcc75b
SHA512: 446bd6a83985da8e8bf1ad50f30255de7b61238cc9e56cdafec144ef6c2d7c323ae0ef6050f7d1dc4545469397f0578f68592e8d3c95d9ee725f141273f40111

Filesize: 16KB
MD5: f7b2c5bd761fa808f0824ddfc8b65599
SHA1: 5acda81fab4e6caf794ceb2b497093b26bab2850
SHA256: bc37f6db43255f5bea206af5d19b72f7d657de58e4a5a8d29056daac47ebf924
SHA512: 74248b582538bde566d2ccfdd8a4654929bae508281784b7f5e911a423737437527d97fb9a44fc73a854374bfb0e54fc0c1f36d5b0f90e9e62ce75270fdd2a0c

Filesize: 16KB
MD5: 39053d22bf9e6d150cbfb00817c1bce7
SHA1: beca9a77bb8c639e7a46376fc728b7f80ab0529a
SHA256: 3c59c4ebc3b0c86b10d099c268b575d8fa90e8fd57dd1dac40ff419fae0623bc
SHA512: 25f44520b9e971edc1e8db55c3ed3973798583319fcb24a3527acbc4ce0789398173927432be777c2a6b7233605fa1f135abeb70cf81057eebf75dc060a81272

Filesize: 16KB
MD5: 84d2ddd6e1a4cb5f987803255bd51999
SHA1: 11b287134c392fb6389a08ae077829ba569a99a3
SHA256: df4881bd3bf3e8b3a16f97763794c085f161a3aefca25e45357f5a44861953e5
SHA512: 9a8204f2d1403dc9aa6bdb0a46ad8818b11b170a85953d762eb25919ca8f79b819dd9feda0527b8173ac186ae08fc083dab4e87ba0b3d64bbe7088478d7b9a33