14ab2fe64354b9ec519a528d6934e8ddb03dabc5ebb34c23129cd5c86b2554f1

General

Target

10e1f2e0c01c9631e567af8f36bbc61b_JaffaCakes118.exe
Size

15KB
MD5

10e1f2e0c01c9631e567af8f36bbc61b
SHA1

14b578c49d28dcd272da4a5c6304f74cc31dfb5e
SHA256

14ab2fe64354b9ec519a528d6934e8ddb03dabc5ebb34c23129cd5c86b2554f1
SHA512

cf46a443e59fc83af58efd7b5b5bd83c76a05df8b36e8cfa805ba4f4c338dbf52ca2b718dc95c603c9096253aeed8dcfe6652ec069a47c494c1cd71dae7831c4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8QHi:hDXWipuE+K3/SSHgxm8qi

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM6B38.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMC34B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	10e1f2e0c01c9631e567af8f36bbc61b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM62B1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMBBAF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM1383.exe

Executes dropped EXE 6 IoCs

pid	Process
2684	DEM62B1.exe
960	DEMBBAF.exe
4812	DEM1383.exe
4844	DEM6B38.exe
1352	DEMC34B.exe
4940	DEM1AF1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 2684	5020	10e1f2e0c01c9631e567af8f36bbc61b_JaffaCakes118.exe	95
PID 5020 wrote to memory of 2684	5020	10e1f2e0c01c9631e567af8f36bbc61b_JaffaCakes118.exe	95
PID 5020 wrote to memory of 2684	5020	10e1f2e0c01c9631e567af8f36bbc61b_JaffaCakes118.exe	95
PID 2684 wrote to memory of 960	2684	DEM62B1.exe	98
PID 2684 wrote to memory of 960	2684	DEM62B1.exe	98
PID 2684 wrote to memory of 960	2684	DEM62B1.exe	98
PID 960 wrote to memory of 4812	960	DEMBBAF.exe	100
PID 960 wrote to memory of 4812	960	DEMBBAF.exe	100
PID 960 wrote to memory of 4812	960	DEMBBAF.exe	100
PID 4812 wrote to memory of 4844	4812	DEM1383.exe	102
PID 4812 wrote to memory of 4844	4812	DEM1383.exe	102
PID 4812 wrote to memory of 4844	4812	DEM1383.exe	102
PID 4844 wrote to memory of 1352	4844	DEM6B38.exe	104
PID 4844 wrote to memory of 1352	4844	DEM6B38.exe	104
PID 4844 wrote to memory of 1352	4844	DEM6B38.exe	104
PID 1352 wrote to memory of 4940	1352	DEMC34B.exe	106
PID 1352 wrote to memory of 4940	1352	DEMC34B.exe	106
PID 1352 wrote to memory of 4940	1352	DEMC34B.exe	106

C:\Users\Admin\AppData\Local\Temp\10e1f2e0c01c9631e567af8f36bbc61b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10e1f2e0c01c9631e567af8f36bbc61b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\DEM62B1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM62B1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\DEMBBAF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBBAF.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Users\Admin\AppData\Local\Temp\DEM1383.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1383.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4812
    - - C:\Users\Admin\AppData\Local\Temp\DEM6B38.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6B38.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4844
      - C:\Users\Admin\AppData\Local\Temp\DEMC34B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC34B.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\DEM1AF1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1AF1.exe"
        7⤵
        Executes dropped EXE
        
        PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1383.exe

Filesize
15KB

MD5
ec7d841ec5eb590057a85fd0cdf0755f

SHA1
94df5f0c6bd8e71b90bca6ab12a6cd13c641d4b2

SHA256
2e7ba549be9c87bbfa8c5d0f42ad894d44cd3431bc94fedcf402e28080bde869

SHA512
df533404089306f97705be90025879c98a3231957bc056615b9a652d97df456abffd02b55884fe60c24adc2f2917de3ddbd379bb036326afb5ad6d010e8e070f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1AF1.exe

Filesize
15KB

MD5
d76f82ab7f5e55a972724b348bda9079

SHA1
dcc8563d2ac9e934e6111009a75fa4426e7042ee

SHA256
4038da55f9d442542c84f20b870c7d1c290afde7c2a2566ea89407260798c594

SHA512
e08034cfb38a6e77b9ab7a7871cd0dbf27d6eaa88b0aafbf22be67a152cf825b1002413e4b54243ab178d4b2229eb54bda4e665884bfaee84b6581f815241c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM62B1.exe

Filesize
15KB

MD5
df9de23a6150d8d8dd883fb7f42f5c1f

SHA1
a769b3da798c180bfecfa1461ff2a66e1624f86a

SHA256
cb60e8072041810415588c0ec3fa9e7c5eb4c6e28580e3d0ce8e32b7b03d651d

SHA512
14c21bdf0d8026fa4f69381ca78eefec251a2ab816f39b57bafedb34d4e8903e09f2bd5f5200327a9fc3da94e19399bceba24e2d8d3169dfba4f0514dde2b03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6B38.exe

Filesize
15KB

MD5
d05d293483b15389f43e6cddd07a9a31

SHA1
a0b4c891de8944f6e2b11842a91ae86cc53cfdfd

SHA256
caa72383743fd535e12ad4348c98a000034c8a88807e4abc2eff4d96cbb8e3a5

SHA512
f16fea9c770a9fe65aa40e3f5914e3c536db601ce9949dbaca8027df348de97d1a9a2b3c5d8abcaa73b0e4dfc5aec0c7a3c2f9a6a5e7408a81e6f54582356842

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBBAF.exe

Filesize
15KB

MD5
1cd5e5e45b89ea567fdbe5a584323f6f

SHA1
717e36da90321f54ead895e4058fb868eb51dfc6

SHA256
edc7b528d4d9b37fecb6f473620b073a09bdc00c25f5dabaa11fe5d5da0b90d9

SHA512
7d836ea2d6a2369313af283f63abe00be9990f933f54caf5a77db41cc3bfd1c19f09567251bbb7651aa90b8fe8bb23d3532ed3a1eb09152d790e1de831d93173

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC34B.exe

Filesize
15KB

MD5
3e7d47d2459c3af10964ec25b7c8ab39

SHA1
6e99244cb6f40b0bc7167dfcad776d39c6a4a850

SHA256
c3d5abed5adb4435843f952f6d2fc072caaf8076b54c200a6f31f82897fba95f

SHA512
711e93c855f4657ee90474221965969d216200a5234ffe821b536460cf624d2454ef46b4531686c0c0e060601d9880c08a48d88baffe1365fba11ecc360278d0

Download Submit

Analysis

Sharing