857d384bb9d841aeb80330b059e579d428250c5e84b58ab1ad6bbf73c6ce9566

General

Target

12db56543c6d72313f4c6ec0295203d4_JaffaCakes118.exe
Size

16KB
MD5

12db56543c6d72313f4c6ec0295203d4
SHA1

559efedc6f87d32aa42b13cf922b6db1472c1fc1
SHA256

857d384bb9d841aeb80330b059e579d428250c5e84b58ab1ad6bbf73c6ce9566
SHA512

84c79bb7eb96116ec059f2e0d57334d62063caa4a2b5c76941b4d61b2eb7c0a3bb2f46af8b19d84c12a695d408b5ce27d3bfedf85e8a185a005c5bf5dcc62296
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhOOhCT:hDXWipuE+K3/SSHgxth

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	12db56543c6d72313f4c6ec0295203d4_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM3836.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM8E75.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEME455.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM3AB2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM90E1.exe

Executes dropped EXE 6 IoCs

pid	Process
1260	DEM3836.exe
4976	DEM8E75.exe
860	DEME455.exe
4364	DEM3AB2.exe
3060	DEM90E1.exe
3492	DEME6F0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 1260	3456	12db56543c6d72313f4c6ec0295203d4_JaffaCakes118.exe	98
PID 3456 wrote to memory of 1260	3456	12db56543c6d72313f4c6ec0295203d4_JaffaCakes118.exe	98
PID 3456 wrote to memory of 1260	3456	12db56543c6d72313f4c6ec0295203d4_JaffaCakes118.exe	98
PID 1260 wrote to memory of 4976	1260	DEM3836.exe	101
PID 1260 wrote to memory of 4976	1260	DEM3836.exe	101
PID 1260 wrote to memory of 4976	1260	DEM3836.exe	101
PID 4976 wrote to memory of 860	4976	DEM8E75.exe	103
PID 4976 wrote to memory of 860	4976	DEM8E75.exe	103
PID 4976 wrote to memory of 860	4976	DEM8E75.exe	103
PID 860 wrote to memory of 4364	860	DEME455.exe	105
PID 860 wrote to memory of 4364	860	DEME455.exe	105
PID 860 wrote to memory of 4364	860	DEME455.exe	105
PID 4364 wrote to memory of 3060	4364	DEM3AB2.exe	107
PID 4364 wrote to memory of 3060	4364	DEM3AB2.exe	107
PID 4364 wrote to memory of 3060	4364	DEM3AB2.exe	107
PID 3060 wrote to memory of 3492	3060	DEM90E1.exe	109
PID 3060 wrote to memory of 3492	3060	DEM90E1.exe	109
PID 3060 wrote to memory of 3492	3060	DEM90E1.exe	109

C:\Users\Admin\AppData\Local\Temp\12db56543c6d72313f4c6ec0295203d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12db56543c6d72313f4c6ec0295203d4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Users\Admin\AppData\Local\Temp\DEM3836.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3836.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\DEM8E75.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8E75.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Users\Admin\AppData\Local\Temp\DEME455.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME455.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:860
    - - C:\Users\Admin\AppData\Local\Temp\DEM3AB2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3AB2.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4364
      - C:\Users\Admin\AppData\Local\Temp\DEM90E1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM90E1.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\DEME6F0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME6F0.exe"
        7⤵
        Executes dropped EXE
        
        PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3836.exe

Filesize
16KB

MD5
04973b81f5ec7961a639a1418c84a9ac

SHA1
5caf27685f77011e499cf23664e64cad35bc95f9

SHA256
cfdb3f3b0a310256c788615b4b25480385a18c738ef46d4b633274dbfcca299d

SHA512
477f4eb5a4927190c89140b48f2427fab5c4800b2011906fa6f3fc738aae490afae6355cd029e4c57a672e723d053bd36c67d1194a5f7dc2d5981c988691b2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3AB2.exe

Filesize
16KB

MD5
8b3ed4880ddeeab40a06cef4f15c1320

SHA1
5957ba021c3ea8244a3e7113a6d439baec00cceb

SHA256
23bb76d78be2456d942379477438ce9431a26f1a8794959ded2ecac5f901f8b1

SHA512
f6bc6bf53aa62e255c81aaac921d84851f09da779d0aecf36f10b29aece3f332ffbb3f8984dab4597c9efd7dd540cda35431d1bd9841d6f05ff1c90bf89c4dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8E75.exe

Filesize
16KB

MD5
db167cf0b088a6717391d4a711df3df6

SHA1
a61257dd77af32d2be1b4412a9dd580a68248a17

SHA256
2e15275a1f351c093def1d9c1c07d41c6d7baef0274fc299b544c5e33b0ad231

SHA512
0cf4248a7180dafa5af649c497c3204896c8c3291a3846dfedb59cd798fbd7bb37389b3d1ec1c904dc3c8fa3e27b3417d2108861ced494af686eaedee1d2d6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM90E1.exe

Filesize
16KB

MD5
6401af0f3c083a00e90eec70d8dcd422

SHA1
6a372db47675ec0409dfe86725a435e6be7d1286

SHA256
f7433ed6ac1f574c6fad7476e04eea1f95e15f6a7e2ce755623f13a01c0850c8

SHA512
d09a4cfa3a896a89aa09d647d95f52c663348ab4e48edf08eb989472a05f6dfd63ce0e69c55c527a4ec7e72ad5be1345c8e95c940228382cfbf3ed85cf958eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME455.exe

Filesize
16KB

MD5
4e8966fde689d7139879d8a20fbe04a1

SHA1
a9ec8547b9d22d101c16b9ceea5d067ac83f56de

SHA256
4b004aa9f01dd5dad6725849a4b5028a82304e8b1df973a0407961202f50b81f

SHA512
82b827c2da1767f3d1af14c62d3f1e0738483b71247c462a1362c9185169ba446cd897ab367a9d0fd4e58fb50b57aebab8a306d5ad008a3a74451032d5cd8890

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME6F0.exe

Filesize
16KB

MD5
c693b800374aaa27525e7b2817a73d6d

SHA1
e57d0754c48e3c708c669606af9dca846def9083

SHA256
f5aac55bbfb71e80adc733dc6e0f23a27b98af6794b7a0d3277f332c34e08bdd

SHA512
34bb243a4b66250c223fd677e7e1502742b1b45e04f429f70f0ae8d1c64af3ca5a1529890aa8d03d9285a0dec1526e0c046c40d1bb07245034dca91e22628e97

Download Submit

Analysis

Sharing