5340fa00d94dad020cd738c7953f2993ee2409bb1a3a9d31f1393e358eb285b3

General

Target

016eca0dcdd25213cf26abb261fca666_JaffaCakes118.exe
Size

16KB
MD5

016eca0dcdd25213cf26abb261fca666
SHA1

a3742fc23c3d072f77f93cd22827de5d1fd357d1
SHA256

5340fa00d94dad020cd738c7953f2993ee2409bb1a3a9d31f1393e358eb285b3
SHA512

9575e604658b8be5e64a28f25c5b9cad5f1800c848cb0be964e4a3e529110a37734e8494e558c89213921a48eab77b3a6a22f9453b5a705ada5e6b6f185a2a93
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl0:hDXWipuE+K3/SSHgxml0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	016eca0dcdd25213cf26abb261fca666_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM3F4B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM96A2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEMEDAC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM4476.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM9B22.exe

Executes dropped EXE 6 IoCs

pid	Process
4804	DEM3F4B.exe
4572	DEM96A2.exe
4180	DEMEDAC.exe
3012	DEM4476.exe
2936	DEM9B22.exe
3356	DEMF1BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 4804	1988	016eca0dcdd25213cf26abb261fca666_JaffaCakes118.exe	97
PID 1988 wrote to memory of 4804	1988	016eca0dcdd25213cf26abb261fca666_JaffaCakes118.exe	97
PID 1988 wrote to memory of 4804	1988	016eca0dcdd25213cf26abb261fca666_JaffaCakes118.exe	97
PID 4804 wrote to memory of 4572	4804	DEM3F4B.exe	100
PID 4804 wrote to memory of 4572	4804	DEM3F4B.exe	100
PID 4804 wrote to memory of 4572	4804	DEM3F4B.exe	100
PID 4572 wrote to memory of 4180	4572	DEM96A2.exe	102
PID 4572 wrote to memory of 4180	4572	DEM96A2.exe	102
PID 4572 wrote to memory of 4180	4572	DEM96A2.exe	102
PID 4180 wrote to memory of 3012	4180	DEMEDAC.exe	104
PID 4180 wrote to memory of 3012	4180	DEMEDAC.exe	104
PID 4180 wrote to memory of 3012	4180	DEMEDAC.exe	104
PID 3012 wrote to memory of 2936	3012	DEM4476.exe	106
PID 3012 wrote to memory of 2936	3012	DEM4476.exe	106
PID 3012 wrote to memory of 2936	3012	DEM4476.exe	106
PID 2936 wrote to memory of 3356	2936	DEM9B22.exe	108
PID 2936 wrote to memory of 3356	2936	DEM9B22.exe	108
PID 2936 wrote to memory of 3356	2936	DEM9B22.exe	108

C:\Users\Admin\AppData\Local\Temp\016eca0dcdd25213cf26abb261fca666_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\016eca0dcdd25213cf26abb261fca666_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\DEM3F4B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3F4B.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Users\Admin\AppData\Local\Temp\DEM96A2.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM96A2.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Users\Admin\AppData\Local\Temp\DEMEDAC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEDAC.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4180
    - - C:\Users\Admin\AppData\Local\Temp\DEM4476.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4476.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Users\Admin\AppData\Local\Temp\DEM9B22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9B22.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\DEMF1BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF1BE.exe"
        7⤵
        Executes dropped EXE
        
        PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3F4B.exe

Filesize
16KB

MD5
2e0471aee4704dc9490b9fdd7e17df20

SHA1
60510311f39ec531b59b5598b32fa76e468cfe67

SHA256
5387c736efaded856b4b8ccd7080dc5f291a599d9fc4034241333cab3b48e484

SHA512
d2869d936e83c7ed78b76dadf18c73b0c75f9e21acd0fac9bcf76bcfec30a5872e04b4bfbd53c37cc246c512df4cd8f373bf0d73c702bc43c959835515b8c23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4476.exe

Filesize
16KB

MD5
bf130b7d2777fbc07dd7336c2a37b299

SHA1
ef1857c105316315a5078f7ef7c368e1fb960cab

SHA256
ab2a4f96438cef82a41e0d2574934848ff11289273d670f2c5b57935c219064f

SHA512
870f6416b1345deed93c7960e9a1d5584cbdeb763f832836d4b3caf30f7260f419a2fa67c6900d38ec8b732be1fa6127528eaa33f428e101e9d992dc524607b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM96A2.exe

Filesize
16KB

MD5
ea8fd6da2507ffd617f0859e285c2537

SHA1
ecb300df1128270d76566f9750042a25d645197b

SHA256
c353318bfee8385738bd15f4119da0247f80772dd4b824131ad78d35a5c8e912

SHA512
3c6bc6ffff3f7e86fc4d1f2c022f7d282a82bfaa23cd141f1417bdb643ba028f8bec2fb8c930c5d3eb5f215a56d2454f445f3d23459d835ebc8111d86573ca53

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9B22.exe

Filesize
16KB

MD5
a59b8137ac1240a41e6fd24ae34cd242

SHA1
78a5c668d92369b4ed21e06113723308c1bfba75

SHA256
12ba85a67e7ae52a8dc606aa40623cd6e711ecf59ce85687e661db038d19c86c

SHA512
68c45066ed95ab99d13e0357ac469add994d3a1bdccc8d2b75b0775fe2adfd6bacd67489546b4670c160730803c48bb27162dd1699e761f0639985aaf7fef817

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEDAC.exe

Filesize
16KB

MD5
c4abfe2e5b481e8b9e033634f5e504b8

SHA1
0f6c54d54ec8c3556a50542e4fe2fde1815560fb

SHA256
6fa9f5445027aa768b8069730d1f1dc38dae20b45f1dc6d384bcbad6c3b18d07

SHA512
fde48292615f4c44ff88bf424111b17783e18f6074cd9ea3a1cf079936493db0d61d32e87062294e6f08efe1f0d17d6c2e537b5959a018a3906446e4a8720353

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF1BE.exe

Filesize
16KB

MD5
e654b42b91924903c10f4860d99dbc50

SHA1
c2f8cbfd9300bbb21f4f167139a8a781a0382ffd

SHA256
02d81e2d0e5686449b917e028daf8d464e69579d34676c96e0cd63afbe8df132

SHA512
b5631acf788332a33b0af5b9b8086eae6405f2d9e7fe080fbef794c35440be606dec9d13c8393906733912e45f77caf7ee40507d11bd72c0b1a5dbf9fb95b4d4

Download Submit

Analysis

Sharing