a8054060ea7a103dc8d2943aea79c5cfed3645c23c1027fcfd042e6d14daf847

General

Target

06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe
Size

15KB
MD5

06d39b248619f7fda87fc5847d7a6ef2
SHA1

9b80ecd44a4c26020bd38bc75358ff9d684e1477
SHA256

a8054060ea7a103dc8d2943aea79c5cfed3645c23c1027fcfd042e6d14daf847
SHA512

b8d11cd602a5ef4bfd7419950666e5c80f3023070554b4825e41d8e37a258f4ec5811942a0d28c5315eb49633da66cab30c90fc6c292fa211a1932cfaff7a8a2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvAz2d:hDXWipuE+K3/SSHgxm4U

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM39EC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM903A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEME61A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM3C49.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM9258.exe

Executes dropped EXE 6 IoCs

pid	Process
764	DEM39EC.exe
3052	DEM903A.exe
3132	DEME61A.exe
1840	DEM3C49.exe
3044	DEM9258.exe
3084	DEME886.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 764	2312	06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe	95
PID 2312 wrote to memory of 764	2312	06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe	95
PID 2312 wrote to memory of 764	2312	06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe	95
PID 764 wrote to memory of 3052	764	DEM39EC.exe	98
PID 764 wrote to memory of 3052	764	DEM39EC.exe	98
PID 764 wrote to memory of 3052	764	DEM39EC.exe	98
PID 3052 wrote to memory of 3132	3052	DEM903A.exe	100
PID 3052 wrote to memory of 3132	3052	DEM903A.exe	100
PID 3052 wrote to memory of 3132	3052	DEM903A.exe	100
PID 3132 wrote to memory of 1840	3132	DEME61A.exe	102
PID 3132 wrote to memory of 1840	3132	DEME61A.exe	102
PID 3132 wrote to memory of 1840	3132	DEME61A.exe	102
PID 1840 wrote to memory of 3044	1840	DEM3C49.exe	104
PID 1840 wrote to memory of 3044	1840	DEM3C49.exe	104
PID 1840 wrote to memory of 3044	1840	DEM3C49.exe	104
PID 3044 wrote to memory of 3084	3044	DEM9258.exe	106
PID 3044 wrote to memory of 3084	3044	DEM9258.exe	106
PID 3044 wrote to memory of 3084	3044	DEM9258.exe	106

C:\Users\Admin\AppData\Local\Temp\06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\DEM39EC.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM39EC.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Users\Admin\AppData\Local\Temp\DEM903A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM903A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\DEME61A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME61A.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3132
    - - C:\Users\Admin\AppData\Local\Temp\DEM3C49.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3C49.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1840
      - C:\Users\Admin\AppData\Local\Temp\DEM9258.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9258.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\DEME886.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME886.exe"
        7⤵
        Executes dropped EXE
        
        PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM39EC.exe

Filesize
15KB

MD5
02f1e3c350223f11193968fbd847b4ba

SHA1
c6f01516e837c2f8e6af8f9b6a490b043ad14707

SHA256
c5b897cc54caf918b71d1729428513a83d9f31cb2b706e96117e6e4c49bc6bf2

SHA512
38a8f9e8cac55c87a97626418b7df0f0d50106261acaf201b66a421dbb9dc3dbc7b8ea0cbaee1d15dd4dd707ce24ab5d8387c691549bd226a21f05a8236c05fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3C49.exe

Filesize
15KB

MD5
1ef34f96c5896ed5b3f1e5a88cae56b5

SHA1
60cd9d12fbf831dc465c7a59bed2a25e3dcd3653

SHA256
f705eca083e1dd1be50fd1fbb2e5961a9e3a72bff9edfdc0fcca149f611019f8

SHA512
f0bd0f530e63ad88354de69107410dde7d8b0da1dacba690ffe7ad0954364755f9944bcfe40e02d01702d6a44cbdebec74a22f4c7aef7aa7a59c9b533c7adf4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM903A.exe

Filesize
15KB

MD5
b77d982cb6f3da1cd53fa60f87ce443b

SHA1
710604a6b762dce5f7b4cda7070c7b03ae3e1aa7

SHA256
937a2eeb93546f2fa067ccd52e9aed9e2cbc4caf2379f7ee31e3db4a469db6f5

SHA512
0ddd5fed9074c2a2f427f337f3933ea07fd6294134121db064086ad9458f52cfaf7875f1fd1de30290808dd1a9db7b1d97c9285c362598387129f1e081bd4cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9258.exe

Filesize
15KB

MD5
373f1354161bc67b285829d7affe89ca

SHA1
bb41a5da828998041d38df25eb062113c10b8d8a

SHA256
b977de6344f358db3d7548614024a5058a8cb3b1b4c2b71890399710bf3f91af

SHA512
b0c5bbb671719de50cf2d08e505d5a8cdba422548ed84c8eacad6d10d2f3981232e2b7afd0c59d79f2cd12660d11ed48d9c067eeb14d98292ff2bc44f9b6a69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME61A.exe

Filesize
15KB

MD5
43aeb7ee40924df947f6909fd2a34fb1

SHA1
b39faf5d0fd65cfcd5ededc4d82ccea70d105f29

SHA256
b1baca5dc49d526979e0ecff2426d605fa5ed568dfbca9aee8a2efbe526e1f60

SHA512
22040ceb0a3a29eb3814ad4f45f4d159ee232031b303cf94d699c2536c98490d1b0d4b46c1d4c65bc365a0f03bd9831501f71e0a2646bfb6ab8bc7b23aa5fa6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME886.exe

Filesize
15KB

MD5
2537a17a277b1a29e37a546c1a1dcf9d

SHA1
58b5e6912e0ac620d4468e349eb5c2775d0f9721

SHA256
3f79ecf9750a1c1379bb7892b8d3bd8ff55bc3082b0dbb500829a43bddfb3a38

SHA512
a4483e40f5113255627ed7ea663e9848175dc4381aa5a6c73366b10c883a4b09918475905584895ad2485f7ab333c3251dffc253e837c79dd3fcd91a88ca884c

Download Submit

Analysis

Sharing