fed5291c2443e49e70d89de0f944621a4dead8e16e023947a0f3923598aac816

General

Target

06e931b42b33ab3a95c666b5fc2ae6fa_JaffaCakes118.exe
Size

16KB
MD5

06e931b42b33ab3a95c666b5fc2ae6fa
SHA1

97d8d1909fe36851133a65228c14b58b922b8367
SHA256

fed5291c2443e49e70d89de0f944621a4dead8e16e023947a0f3923598aac816
SHA512

98bac124308982722c3f848db8bd2f56f739d73449a035f06f059f67a099afe2ce164208d63906fd557a6f62f9311166ac21b0dcda1e4b3d2dc5d7f46528443d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5Z7+K:hDXWipuE+K3/SSHgxl50K

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM344E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM8ABB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEME0BB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM36AB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM8C9B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	06e931b42b33ab3a95c666b5fc2ae6fa_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
4856	DEM344E.exe
4992	DEM8ABB.exe
3496	DEME0BB.exe
2504	DEM36AB.exe
5072	DEM8C9B.exe
1344	DEME29B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 4856	856	06e931b42b33ab3a95c666b5fc2ae6fa_JaffaCakes118.exe	97
PID 856 wrote to memory of 4856	856	06e931b42b33ab3a95c666b5fc2ae6fa_JaffaCakes118.exe	97
PID 856 wrote to memory of 4856	856	06e931b42b33ab3a95c666b5fc2ae6fa_JaffaCakes118.exe	97
PID 4856 wrote to memory of 4992	4856	DEM344E.exe	100
PID 4856 wrote to memory of 4992	4856	DEM344E.exe	100
PID 4856 wrote to memory of 4992	4856	DEM344E.exe	100
PID 4992 wrote to memory of 3496	4992	DEM8ABB.exe	102
PID 4992 wrote to memory of 3496	4992	DEM8ABB.exe	102
PID 4992 wrote to memory of 3496	4992	DEM8ABB.exe	102
PID 3496 wrote to memory of 2504	3496	DEME0BB.exe	104
PID 3496 wrote to memory of 2504	3496	DEME0BB.exe	104
PID 3496 wrote to memory of 2504	3496	DEME0BB.exe	104
PID 2504 wrote to memory of 5072	2504	DEM36AB.exe	106
PID 2504 wrote to memory of 5072	2504	DEM36AB.exe	106
PID 2504 wrote to memory of 5072	2504	DEM36AB.exe	106
PID 5072 wrote to memory of 1344	5072	DEM8C9B.exe	108
PID 5072 wrote to memory of 1344	5072	DEM8C9B.exe	108
PID 5072 wrote to memory of 1344	5072	DEM8C9B.exe	108

C:\Users\Admin\AppData\Local\Temp\06e931b42b33ab3a95c666b5fc2ae6fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06e931b42b33ab3a95c666b5fc2ae6fa_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\DEM344E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM344E.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\DEM8ABB.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8ABB.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\DEME0BB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME0BB.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3496
    - - C:\Users\Admin\AppData\Local\Temp\DEM36AB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM36AB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Users\Admin\AppData\Local\Temp\DEM8C9B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8C9B.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\DEME29B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME29B.exe"
        7⤵
        Executes dropped EXE
        
        PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM344E.exe

Filesize
16KB

MD5
0a2313e9c8f21c9d4a8473b777227338

SHA1
a5fbbf68c853eae06c7887314a5b195b83ec1e09

SHA256
6e681ddf7603a86547ac70cf387d4e561b8ee6fe92a42d65a5e942ce9f802e9b

SHA512
91d3a17b6229c5e304fa263b46958ec06ab430a12d7f1699f2f72a5abd0b56d25a3a4f35e7ddbf2085473569e20c17fd375e220bd8078f4415e60e9fdd84e186

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM36AB.exe

Filesize
16KB

MD5
c07a6142667a4c904de239f4d8d5498a

SHA1
59a6c8ff4548e9485e14c655e44bf23d5ca88b0d

SHA256
5ea7c53eb2539a37a557da4e9c1faa5aa6be263171d9674a3c5adbe96802bc63

SHA512
357308b5e3361cd3b29d6c50b53e501d063a4e137eab2685226b044cb968624ad2b2f2fa9f968db17f009e4dc9a7a01aa5e8be289b54e8e9eeb38f4b4e9a06bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8ABB.exe

Filesize
16KB

MD5
8f8e77f9291dbbe9c0af5e7252134bdb

SHA1
c9d358cec1e070adfc92668ca69aa3846e0e75a6

SHA256
fee2d2c390b31f9b918b2e04febce24e2ee35fe6cd124fdd1fec7e84c77377c0

SHA512
921729feab4d12700f37d30c1fee07f13cb0166991b35c0167f1b68d330453e75a242fa936fc5846a0de45d346e45bd153ee250576bb0b8bb5a2362dcac55d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8C9B.exe

Filesize
16KB

MD5
50deb63435618966391a543c8367ad4b

SHA1
857487d6371c27599669cd2c12872c5c668424ad

SHA256
3aae1ff707de7149894019117ddb63b287e2dfc1580f24208e339ed3628e6ca2

SHA512
d691545cbe9df1232407b508411f5a660daec9f9a2962037ac5e4dc44ac96ddb9c5d81c97fe052b1d51664a8c5f93fd6d11de4bd76d59b2143dcc1961f0ae74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME0BB.exe

Filesize
16KB

MD5
a00e4a30697e3d7131da66ea8beb9134

SHA1
7d11adc062d92009a34cb54e39afc2e265594f18

SHA256
136e85a2cfbb9ba701aa9a0d40d298d8c98c210a554fe60db7e3afb3374abbc4

SHA512
995b3adaa134c798c8843e8029a2438805a53fd404cdc018d28887c2acbf51e7b8a0fb079f86726a2ff0283e8be1856e62c7674aa4c6edcc1685acf52b2ad473

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME29B.exe

Filesize
16KB

MD5
f2ae5253614985de74468fe419099a2c

SHA1
de618d52deb22c67a8ed8473188876aa52b99408

SHA256
b3ba0129be5788879dc0320e1fe8129ac4c3198c85b7f593e42ec033d7527617

SHA512
91e5aaf1b39d30fb586f7f0a0c2ad9d309330836d63b4cc3e658e3d956be4b0287c140252123dabacfdeaad63a368978d3d1d55390fcec0d70140deb765ee093

Download Submit

Analysis

Sharing