6bced70618e95672ac4d74ee4f1de60c4d54fd1996866ccd2f51dc6585476a83

General

Target

09878d48c0899ebd890d8438db1ba487_JaffaCakes118.exe
Size

14KB
MD5

09878d48c0899ebd890d8438db1ba487
SHA1

ac38f044b2f1bfa70cabb16ff0fe8936ae7510d7
SHA256

6bced70618e95672ac4d74ee4f1de60c4d54fd1996866ccd2f51dc6585476a83
SHA512

f399040a521a7526f3e3bb4d10c7d4ae71e747ec5069f065e72f26b67ff303eafd1621bf998b21bda932ee64cf6904de7b91c2e1e8e905f37e958912ba514a4c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0a:hDXWipuE+K3/SSHgxm0a

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM2FF4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM87A9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMDF8D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	09878d48c0899ebd890d8438db1ba487_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM6F63.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMD830.exe

Executes dropped EXE 6 IoCs

pid	Process
4788	DEM6F63.exe
4360	DEMD830.exe
4296	DEM2FF4.exe
4488	DEM87A9.exe
3788	DEMDF8D.exe
4100	DEM3762.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 4788	1996	09878d48c0899ebd890d8438db1ba487_JaffaCakes118.exe	97
PID 1996 wrote to memory of 4788	1996	09878d48c0899ebd890d8438db1ba487_JaffaCakes118.exe	97
PID 1996 wrote to memory of 4788	1996	09878d48c0899ebd890d8438db1ba487_JaffaCakes118.exe	97
PID 4788 wrote to memory of 4360	4788	DEM6F63.exe	100
PID 4788 wrote to memory of 4360	4788	DEM6F63.exe	100
PID 4788 wrote to memory of 4360	4788	DEM6F63.exe	100
PID 4360 wrote to memory of 4296	4360	DEMD830.exe	102
PID 4360 wrote to memory of 4296	4360	DEMD830.exe	102
PID 4360 wrote to memory of 4296	4360	DEMD830.exe	102
PID 4296 wrote to memory of 4488	4296	DEM2FF4.exe	104
PID 4296 wrote to memory of 4488	4296	DEM2FF4.exe	104
PID 4296 wrote to memory of 4488	4296	DEM2FF4.exe	104
PID 4488 wrote to memory of 3788	4488	DEM87A9.exe	106
PID 4488 wrote to memory of 3788	4488	DEM87A9.exe	106
PID 4488 wrote to memory of 3788	4488	DEM87A9.exe	106
PID 3788 wrote to memory of 4100	3788	DEMDF8D.exe	108
PID 3788 wrote to memory of 4100	3788	DEMDF8D.exe	108
PID 3788 wrote to memory of 4100	3788	DEMDF8D.exe	108

C:\Users\Admin\AppData\Local\Temp\09878d48c0899ebd890d8438db1ba487_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09878d48c0899ebd890d8438db1ba487_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\DEM6F63.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6F63.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\DEMD830.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD830.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\DEM2FF4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2FF4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4296
    - - C:\Users\Admin\AppData\Local\Temp\DEM87A9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM87A9.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4488
      - C:\Users\Admin\AppData\Local\Temp\DEMDF8D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDF8D.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\DEM3762.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3762.exe"
        7⤵
        Executes dropped EXE
        
        PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2FF4.exe

Filesize
14KB

MD5
5f8da9476afd78c7c593e2dc83c8bb63

SHA1
ce21f1b18eb7901e3e95c0736768146ecfd55d05

SHA256
02a4e6b401f2080f10daeb03b608e5f02b5d36f46877685bcb3b8f3248fae674

SHA512
9b3986683318aeb9c0da904656cfafac6a6fba4c9ad4bc0a9708c3421e426dad4a65e0d38513c4f14dd2ef49144639c33665a74ee4819a06a7f843c79fa92c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3762.exe

Filesize
15KB

MD5
59621a8a1ef4b7282e94c5dc10f85ad9

SHA1
1858de0fd8029956956a4ed676d3bd3f8e100e08

SHA256
f9f14d78dca689aa6f3d50dda593e39f89965dcab0ad3b3836ba848790136e5e

SHA512
639e6646913aabc0392e67b79fd2295d70e3dfe9c3c7a09c9ac11e39106d1637ac4a090b26a5b4d1a17b354e90ca18424062a09ba77a49c356d355aca5375f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6F63.exe

Filesize
14KB

MD5
dc1cd552478e28d7629a89598ad7859e

SHA1
bbefbbbd4a72bc5c4beedbada292f873940216fb

SHA256
616ede12f9040d4844b3ff3b32c7f69e343b6947738ed7b68c53a9b2074e74af

SHA512
338a0093b9ee228bf0b4afe02b674ac0c36d866f38d3f3b67ac7dd657ba6b59688fe5bda0490f27161e2284468a5f325dac273ca7e366e65b2f7cb35a07a396c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM87A9.exe

Filesize
14KB

MD5
c2c32735f54945aa313498884033ba51

SHA1
a3bb6f3905b9f97a43fb8bded539c63e22d10b71

SHA256
9eb41a09b52b84e92c221e6390eb9c5a2a69a257ce0198bb4fb0199a7c5443d4

SHA512
7a927ff01bd9da9fe2804850d47c81941494f26656c89ae846253de4e92808753933648b943e4a54e9e8d3770e74a4177a7a113aba810703f698160cc01a23e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD830.exe

Filesize
14KB

MD5
0d1f54cbecc2bba941617ed5637f29a5

SHA1
fec01a33ec4e2a9bf6c6d16433cdfe9acae2e73e

SHA256
da6b8829f36df50e192c5f77773ddceff643c009182c3150ab0b82b1bb991cb9

SHA512
ac6c9923da773e36349122b37bfd66bf6fdec771d75e5a15005a4cef2a0470468731e9f4473c6a245ae8c273a3d2abbb47523e3248382bf7369e5e8a0b0fc1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDF8D.exe

Filesize
15KB

MD5
a9c208b49905a4eea61895fccea8f4b0

SHA1
9c6d723991c5d259e769e516cb54528a396ed0e3

SHA256
6e1530abed0b000dfa5a9d8cef684ff759df6aeced5f7094d9643ff43547f43c

SHA512
6bb4f1474cc4af76d4e68e61ea9a2ff6e46f5f695ecdf7eb780583c004b5c12276d3ba1570075093b9dac96e50ce24a05acb858a370c1314ccfb2ccd82c630de

Download Submit

Analysis

Sharing