5ae55a196808bcaf6fbde8c0b65e73397157d6854fa4e024e6d3d78a74917f2c

General

Target

0aa50059e9c5744036c27ee7f4465a3c_JaffaCakes118.exe
Size

20KB
MD5

0aa50059e9c5744036c27ee7f4465a3c
SHA1

d4a1cd00e08bb86dd169215ebcee22a2ad384566
SHA256

5ae55a196808bcaf6fbde8c0b65e73397157d6854fa4e024e6d3d78a74917f2c
SHA512

77c4be036fc7ab2b681febf8674daaf7e570a5f446fc4b2ac4bbaf0c8b6fa487c9dc9fcf674ecf8bdbc75de6ec855b329dd82e2d38da034f63165dd41ed42f3c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L41qr:hDXWipuE+K3/SSHgxmHZ1e

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	0aa50059e9c5744036c27ee7f4465a3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM43CF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM9A2D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEMF05B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM467A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM9C3B.exe

Executes dropped EXE 6 IoCs

pid	Process
3076	DEM43CF.exe
2576	DEM9A2D.exe
460	DEMF05B.exe
2024	DEM467A.exe
3980	DEM9C3B.exe
2952	DEMF20C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 3076	4548	0aa50059e9c5744036c27ee7f4465a3c_JaffaCakes118.exe	98
PID 4548 wrote to memory of 3076	4548	0aa50059e9c5744036c27ee7f4465a3c_JaffaCakes118.exe	98
PID 4548 wrote to memory of 3076	4548	0aa50059e9c5744036c27ee7f4465a3c_JaffaCakes118.exe	98
PID 3076 wrote to memory of 2576	3076	DEM43CF.exe	101
PID 3076 wrote to memory of 2576	3076	DEM43CF.exe	101
PID 3076 wrote to memory of 2576	3076	DEM43CF.exe	101
PID 2576 wrote to memory of 460	2576	DEM9A2D.exe	103
PID 2576 wrote to memory of 460	2576	DEM9A2D.exe	103
PID 2576 wrote to memory of 460	2576	DEM9A2D.exe	103
PID 460 wrote to memory of 2024	460	DEMF05B.exe	105
PID 460 wrote to memory of 2024	460	DEMF05B.exe	105
PID 460 wrote to memory of 2024	460	DEMF05B.exe	105
PID 2024 wrote to memory of 3980	2024	DEM467A.exe	107
PID 2024 wrote to memory of 3980	2024	DEM467A.exe	107
PID 2024 wrote to memory of 3980	2024	DEM467A.exe	107
PID 3980 wrote to memory of 2952	3980	DEM9C3B.exe	109
PID 3980 wrote to memory of 2952	3980	DEM9C3B.exe	109
PID 3980 wrote to memory of 2952	3980	DEM9C3B.exe	109

C:\Users\Admin\AppData\Local\Temp\0aa50059e9c5744036c27ee7f4465a3c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0aa50059e9c5744036c27ee7f4465a3c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Users\Admin\AppData\Local\Temp\DEM43CF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM43CF.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Users\Admin\AppData\Local\Temp\DEM9A2D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9A2D.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\DEMF05B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF05B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:460
    - - C:\Users\Admin\AppData\Local\Temp\DEM467A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM467A.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2024
      - C:\Users\Admin\AppData\Local\Temp\DEM9C3B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9C3B.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\DEMF20C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF20C.exe"
        7⤵
        Executes dropped EXE
        
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM43CF.exe

Filesize
20KB

MD5
70a5b2aa7dbdc81e16a4e2f79549df15

SHA1
196b9fe72093fbede2c1273170b3da4b67c55845

SHA256
d10331238f5cae21d0d7d596c5b1ecd3265857e154b2f09e0fe91b77302b2682

SHA512
3b81483dd1d1e04ac23e1c6fbbee90746ca2af506cafee3e9b87fa4fe82206e44ac9e276fb6869d333094a615add5730db201e5efeb401b3c6e829a9baeab496

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM467A.exe

Filesize
20KB

MD5
87c6d11165a7dced4a5bf8e5d0ac8528

SHA1
a1f3f4ed0aad93218f0cd9cb2bd78a7f57855125

SHA256
f0904f9b5a492c86f021e30918830128fb550d0c826854dd2384c6f14150aff1

SHA512
4e6732e90114adb492bc76e320473be09d457d4173d33de2a6c7a324844e605e59922be39f04e61ba6baccd0a9e3265af68ab3150b353d0bcc687fdda43a353c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9A2D.exe

Filesize
20KB

MD5
99b1de582c7ea8c6d6fa110a8146fe32

SHA1
48998def19ff20f4b6e62fe32ef1d06020620dc8

SHA256
efd2a8d5efba5be02ca862594fa3b48227c07a76b4807a6e84cb96188f39d379

SHA512
ed9b76cbee70891d6ff440dbcb89e764f074a7116cedd364ee24c7d06a02425c15c07965f42540dc819d75a5798ee1b693420197dd06857f1d4c222e01f15fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9C3B.exe

Filesize
20KB

MD5
e5829355afc3163a1c753354b9a16874

SHA1
9ca6a138e93953eb5d3f4fcfd1caa01badd13333

SHA256
1bf8b394fff593967aaa017ae117ccca44cad479638d46c6503e3ef905ce9bf2

SHA512
fa3d1e51d2e16732b263398a2e205734ea932fb65c4c2bc75af9aca91710d6f26707eb9d11238a435247a15901056be7c9f0b790a75c19f72b2285a3e1964551

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF05B.exe

Filesize
20KB

MD5
7699fe9c07752dc5c1d49e4bda4b9374

SHA1
9fcba73847449a5621e1e9f4ee63cc7b7dde087d

SHA256
abe306c8051be31698e2c5d3819daf85d77bc4ea65de44dd22a322880a341d79

SHA512
210979fb98f49ada57a43dd5c1796f2ed598422fe4ff82b6afcdd8195f84864414e3ace78b1dd481b8735f823aaaf27e6f3e4af22d824765bc8b5d54b809eed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF20C.exe

Filesize
20KB

MD5
f02774c865877bcc8e6934ae59622832

SHA1
4b390c04e8a1c85faa43fa15cfc1af03833df339

SHA256
42dd7d7a4b9cb39ca6ff3e8682c2e2c9dca646f68f6a7c0fe002498b19ea2d52

SHA512
fd26565f977558260349f1ca6c1d5b11ea64a9ed1d51245c48a1e9575d2c9af6e0962ac95ca239ae233a7b646fd361b66c149a37fc5c68af1a793ab5920a7e82

Download Submit

Analysis

Sharing