b73f3a562e331041b72b851db697f59ce9c174b34d1269faad97b64718ef87cd

General

Target

09fa6c365ee380e9f68f3cda6af2f388_JaffaCakes118.exe
Size

15KB
MD5

09fa6c365ee380e9f68f3cda6af2f388
SHA1

a422ab3224a2715eefd2bb5e2c649968246c41de
SHA256

b73f3a562e331041b72b851db697f59ce9c174b34d1269faad97b64718ef87cd
SHA512

ce679c5864136b545699093cc0de230e348f276f2a2b23c0b6ed27c84777b86d2309c58c2852e29456c249895cb2b0169c7c654048fa229201bc9b1bf620e54b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyh6Q5:hDXWipuE+K3/SSHgxmyh6w

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM398E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM902A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEME668.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM3C77.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM9296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	09fa6c365ee380e9f68f3cda6af2f388_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3432	DEM398E.exe
3412	DEM902A.exe
2608	DEME668.exe
1356	DEM3C77.exe
3220	DEM9296.exe
2364	DEME8A6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 3432	4320	09fa6c365ee380e9f68f3cda6af2f388_JaffaCakes118.exe	98
PID 4320 wrote to memory of 3432	4320	09fa6c365ee380e9f68f3cda6af2f388_JaffaCakes118.exe	98
PID 4320 wrote to memory of 3432	4320	09fa6c365ee380e9f68f3cda6af2f388_JaffaCakes118.exe	98
PID 3432 wrote to memory of 3412	3432	DEM398E.exe	101
PID 3432 wrote to memory of 3412	3432	DEM398E.exe	101
PID 3432 wrote to memory of 3412	3432	DEM398E.exe	101
PID 3412 wrote to memory of 2608	3412	DEM902A.exe	103
PID 3412 wrote to memory of 2608	3412	DEM902A.exe	103
PID 3412 wrote to memory of 2608	3412	DEM902A.exe	103
PID 2608 wrote to memory of 1356	2608	DEME668.exe	105
PID 2608 wrote to memory of 1356	2608	DEME668.exe	105
PID 2608 wrote to memory of 1356	2608	DEME668.exe	105
PID 1356 wrote to memory of 3220	1356	DEM3C77.exe	107
PID 1356 wrote to memory of 3220	1356	DEM3C77.exe	107
PID 1356 wrote to memory of 3220	1356	DEM3C77.exe	107
PID 3220 wrote to memory of 2364	3220	DEM9296.exe	109
PID 3220 wrote to memory of 2364	3220	DEM9296.exe	109
PID 3220 wrote to memory of 2364	3220	DEM9296.exe	109

C:\Users\Admin\AppData\Local\Temp\09fa6c365ee380e9f68f3cda6af2f388_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09fa6c365ee380e9f68f3cda6af2f388_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Users\Admin\AppData\Local\Temp\DEM398E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM398E.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Users\Admin\AppData\Local\Temp\DEM902A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM902A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Users\Admin\AppData\Local\Temp\DEME668.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME668.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Users\Admin\AppData\Local\Temp\DEM3C77.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3C77.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1356
      - C:\Users\Admin\AppData\Local\Temp\DEM9296.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9296.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\DEME8A6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME8A6.exe"
        7⤵
        Executes dropped EXE
        
        PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM398E.exe

Filesize
15KB

MD5
f27134c83e074e60ce1843991abe5239

SHA1
edee61da896033c50fb240d225617e7ec1053d73

SHA256
a7b1db28b0560a65d521391353e42e730ec39f2a09c7acf28c28b926172981dc

SHA512
3060d5063002e09dad0485d4ee02947f0a986b7cd71bb25cf9d2d455a4b79e40c423110fa77181b543604efbd09c2e58c60d95529409e0aa0d2f1909b60c5cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3C77.exe

Filesize
15KB

MD5
b26dfd02d36fbe8fd4de179f618841b5

SHA1
da7a63501579da615d701f93128a4d8b0c0479ff

SHA256
9233daab8399f476bd070d9fb4f5dd64be6fdf6d807217a7701145937234ad05

SHA512
82c1be9f23c407975763afe1529cab8565e382d4362dc69ca9417aa91746aae0044a2aaa8fdf0b47aadbb81daafc70330c27e293923ba590d6fa19946ed98f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM902A.exe

Filesize
15KB

MD5
d7c62056e2c5eed669246c6492a3021d

SHA1
cdec805f764d3fd2bb6a1af904e0f1c7c90ec9b8

SHA256
dca192df03100ccb965d336afc7014df071278ef72ccbef8d653d62a830473a3

SHA512
1d9fcd2420eb1057e769c7b1dd364e3e93d9609c97766f87b40d7fe82374b99c18f620582e6b3fd07b136ada3f1cd6deaef424a12c64b3e5bda3a92fde5d9672

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9296.exe

Filesize
15KB

MD5
07a9aca97a6286e79f3026c3637bfc35

SHA1
87df95b9b49b1d8caa708c086835f88aa3bfff0b

SHA256
a92fa390f47ca416404e28754388803f34f73fda417b65efc4952f0970c5e341

SHA512
f84a56220c0e23235674f1466e10f3ce815f49a6cf2693794ba9e7cac61992ba478aaaf671225039b00ab2b3f79f901579e80334f1b86caaa97307ddf69b46ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME668.exe

Filesize
15KB

MD5
a2170d2d3459b1e021b770eb2ffdee37

SHA1
5e62754e9649f9cc589e754ff609bbb483e28b1c

SHA256
3d4ecef2f33b8414bab6a11bed1d19b3023cf8fa27a399abdb24707a94800885

SHA512
60b964d1442f46f1bd38b490b031ecad2d3c91248197b14f0e799a5b3fc089839f360816b8737a5b6753c7150401d42ca78d794bd89f7191faf24b372fba100c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME8A6.exe

Filesize
15KB

MD5
89355df309c8f504b611ead61293c011

SHA1
3af6d47c96cd0996dfcb3716465ca0cfa0dba13e

SHA256
0c553fea2889edbdd539632c97a2b7dd993d11e437676a27132402e8701da947

SHA512
2dc246bee32323c3da56d69756031a2ec8858501c62b323f4ad89a7390358f4f22757d9542096f9346cff776e1b729f453a403ede476ae187c1dc58861feb55c

Download Submit

Analysis

Sharing