56697b254e8af68aeb8a6940dfff89088f1e96b43e36bdb062c0fb63f938092a

General

Target

0a845cefe0ae5cb677c9f1b6cce7aa17_JaffaCakes118.exe
Size

14KB
MD5

0a845cefe0ae5cb677c9f1b6cce7aa17
SHA1

4af06678f4e6e2614ecdb78d4b567763911dd6c2
SHA256

56697b254e8af68aeb8a6940dfff89088f1e96b43e36bdb062c0fb63f938092a
SHA512

96460cc081f0f6bdc08c9ff025dde992b9dff91d238ac7a4061d62a0638dc62f26c4409a46d624faf5611ff9804deacaee25c023cfa18af8800ea17e47f092a2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhXc5:hDXWipuE+K3/SSHgxq5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	0a845cefe0ae5cb677c9f1b6cce7aa17_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM4229.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM9858.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEMEE67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM4496.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM9AB4.exe

Executes dropped EXE 6 IoCs

pid	Process
4632	DEM4229.exe
3768	DEM9858.exe
384	DEMEE67.exe
2724	DEM4496.exe
2688	DEM9AB4.exe
3716	DEMF0E3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 4632	2380	0a845cefe0ae5cb677c9f1b6cce7aa17_JaffaCakes118.exe	97
PID 2380 wrote to memory of 4632	2380	0a845cefe0ae5cb677c9f1b6cce7aa17_JaffaCakes118.exe	97
PID 2380 wrote to memory of 4632	2380	0a845cefe0ae5cb677c9f1b6cce7aa17_JaffaCakes118.exe	97
PID 4632 wrote to memory of 3768	4632	DEM4229.exe	100
PID 4632 wrote to memory of 3768	4632	DEM4229.exe	100
PID 4632 wrote to memory of 3768	4632	DEM4229.exe	100
PID 3768 wrote to memory of 384	3768	DEM9858.exe	102
PID 3768 wrote to memory of 384	3768	DEM9858.exe	102
PID 3768 wrote to memory of 384	3768	DEM9858.exe	102
PID 384 wrote to memory of 2724	384	DEMEE67.exe	104
PID 384 wrote to memory of 2724	384	DEMEE67.exe	104
PID 384 wrote to memory of 2724	384	DEMEE67.exe	104
PID 2724 wrote to memory of 2688	2724	DEM4496.exe	106
PID 2724 wrote to memory of 2688	2724	DEM4496.exe	106
PID 2724 wrote to memory of 2688	2724	DEM4496.exe	106
PID 2688 wrote to memory of 3716	2688	DEM9AB4.exe	108
PID 2688 wrote to memory of 3716	2688	DEM9AB4.exe	108
PID 2688 wrote to memory of 3716	2688	DEM9AB4.exe	108

C:\Users\Admin\AppData\Local\Temp\0a845cefe0ae5cb677c9f1b6cce7aa17_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a845cefe0ae5cb677c9f1b6cce7aa17_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\DEM4229.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4229.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Users\Admin\AppData\Local\Temp\DEM9858.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9858.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3768
  - - C:\Users\Admin\AppData\Local\Temp\DEMEE67.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEE67.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\Users\Admin\AppData\Local\Temp\DEM4496.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4496.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Users\Admin\AppData\Local\Temp\DEM9AB4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9AB4.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\DEMF0E3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF0E3.exe"
        7⤵
        Executes dropped EXE
        
        PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4229.exe

Filesize
14KB

MD5
14f941351be7bad9e0ca546b458a1dee

SHA1
38e2fdd9966d3fc7f4971b8fd5ca6f63cfeb8b82

SHA256
670cb2e7e82d3be7b457447b666b9067a9f229cae9107b446bd9f34eb8b7f068

SHA512
40c62189df0ef5e9ec497111f94f46cc81037b8c9415becec6b2a1edf61f5ebbc81fd34c617370d07a38d54e722b422fa4ed46c451c7daa129d0de8d8da3ae04

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4496.exe

Filesize
14KB

MD5
f3a6fe66daaf26ca2ee54aacbe06dc42

SHA1
47a5562fdb9f57ca46d2033bc75f5ddc46728c9f

SHA256
ec2120c84f7c742d053980801d6b3350609ec90ed4f6997282dc4a2110bd1ccf

SHA512
81d4178f937616c8cae3f387a4dc399c848b94421d8c1c83f3d545aff1be880a9f5c1e6e38679dbcb8c2f95fa487bc39b6d746fbbee720a82e49837c042721b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9858.exe

Filesize
14KB

MD5
d525f99c23ad9aa2970025135e27288f

SHA1
520004f929df67a59fc1f417681c77dfc45608de

SHA256
fb3bf9e18a85cba6ab625a66edea18eac20c7ec5a17134c3a2582e1de4b897ab

SHA512
e399c06716182ace3cefa5660beba1a68e94194c0a56e60a977253f272e59576a213008bdae660f9219f87419e257ae9e16b93605abba98b895c8506aae495f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9AB4.exe

Filesize
14KB

MD5
b4ef73dadadbd451efd485c9c76d4a9f

SHA1
31ed500a4dd07cd0f7d7a20f8f502c9212685981

SHA256
61119e643ad3767aad6fc7d07eb1be7df1c1d33dd9f44c6895869c6b5b13607d

SHA512
a43a945aa1d16cd7d03250054e8d7ccf93278f5f24718c79420263a0613ace6509df1a5e3b9a02b64ca0744bedefebd476f3eb183d8406c4964039d5aded5274

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEE67.exe

Filesize
14KB

MD5
eb0ae8d7860d26ad70e544ddeb9d1825

SHA1
3dbde9bb0d4d3e8079e38a45e39332272b28464c

SHA256
82416f18c87e4571d6f55a931d5b89ba22225c65bd0bbc329ad44bee6cb8285e

SHA512
023bdf9f7ae36f76dd583db99d350e3340a4bc3ea37aed3855d4e9863fabbe96213740d0f6a2380559f6e201c7858545f7473b00d6ced9f7e260d7ee6eef2349

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF0E3.exe

Filesize
14KB

MD5
26888fb959c419777003b5bb068fecd5

SHA1
572664b0811b1de84622fc05e7e4f9824fb16849

SHA256
e41f864bc8375f4576c4b41d6f4a8280c4925f8aecaf56282e344041d8ccb1e6

SHA512
15866c759ee1f9231830e1c3f09f2f8993f6170672cc4dc0465b6476afccbfd5aa70a9ce1530d16995de99986bf1e63fc87d79be114abacd1b69fa8310835074

Download Submit

Analysis

Sharing