5433923231b71ac9066ca601bbf2737e52f335b3d0fe7866afd37b90d5da398f

General

Target

0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe
Size

15KB
MD5

0bed5566318e9c699bfef7d0a1ff0de9
SHA1

c33becbe980b8822c26e21311a217673fd25f420
SHA256

5433923231b71ac9066ca601bbf2737e52f335b3d0fe7866afd37b90d5da398f
SHA512

5b4fa781ba238d63fe04b678b1d4b748cf3dba03ac858fdf84bf63c56f7d04b74d07ce07f2daf53bb09e0e31aa8e8e81ab776b2b06e021e7b19beed5c4b24654
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4lCKn97:hDXWipuE+K3/SSHgxmqN

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM30F3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM8770.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEMDD6F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM3321.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM88F2.exe

Executes dropped EXE 6 IoCs

pid	Process
4900	DEM30F3.exe
3340	DEM8770.exe
4504	DEMDD6F.exe
2104	DEM3321.exe
4004	DEM88F2.exe
4008	DEMDEF1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 4900	1864	0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe	98
PID 1864 wrote to memory of 4900	1864	0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe	98
PID 1864 wrote to memory of 4900	1864	0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe	98
PID 4900 wrote to memory of 3340	4900	DEM30F3.exe	101
PID 4900 wrote to memory of 3340	4900	DEM30F3.exe	101
PID 4900 wrote to memory of 3340	4900	DEM30F3.exe	101
PID 3340 wrote to memory of 4504	3340	DEM8770.exe	103
PID 3340 wrote to memory of 4504	3340	DEM8770.exe	103
PID 3340 wrote to memory of 4504	3340	DEM8770.exe	103
PID 4504 wrote to memory of 2104	4504	DEMDD6F.exe	105
PID 4504 wrote to memory of 2104	4504	DEMDD6F.exe	105
PID 4504 wrote to memory of 2104	4504	DEMDD6F.exe	105
PID 2104 wrote to memory of 4004	2104	DEM3321.exe	107
PID 2104 wrote to memory of 4004	2104	DEM3321.exe	107
PID 2104 wrote to memory of 4004	2104	DEM3321.exe	107
PID 4004 wrote to memory of 4008	4004	DEM88F2.exe	109
PID 4004 wrote to memory of 4008	4004	DEM88F2.exe	109
PID 4004 wrote to memory of 4008	4004	DEM88F2.exe	109

C:\Users\Admin\AppData\Local\Temp\0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Local\Temp\DEM30F3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM30F3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Users\Admin\AppData\Local\Temp\DEM8770.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8770.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\DEMDD6F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDD6F.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4504
    - - C:\Users\Admin\AppData\Local\Temp\DEM3321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3321.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2104
      - C:\Users\Admin\AppData\Local\Temp\DEM88F2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM88F2.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\DEMDEF1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDEF1.exe"
        7⤵
        Executes dropped EXE
        
        PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM30F3.exe

Filesize
15KB

MD5
b31611d780440572f018472db2ed90c1

SHA1
9e5a22fed1404cb64519c1aee173b17bc87e9373

SHA256
e51185c0df8e11f43286c94f01b7ddb2fd280385f31918533d163a550acd4119

SHA512
0214748cbe118a88c249165f1fe4a440e0ba30680abfcd287a8da0e88416a8a520ea80a849f48182180bf430d7a8ef1f8a6eb65cc862ba528d7d237192509f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3321.exe

Filesize
15KB

MD5
e25111b23e35bb8676e45703aacc9a5e

SHA1
f77f7b3f21c5b5db156987571ed303665c872989

SHA256
ebfebbc99b7c984ced16268faba87aaab24b00d073a477c4a4be856286bae0ea

SHA512
95e652f08c0a05d30952a8a8ab16c04a3dd7ae8cb4c0881c3826952a3d8adc3962636479229620881210b00fc155b10681c3f0f3ba6253f563c785835dd6a3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8770.exe

Filesize
15KB

MD5
51c85df738df02be8c14e36ff4990cb8

SHA1
d4446aed7b984696843821d30ec971d5353fd7e9

SHA256
28afe9d661cd21358afdba16fc28e61be2bd2388e175e35f89a9e70157761ef0

SHA512
a3fcb075728ac3f9976e2b30325625cce8f739782e51fefd94bd5254b1bae3f19befb100f4a705c519a1529ea8365b610ed544242e90da395461d0a257040af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM88F2.exe

Filesize
15KB

MD5
1a58b3e7481f0e18bb9cde2ccaf63334

SHA1
80a8ff0d527c24c9459fa3d767f713128944e712

SHA256
d7b27042d94645dedbf5285a11774e271f3b9a104f1345d115e6bfb9e355cb61

SHA512
d5cba86d73d43af0a77f57d55e039ede21eae151f75fcbaf14a39b88baa7cb675e7f5d921fb8820d941f4800fef7954a23f45a6dd78f939e243dbb910daa556d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDD6F.exe

Filesize
15KB

MD5
79f685a87b9c8ca5db3f95c4d1bc793a

SHA1
4745cd3ed28d2bd010301ffb19b27884b9a2d942

SHA256
9cb6d3b2d836ba72b0743735efe6f12df292266529677222d59ee9420352eafe

SHA512
526ebd6b72bc7dfb0b7d7ca88d8f721ab9e8beb7679ac15fb1797492b3a350887a7bdc9c8f6787a5e8e0f16a862c5da8acd26cdf28b63f432000dd0e508397ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDEF1.exe

Filesize
15KB

MD5
1966a4a28f1620ca57e52c6361e08c2f

SHA1
6c89c37d8bd3ea53e719c44ed7c8832c4a6ecf7f

SHA256
40df16ba30fe533030777b49ecf9f1b7e8faeaab20e7f005fefff1c88ab591e2

SHA512
2d06cee7e3d4ccf4cd0630ecc73c809c1e73c874e341e532b2ecd0a276d6d62d988c3ffccad801f0377b00ecf1d925d9366f93128cdede3d0d3b65d3285099da

Download Submit

Analysis

Sharing