434f722ffdf743a797daafdf030583ea0ecba8ef0c00a3b1919de069b09e31bb

General

Target

0b3e5b5e936df11e5d3626151c19ebe8_JaffaCakes118.exe
Size

16KB
MD5

0b3e5b5e936df11e5d3626151c19ebe8
SHA1

0622f11bc61e1e1400a91f7cdd51a22c78b20fb2
SHA256

434f722ffdf743a797daafdf030583ea0ecba8ef0c00a3b1919de069b09e31bb
SHA512

d21a45ee4897f69aee3d7aa8d7f763d8a8fe4c4f7c0fb1ef28da029d555fcd6ad5abdcaa1e7e9d7f07729eda97caafd0195eca35d0e471350e5e9615a0b65433
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZll:hDXWipuE+K3/SSHgx3ll

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM3582.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM8D76.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEME48F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	0b3e5b5e936df11e5d3626151c19ebe8_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM83C6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMDD6F.exe

Executes dropped EXE 6 IoCs

pid	Process
3784	DEM83C6.exe
2764	DEMDD6F.exe
4572	DEM3582.exe
380	DEM8D76.exe
2980	DEME48F.exe
4796	DEM3B98.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 3784	1976	0b3e5b5e936df11e5d3626151c19ebe8_JaffaCakes118.exe	98
PID 1976 wrote to memory of 3784	1976	0b3e5b5e936df11e5d3626151c19ebe8_JaffaCakes118.exe	98
PID 1976 wrote to memory of 3784	1976	0b3e5b5e936df11e5d3626151c19ebe8_JaffaCakes118.exe	98
PID 3784 wrote to memory of 2764	3784	DEM83C6.exe	100
PID 3784 wrote to memory of 2764	3784	DEM83C6.exe	100
PID 3784 wrote to memory of 2764	3784	DEM83C6.exe	100
PID 2764 wrote to memory of 4572	2764	DEMDD6F.exe	102
PID 2764 wrote to memory of 4572	2764	DEMDD6F.exe	102
PID 2764 wrote to memory of 4572	2764	DEMDD6F.exe	102
PID 4572 wrote to memory of 380	4572	DEM3582.exe	104
PID 4572 wrote to memory of 380	4572	DEM3582.exe	104
PID 4572 wrote to memory of 380	4572	DEM3582.exe	104
PID 380 wrote to memory of 2980	380	DEM8D76.exe	106
PID 380 wrote to memory of 2980	380	DEM8D76.exe	106
PID 380 wrote to memory of 2980	380	DEM8D76.exe	106
PID 2980 wrote to memory of 4796	2980	DEME48F.exe	108
PID 2980 wrote to memory of 4796	2980	DEME48F.exe	108
PID 2980 wrote to memory of 4796	2980	DEME48F.exe	108

C:\Users\Admin\AppData\Local\Temp\0b3e5b5e936df11e5d3626151c19ebe8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b3e5b5e936df11e5d3626151c19ebe8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\DEM83C6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM83C6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Users\Admin\AppData\Local\Temp\DEMDD6F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDD6F.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\DEM3582.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3582.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4572
    - - C:\Users\Admin\AppData\Local\Temp\DEM8D76.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8D76.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:380
      - C:\Users\Admin\AppData\Local\Temp\DEME48F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME48F.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\DEM3B98.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3B98.exe"
        7⤵
        Executes dropped EXE
        
        PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3582.exe

Filesize
16KB

MD5
a459ef6adec5167f05e7d6737e34eff9

SHA1
30fa8a0a2eebe3d81d368e47fb1da57d1836f99e

SHA256
93bdc451cb62ecb2da6c102c124919ac794db33a8a08de5ecf7174625a298e61

SHA512
518b1ebcdc2ebfa98b8a398d116c9fec59f5cddf2c98e7e792a996da6a7edfcdf9b06788dce9509134cd6d0183d1904c0d7b5106ca3771d4aee6e0e79857f863

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3B98.exe

Filesize
16KB

MD5
7b93d7d2e423083844a8c6e59f23a6cb

SHA1
209884aaad46cb8d31057cca579027aa7044071e

SHA256
7701aa058dfa737f77cbf9e3a7aad1a4a9a074cfaa34b654ebf429264947d9e4

SHA512
81ecc5d8e14f1ad5110cf867aba1b6d95b6576e71cc2d051961e19edcb85e2010bc367d130fc2da9cf18e2f8786eb1d10d4044497189c19c09482b6c4d9c437c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM83C6.exe

Filesize
16KB

MD5
5e8d46c29f437f782e4f9039e948c802

SHA1
ea85d948d8940a3997cd9b779e06a1acf4441f8b

SHA256
be91a00600b2e2d3566c66878d8f7b15beb55ec072dd3e7c26ed3d9ed920e2ed

SHA512
c96a3877878902eb029bb3c14c943177a713c359b59731f37dec573b29aa237302fcf4e9ca68f2e7ce0ad51808e628e767f817f6912dedc70d6c940713440d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8D76.exe

Filesize
16KB

MD5
a5e06fff99960b68bbe9333fc70ee60d

SHA1
c5d3060b20e793782384b2302d6512158d89a0ba

SHA256
10656d4eab154ce0255328a1c9836b43d8a633c49fb0b80cab14bea6e6d4ebbf

SHA512
4112503e2dbfff0e4de16123f4832f2b8f8b46595f5a20143a92c21a5c20410fd0e7c0ac98ba034872c1c831ebdeae102a0e2db89173e078f9e6beba49bf4098

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDD6F.exe

Filesize
16KB

MD5
f0056264adb1e4eb5fc347b22505cab1

SHA1
6310c2e531304b4198692c184662d18562fff806

SHA256
414b0a2145aa62c030b8a55e0855aba5bbc35208a187583917b3fe0a1f1f8c00

SHA512
3cb5cf69f9ab94fd6e2bc832a29a383505e58d7e32d73a2b7c41a2d24cc1da82a2fbd7e0337c74bac12f43f7306367c5a53eecd84a62c7daf38fbbb8ff1a064c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME48F.exe

Filesize
16KB

MD5
a4b14d4a10bc83431b7ca1bc0cef0564

SHA1
74f5bd119d79149a5fea0cb4c6e79d55e93b48c1

SHA256
96d21d6fe4adad2dfe28701f366d6193e5a2c9140ac6f84ebda8ccbe1c63f253

SHA512
b1fe5df875bb8234746b7987a3fe30e9e4a912c777e83ab88bac2215e879d1ab1d962d0f0644f5934806cc2e9f23a26db92e08c6db2f09fbdf7329344477aff9

Download Submit

Analysis

Sharing