362bc615d5bb8b6c3387b35c147c18cbb4f25046af99061b9335a5e25bdf4577

General

Target

0e4c41a998ccab92561ac1858ab836a8_JaffaCakes118.exe
Size

14KB
MD5

0e4c41a998ccab92561ac1858ab836a8
SHA1

07e0d1777a1d689af330680484c6e4134a418f2d
SHA256

362bc615d5bb8b6c3387b35c147c18cbb4f25046af99061b9335a5e25bdf4577
SHA512

1fc68a3069c46b8e8d6f3d111e020852a6446c34702ece855b145f7d590c82ad75ade6dd82b408f3d25353c41a56e827563ee2b8fca6cbfb19f56c2d53395068
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhhiP:hDXWipuE+K3/SSHgxLiP

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM3F99.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM9616.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEMEBF6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM4244.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM9853.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	0e4c41a998ccab92561ac1858ab836a8_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3972	DEM3F99.exe
1632	DEM9616.exe
1732	DEMEBF6.exe
3652	DEM4244.exe
2024	DEM9853.exe
4280	DEMEE91.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 3972	4084	0e4c41a998ccab92561ac1858ab836a8_JaffaCakes118.exe	97
PID 4084 wrote to memory of 3972	4084	0e4c41a998ccab92561ac1858ab836a8_JaffaCakes118.exe	97
PID 4084 wrote to memory of 3972	4084	0e4c41a998ccab92561ac1858ab836a8_JaffaCakes118.exe	97
PID 3972 wrote to memory of 1632	3972	DEM3F99.exe	100
PID 3972 wrote to memory of 1632	3972	DEM3F99.exe	100
PID 3972 wrote to memory of 1632	3972	DEM3F99.exe	100
PID 1632 wrote to memory of 1732	1632	DEM9616.exe	102
PID 1632 wrote to memory of 1732	1632	DEM9616.exe	102
PID 1632 wrote to memory of 1732	1632	DEM9616.exe	102
PID 1732 wrote to memory of 3652	1732	DEMEBF6.exe	104
PID 1732 wrote to memory of 3652	1732	DEMEBF6.exe	104
PID 1732 wrote to memory of 3652	1732	DEMEBF6.exe	104
PID 3652 wrote to memory of 2024	3652	DEM4244.exe	106
PID 3652 wrote to memory of 2024	3652	DEM4244.exe	106
PID 3652 wrote to memory of 2024	3652	DEM4244.exe	106
PID 2024 wrote to memory of 4280	2024	DEM9853.exe	108
PID 2024 wrote to memory of 4280	2024	DEM9853.exe	108
PID 2024 wrote to memory of 4280	2024	DEM9853.exe	108

C:\Users\Admin\AppData\Local\Temp\0e4c41a998ccab92561ac1858ab836a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e4c41a998ccab92561ac1858ab836a8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Users\Admin\AppData\Local\Temp\DEM3F99.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3F99.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Users\Admin\AppData\Local\Temp\DEM9616.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9616.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\DEMEBF6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEBF6.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Users\Admin\AppData\Local\Temp\DEM4244.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4244.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3652
      - C:\Users\Admin\AppData\Local\Temp\DEM9853.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9853.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\DEMEE91.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEE91.exe"
        7⤵
        Executes dropped EXE
        
        PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3F99.exe

Filesize
14KB

MD5
4246ee2229a3cad423c0e21eb81717da

SHA1
66e68de2cf60c590d0b72a481d7ed3d2cedfdbe2

SHA256
59544919711d9b1f16c1edf656d93db2c187ca5936bade1563bef20cc37e4e83

SHA512
f7473bd4172621289af4055fb2b9f22c81f879a5ac37941ecc44e230ef4a61a54643a3a6fe4e6841a33691e9360062f0c2ab74ab848d8a6acfc60263c78bfe6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4244.exe

Filesize
14KB

MD5
31e6b4b4c0cdb6645d09586f0917288f

SHA1
41079098df7ee2944b6c8d08ded4afb901eed7e9

SHA256
dc8c5710a5b6b831c0024ae4d7c4ef6348b177efcb3ad5bd3fca6de0d8159815

SHA512
5e075f0f2079e5bb5b6962c2f2018b9309dbd5e83e03b0dedfc830e5f1bc9031777f6ee1c4abcfa533270f7b8961e2b2bdcded758d54e23f90d2d09e3a4b548c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9616.exe

Filesize
14KB

MD5
bae0e6611cb6e8ea7ecf6e25de59b8ca

SHA1
3b6b2d544801f199b74d067f8e1b8b1424909c67

SHA256
53f68ff4bfc65c833409a66a4463c66db71c77c2ad23799b8eceab39b29ee4a4

SHA512
1845bd9fcf4cb08c0c8bd7ea3526b1b4cbb7d5400f06734f6c9e75834b1a88d7d4aee8e8c4b24011238f43ed632ae4c31af1357414de2d2f8bc04c40995f9462

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9853.exe

Filesize
14KB

MD5
e7c4c0d740b45968bdca5bc62f7243f6

SHA1
66a449344e91efff45d17bf957211dedd2ab1248

SHA256
601c9408f4100259b4d8818379b0894f8e9f57a910172a2b87fd1a6fc4383b43

SHA512
48fb75b1ea07a866263d5a6d37a51afd2147fa08e535bbbab946c6c1a79fb0f8d81998f76db43f95e2433521aa5549850ce8c94605d89a794c2b7c7d31e0cfc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEBF6.exe

Filesize
14KB

MD5
16f27504772d0796b5c07d6e4e4b8e13

SHA1
3ea793b190c9e4857b1e444d085032db27ad1ec5

SHA256
0919d7c1ee2387a1d8fba1208a374fb518a34c02f619ecef8aaf48c7b5bd8312

SHA512
3e41f760fbc75fcd546c84f73ea362d2734cc7741fe1edf0a0ddb489b4a6d556eec298284720aee153a4257cad745529b8b4ce379506ce00e3cdad590adddf95

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEE91.exe

Filesize
14KB

MD5
9a5b367e50416bd85fa6209866814286

SHA1
e9f6ba0d6f964a40037ef7f5b764251d4c1c17a0

SHA256
bcb9e431a41f75b357175485dd21e3abfb88b39a17a57cfcf55858449c089e34

SHA512
2b01ec02fe832a116a93054c691d60c2f18ee88d3d3296a8ea50ef11e49eb4fafc432a668944736c3b0dcf1cd95e0708adc3c5e259f7eef1e7f6f5a19bd9aac8

Download Submit

Analysis

Sharing