82bf3976864813303f88c6ed14030e7be1d45d09e094aadc848444840101415d

General

Target

0ebc1f6e5b304686946b4ec4716d4a9c_JaffaCakes118.exe
Size

15KB
MD5

0ebc1f6e5b304686946b4ec4716d4a9c
SHA1

c8b37c6a9a8c4adf8a2e7a2643fdd247dc3a924c
SHA256

82bf3976864813303f88c6ed14030e7be1d45d09e094aadc848444840101415d
SHA512

1625d2948920acd10b28a1258ca3d17afb19fe12e5f1a78b6e950ade3ccb699540d5311acafe0abf19797723f3d86a257b16eb7f33d98a2df4487b02b9c33278
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJSmW:hDXWipuE+K3/SSHgxXW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM28FF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM80A5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMD82B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	0ebc1f6e5b304686946b4ec4716d4a9c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM785C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMD13A.exe

Executes dropped EXE 6 IoCs

pid	Process
396	DEM785C.exe
4720	DEMD13A.exe
2264	DEM28FF.exe
3416	DEM80A5.exe
1792	DEMD82B.exe
4536	DEM2FFF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 396	3308	0ebc1f6e5b304686946b4ec4716d4a9c_JaffaCakes118.exe	98
PID 3308 wrote to memory of 396	3308	0ebc1f6e5b304686946b4ec4716d4a9c_JaffaCakes118.exe	98
PID 3308 wrote to memory of 396	3308	0ebc1f6e5b304686946b4ec4716d4a9c_JaffaCakes118.exe	98
PID 396 wrote to memory of 4720	396	DEM785C.exe	100
PID 396 wrote to memory of 4720	396	DEM785C.exe	100
PID 396 wrote to memory of 4720	396	DEM785C.exe	100
PID 4720 wrote to memory of 2264	4720	DEMD13A.exe	102
PID 4720 wrote to memory of 2264	4720	DEMD13A.exe	102
PID 4720 wrote to memory of 2264	4720	DEMD13A.exe	102
PID 2264 wrote to memory of 3416	2264	DEM28FF.exe	104
PID 2264 wrote to memory of 3416	2264	DEM28FF.exe	104
PID 2264 wrote to memory of 3416	2264	DEM28FF.exe	104
PID 3416 wrote to memory of 1792	3416	DEM80A5.exe	106
PID 3416 wrote to memory of 1792	3416	DEM80A5.exe	106
PID 3416 wrote to memory of 1792	3416	DEM80A5.exe	106
PID 1792 wrote to memory of 4536	1792	DEMD82B.exe	108
PID 1792 wrote to memory of 4536	1792	DEMD82B.exe	108
PID 1792 wrote to memory of 4536	1792	DEMD82B.exe	108

C:\Users\Admin\AppData\Local\Temp\0ebc1f6e5b304686946b4ec4716d4a9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ebc1f6e5b304686946b4ec4716d4a9c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Users\Admin\AppData\Local\Temp\DEM785C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM785C.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Users\Admin\AppData\Local\Temp\DEMD13A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD13A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\DEM28FF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM28FF.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\DEM80A5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM80A5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3416
      - C:\Users\Admin\AppData\Local\Temp\DEMD82B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD82B.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\DEM2FFF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2FFF.exe"
        7⤵
        Executes dropped EXE
        
        PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM28FF.exe

Filesize
15KB

MD5
afa4f8a0ac41c665282f3afd1a93a181

SHA1
0d10f94a78c9d46838637975b0b54f57fb034f3f

SHA256
bc3ddfe587f0954a4b35cdccb3c2c4849ae9c004f1661ce0614e8e1c0c065d01

SHA512
8ef026eb8aeaddf1dab8b911158555e9d78b3f2cc513f8454a8be642d0703f8fba6dee38774639a2d143c0f83ebd4aab599309f68dcc1e57e5b3ece8b70dd4b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2FFF.exe

Filesize
15KB

MD5
ee5cedd064e8fc3c5fd65975365621fd

SHA1
38f7b2ce39e3f0bfa637c004e7c1d7f0b0b07a19

SHA256
1759cc250fe4a957413f05c3752e6718ecba8416af6edfed8e352ab8b2c0146c

SHA512
90e109d7e239ffc0140b6f7fb3c8ed4ae0a54f0d9ab8d36e350e90c8b5f3ebfda85297087787a172946738396a85dc2e160680c6ca959c60628e72bafd3b5bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM785C.exe

Filesize
15KB

MD5
605fb2f1c6eca8cdf5a99a17f1e35846

SHA1
937a8d28988bfde0cf459ad89c260db65d331132

SHA256
5b303f44ffbfc091241ec502337c6c412b544ae88cc27fae5520cd6081b115e9

SHA512
29c240c094e887ab90829600221c43e085eaa01776460762245381aec9bf755b318cbbb4617f1a9f5f04c4443bedc25026871befd5e2ca2674645c09f14f6ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM80A5.exe

Filesize
15KB

MD5
c249ca7f460dce23e0c3e9fe1f86b0c6

SHA1
44628b7c2242ef9d02f598ddfd90154c1a324982

SHA256
5c1154e97f0097b652f3d633f23ef11784231bc077f76ff5ddd2c4dcb84b33c2

SHA512
cee0c61463e1f8587204ac0a89a34adb06b4a66f1c3c403a2936af7f2104153e25db5b27ef3ff5d4cc1e16c848fcf53c2a98f1bee27ae790b91f3dd136073de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD13A.exe

Filesize
15KB

MD5
3143e53edbc6849ed06dd04717ddf88e

SHA1
b25fb1bb51440e2fbf775f33c68c931c7d85aa89

SHA256
7c2a6f894c9f325608e63448c72a94aca4de86ba1f0fe5dc13874d78043d8d18

SHA512
27569020e8d9dedca1c2d3996c7d8f5ac77415fa9d69b7ab760127cb87813219e74748141d0847df91833c3932585bad58bbbdc6ddf03f9ff766554966793ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD82B.exe

Filesize
15KB

MD5
37df9e16feb3197ef0e098ebe70de795

SHA1
b6f7fd676bd9e1665fc871948c6c7abca034d628

SHA256
0cf4d13eb53acbd2f8200399ba14b676ca5f781f889fe24d5ad13dd0923c53e5

SHA512
cb381bef016c20e7dd3a139315a17992df6e6ac2c0d3979c07abb2a4a4aa065828cb6bc29e66f71a0263317b6610c3fe58db1f3078d13f381b6a339307a32cef

Download Submit

Analysis

Sharing