1193547d3340b7ceef433b720dd96d2ea4b493030a9494626472f3a8958dfee6

General

Target

1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe
Size

15KB
MD5

1691b284f4f743299f55fb45a1430800
SHA1

4ff517a23e180ee9f7e3bd4052258f956ca7e2ca
SHA256

1193547d3340b7ceef433b720dd96d2ea4b493030a9494626472f3a8958dfee6
SHA512

75e0879d77e09cdcd086a0b9a0af2e6f692f402074eeb0893d428f3a6a2bbeccc0df16dac0ca533b8eda3b27ad6172f1665b2c4adaa8d3ede5d70a77893f2c37
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvcPay8K:hDXWipuE+K3/SSHgxmkClK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM371D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM8D8A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEME36B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM3989.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM8F89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
624	DEM371D.exe
4868	DEM8D8A.exe
1536	DEME36B.exe
3784	DEM3989.exe
4320	DEM8F89.exe
1964	DEME5A8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 624	3900	1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe	97
PID 3900 wrote to memory of 624	3900	1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe	97
PID 3900 wrote to memory of 624	3900	1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe	97
PID 624 wrote to memory of 4868	624	DEM371D.exe	100
PID 624 wrote to memory of 4868	624	DEM371D.exe	100
PID 624 wrote to memory of 4868	624	DEM371D.exe	100
PID 4868 wrote to memory of 1536	4868	DEM8D8A.exe	102
PID 4868 wrote to memory of 1536	4868	DEM8D8A.exe	102
PID 4868 wrote to memory of 1536	4868	DEM8D8A.exe	102
PID 1536 wrote to memory of 3784	1536	DEME36B.exe	104
PID 1536 wrote to memory of 3784	1536	DEME36B.exe	104
PID 1536 wrote to memory of 3784	1536	DEME36B.exe	104
PID 3784 wrote to memory of 4320	3784	DEM3989.exe	106
PID 3784 wrote to memory of 4320	3784	DEM3989.exe	106
PID 3784 wrote to memory of 4320	3784	DEM3989.exe	106
PID 4320 wrote to memory of 1964	4320	DEM8F89.exe	108
PID 4320 wrote to memory of 1964	4320	DEM8F89.exe	108
PID 4320 wrote to memory of 1964	4320	DEM8F89.exe	108

C:\Users\Admin\AppData\Local\Temp\1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Users\Admin\AppData\Local\Temp\DEM371D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM371D.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Users\Admin\AppData\Local\Temp\DEM8D8A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8D8A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Users\Admin\AppData\Local\Temp\DEME36B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME36B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Users\Admin\AppData\Local\Temp\DEM3989.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3989.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3784
      - C:\Users\Admin\AppData\Local\Temp\DEM8F89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8F89.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\DEME5A8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME5A8.exe"
        7⤵
        Executes dropped EXE
        
        PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM371D.exe

Filesize
15KB

MD5
73f2a45c73c9d3b473719856cc2d5731

SHA1
b3008d8ee91c3b0e23e317bdf1905c3682e772ca

SHA256
535ea657232cbdb7082619c847401e7feb0d7b861a198c81cdb5bbf81cc961ed

SHA512
7cccebebce59d0bc60ef80051135d9b6b8819d2b1fb673cd068726dfe626c31c87391b02c17c99bab2887dc6390e665279298086cff795bb80ae56cd49e07bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3989.exe

Filesize
15KB

MD5
4bb75be2f8f2c3633d573fd9314facf3

SHA1
0a8487943dd01727fdc938b93aeb4cad6db32992

SHA256
7dd6388bca08a3ba26d8c599d940e7358b19fbbad53f5bf6cd3ea2fd4f9f5ec8

SHA512
55c653d012e489f933094759907c994182bcc62c73be5d5f20c6be62fa844e598f5ea19534da209be544282a088c73d44d94e2d983bb75ee0179971d946af887

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8D8A.exe

Filesize
15KB

MD5
8c4c89157cf524fc3b65a182a6716829

SHA1
f66692365f70dda8f0ddedc681750bac84300934

SHA256
3e0a6769b0b7e090f2412e75ef655c977749175b58c0d55efa1e886e316954d8

SHA512
bc6fabe334061de5694246252caac7a00d95ee7666c6f85f2fa3642f2602a0a65d12dbaab9b9a4d9967e58ca31b42c1dc416a84e56818b064af1a1bddc25b0bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8F89.exe

Filesize
15KB

MD5
7dae0426a4fbc0cf9528b1f875f03650

SHA1
a82ae500d90acf44ab521cf1ed7191b3ec2f2b08

SHA256
aa6eb74abcc0a5a8ac5876c448e8206f33e93f906c88bd576e3d73283664fe28

SHA512
2ec7860b91ea35976835ad72cf1eca0cbe9cb30b1a3dc2a689f9f83a0c802a4ec0b425973d23009eca04415b2f05f25ce62944aebe5a9509f7b80ce7160264c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME36B.exe

Filesize
15KB

MD5
bcb5b3937331b1a7e1c249e28d65737e

SHA1
bbee3138ec243bca584767cf496ff2484e6e3c51

SHA256
4b321816ba5bfc5b139cbe334067c38bb4fb7665f84ed524ca963c5d9e272a57

SHA512
c82a5ce2e004c59269e8d5c20517881c165e564f187bec82a77df3a4ff362e1cb5eed40ddfe4b14ab6e103c637c10c2e15d4c6b9c0823d380ce6a845332f8f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME5A8.exe

Filesize
15KB

MD5
a7ffbdd3dcb0dafb5b6893bc9da45e4f

SHA1
2f315379c8e103da6b73210bdd836d825ae097eb

SHA256
936af202c73f6e73e0e82540796b3a528f5a000e08aca3ad3fff4843e81558b5

SHA512
6a2c6f1bb70ca42d826f36107c733f82ff54a6c701e516e2565c8af8ee6ab14ea649bd0de62986df4cf66bfb635dcb75180f3c5966767762df951e10cfa32564

Download Submit

Analysis

Sharing