77756d8673f5d531c219f369e3954bb2302daf5f53bea49bf1125fe2baa3ece7

General

Target

1718b8db4272c116d9feb3d713d7f97d_JaffaCakes118.exe
Size

15KB
MD5

1718b8db4272c116d9feb3d713d7f97d
SHA1

fa42b37092efb003200aa397e6caea34530f38aa
SHA256

77756d8673f5d531c219f369e3954bb2302daf5f53bea49bf1125fe2baa3ece7
SHA512

67727d9dceae5eeb0e7b8c1a2a9155467a3a578887c4559a52af498bcc9ccbbdb8827100042e25751ddcd4de501d3843d5f3e7124213c6e2891ca76b50c7d5b5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvAzG:hDXWipuE+K3/SSHgxm4q

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMCE67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	1718b8db4272c116d9feb3d713d7f97d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM6F54.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMC813.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM1F2B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM7664.exe

Executes dropped EXE 6 IoCs

pid	Process
224	DEM6F54.exe
3992	DEMC813.exe
3960	DEM1F2B.exe
4752	DEM7664.exe
1612	DEMCE67.exe
2844	DEM25FD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 224	2972	1718b8db4272c116d9feb3d713d7f97d_JaffaCakes118.exe	96
PID 2972 wrote to memory of 224	2972	1718b8db4272c116d9feb3d713d7f97d_JaffaCakes118.exe	96
PID 2972 wrote to memory of 224	2972	1718b8db4272c116d9feb3d713d7f97d_JaffaCakes118.exe	96
PID 224 wrote to memory of 3992	224	DEM6F54.exe	99
PID 224 wrote to memory of 3992	224	DEM6F54.exe	99
PID 224 wrote to memory of 3992	224	DEM6F54.exe	99
PID 3992 wrote to memory of 3960	3992	DEMC813.exe	101
PID 3992 wrote to memory of 3960	3992	DEMC813.exe	101
PID 3992 wrote to memory of 3960	3992	DEMC813.exe	101
PID 3960 wrote to memory of 4752	3960	DEM1F2B.exe	103
PID 3960 wrote to memory of 4752	3960	DEM1F2B.exe	103
PID 3960 wrote to memory of 4752	3960	DEM1F2B.exe	103
PID 4752 wrote to memory of 1612	4752	DEM7664.exe	105
PID 4752 wrote to memory of 1612	4752	DEM7664.exe	105
PID 4752 wrote to memory of 1612	4752	DEM7664.exe	105
PID 1612 wrote to memory of 2844	1612	DEMCE67.exe	107
PID 1612 wrote to memory of 2844	1612	DEMCE67.exe	107
PID 1612 wrote to memory of 2844	1612	DEMCE67.exe	107

C:\Users\Admin\AppData\Local\Temp\1718b8db4272c116d9feb3d713d7f97d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1718b8db4272c116d9feb3d713d7f97d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\DEM6F54.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6F54.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\DEMC813.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC813.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Users\Admin\AppData\Local\Temp\DEM1F2B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1F2B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Users\Admin\AppData\Local\Temp\DEM7664.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7664.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4752
      - C:\Users\Admin\AppData\Local\Temp\DEMCE67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCE67.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\DEM25FD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM25FD.exe"
        7⤵
        Executes dropped EXE
        
        PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1F2B.exe

Filesize
15KB

MD5
2c4c43f0de0c1a3d03ec48b8c7af64c0

SHA1
d4fe3bd621a2c7428a0df9943bb67bf4a5359206

SHA256
673f15cb934debf6c2dbf8a00003a7b9f46532bae96bf7f9d3902a1bd959655b

SHA512
229e092c50040b9886895932816dadbb673ed65492aa3c1c8b7a69f5f3a33b8192058dfb90bade9c990f03f0c380f4a73440ada9741a9ed27ec420f4bd3a8f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM25FD.exe

Filesize
15KB

MD5
666a6eba66543d0f8e0a3929c9f44a03

SHA1
8a3fa099168663761a5ad603f1041db1be15e8dd

SHA256
a7626f34019af8df5692cda881de741f3d70d38c31994621c78fca1812e48c3f

SHA512
ccacf215dd7ecf46cf84ee3b53d6f62bf69efd8fc0fee5e40a79123ee1dac14e4599b54afdc7a2774b0d71320e2685f394d07e7472cc2dbde2f68cbd29409886

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6F54.exe

Filesize
15KB

MD5
6f4797e6af458f0149338dfb72127ce9

SHA1
6b43df3680633bdd2acacf13db9724dc620b1ba6

SHA256
439b1128d727ee69d4ca3cf9f6cc5c003ced73749b0cd2799e05e4c81d894682

SHA512
8faa1da6d40cf71bf2e93804f6ddc4d8220c67fa94f94520b3fb3564c99d09c59ff7fd09496456be69cd73b14e879f03282fbcd6ddd346b58287c0f5b54ba40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7664.exe

Filesize
15KB

MD5
1881c383d4bb29402067500d70700b15

SHA1
fbfbc05f08ae68edb8e53ec5676cd6ec98684805

SHA256
253efa98cd57a1140e4b344495bd30941c6d625143cf1d6eb0047cc5abcda14b

SHA512
ff27498d6c9aeaf56b13362562838e90e42d6b272d7fe7984ee99e270091c072be317a43bc24c458a070875ef0bd5c4847d22f3460af1bf8ba7935bdce80f03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC813.exe

Filesize
15KB

MD5
ab8416956bb45ce69833b33dcc784c7a

SHA1
ebdb07420f6f90e23e34435d6056292aea111cd7

SHA256
56990e9e4be0271dda739c445ebbe78a7b3b61be60e272c5a61f59eb0082e3cc

SHA512
e1d040b8baa964215ced7767850591284954c4bb5390aa5580f36fc71c151a63edd30691a599eda707375891c6ddaaf91e58367b7458df08f145b41bac15ee8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCE67.exe

Filesize
15KB

MD5
faa17954ed17aeb12aecf776b4912836

SHA1
5dbd977df0e0bd8728279f12415eaed786e2c8f9

SHA256
f60f1259ddace62f43b24c4ff371636158485e1cb8483ce5afee4300b05b6a29

SHA512
7aac7c6905fc44fe6855180a6c26c4248c7b011e3758a8307d4ee29d1b2316dcd782f446a8a6613f4432490e04382de868ab28e859dcbec00cb825b9cc3519e4

Download Submit

Analysis

Sharing