f42b4f419e10cb6eb5fcac6dbeb718fc578e097840e1dcec7870c8c40c3dbeca

General

Target

19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe
Size

15KB
MD5

19b4c2c33fe685ae8d5f5d3be7d4b2a5
SHA1

a578431f8271239a44b588320ddd572bf7900899
SHA256

f42b4f419e10cb6eb5fcac6dbeb718fc578e097840e1dcec7870c8c40c3dbeca
SHA512

3f71789414eb8cfc00ac1b42710162d826128a6d9c5a4867f7078771269e0638713febf0084ab4cc9bd95cce502fc9d32bfbf5f9dea0fc342b3291e948940e63
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8unV:hDXWipuE+K3/SSHgxm8y

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMD55C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM7501.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMCE0E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM2611.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM7D97.exe

Executes dropped EXE 6 IoCs

pid	Process
3176	DEM7501.exe
2268	DEMCE0E.exe
1348	DEM2611.exe
4836	DEM7D97.exe
4292	DEMD55C.exe
3664	DEM2F53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 3176	1884	19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe	96
PID 1884 wrote to memory of 3176	1884	19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe	96
PID 1884 wrote to memory of 3176	1884	19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe	96
PID 3176 wrote to memory of 2268	3176	DEM7501.exe	99
PID 3176 wrote to memory of 2268	3176	DEM7501.exe	99
PID 3176 wrote to memory of 2268	3176	DEM7501.exe	99
PID 2268 wrote to memory of 1348	2268	DEMCE0E.exe	101
PID 2268 wrote to memory of 1348	2268	DEMCE0E.exe	101
PID 2268 wrote to memory of 1348	2268	DEMCE0E.exe	101
PID 1348 wrote to memory of 4836	1348	DEM2611.exe	103
PID 1348 wrote to memory of 4836	1348	DEM2611.exe	103
PID 1348 wrote to memory of 4836	1348	DEM2611.exe	103
PID 4836 wrote to memory of 4292	4836	DEM7D97.exe	105
PID 4836 wrote to memory of 4292	4836	DEM7D97.exe	105
PID 4836 wrote to memory of 4292	4836	DEM7D97.exe	105
PID 4292 wrote to memory of 3664	4292	DEMD55C.exe	107
PID 4292 wrote to memory of 3664	4292	DEMD55C.exe	107
PID 4292 wrote to memory of 3664	4292	DEMD55C.exe	107

C:\Users\Admin\AppData\Local\Temp\19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19b4c2c33fe685ae8d5f5d3be7d4b2a5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\DEM7501.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7501.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Users\Admin\AppData\Local\Temp\DEMCE0E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCE0E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\DEM2611.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2611.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1348
    - - C:\Users\Admin\AppData\Local\Temp\DEM7D97.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7D97.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4836
      - C:\Users\Admin\AppData\Local\Temp\DEMD55C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD55C.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\DEM2F53.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2F53.exe"
        7⤵
        Executes dropped EXE
        
        PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2611.exe

Filesize
15KB

MD5
3759cbdd0da6792866eca002e557b9d3

SHA1
94ce82e4cbd5e909b38f83710df996c1201cb312

SHA256
ef8ef52eb6935020ff1e912914ef9a5ad5f27d3f969c17e055ee777b697dae92

SHA512
1bf2e435864cf2e8d71a8698d8f64c0f1ca536d97b60490c4fa5151c3aa94274cc63e7988e8536120fd0afbcffffce6a0f9c72b822450ddc766d0bccad53ba8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2F53.exe

Filesize
15KB

MD5
f610acb9f031530a9ff85c085a93098b

SHA1
eea35a525cb3d7fac2c13d08fe3f9b544c1ae1d1

SHA256
f44608fe63e5552f3fcf467a3b3083782934640d05da05a803cd2bb4d164883c

SHA512
3a86c43c53d0c4c841774248caf9bf15ee8b1fece8c71b1c880eb5fd90fe76d473144c06e49e9fd9b61b1322f43be97b7ead8c0a72a46e64195da3fa550bba1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7501.exe

Filesize
15KB

MD5
ada4f2b543f8173742496075dcfea1ca

SHA1
38b737c12105588982624ab0ad8474db88e54f63

SHA256
ed75675da565c40b59e4e036b4a10bee0a573fd11ce599378e445f598c30a9d4

SHA512
ee81d301aab5f1a4394d158f87e8dd5f40a97357626102f3b7f6e04a372c2dab5cc5c59f001a58508104d5e501cd0495bf42d096bdb1331d770ad9fa87deeae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7D97.exe

Filesize
15KB

MD5
39e31a1a57eaa191f656f15ea66b1d64

SHA1
13d6930a68de7d2c68f17e519846fda1b677f47d

SHA256
de5fa97ba79b9aaf1df3f7fcb1996b25531ef4ae8f8f07859f83449d568341be

SHA512
d0b3d0b7563408f19b40753c1978b200bc572eb28acfd52f8771b2d5aaaf46865f9754d7573a1aa4125a5ad0756c262ffcdd9e103e4baa1b65a8b37d08ad7fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCE0E.exe

Filesize
15KB

MD5
ab5fc3e6679ddf5a099d4673688ef647

SHA1
588d39faa8a500d4870868634ab98436d86ac228

SHA256
cd56c54ee76c36d76e41bbda9b7e6083ba74f1fbe4b9ef952c9a633fa9b20fa8

SHA512
6d83014b9793d40e9967d6cbc6862f1e0474e7b9b526503e395b9e522eb9310bb9b5ed0d04db52b69d0023694bad6d7b3f891993da946d828be74e1bcb35a004

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD55C.exe

Filesize
15KB

MD5
2d22ab12f09860838bd92330ee814ede

SHA1
f741bf0e11a33865ac00ee9762b493a1dc4c36f5

SHA256
6e6c6f7d93205c579daf1e86f9d60680f67b1edcbfd6388a8ef6d15901cdc4f8

SHA512
3bc41c7e80ee0def369070f28fed62b1789e88f2a105db893d82c07c84a170510abe5463f00ed4fd061e1cda04b1155d4bc2aee5e61529aa4ba8b29d468dc184

Download Submit

Analysis

Sharing