4e7ab1709f3a8920a2a77ce0c5fc71260933739fc291a6987c73abe344f9f068

General

Target

1c0fa321e025a2d26d01f650ff76356a_JaffaCakes118.exe
Size

16KB
MD5

1c0fa321e025a2d26d01f650ff76356a
SHA1

11539afb6962036483f0fc097cb9d6f00f13781c
SHA256

4e7ab1709f3a8920a2a77ce0c5fc71260933739fc291a6987c73abe344f9f068
SHA512

352b1853c9bec5d4250de4270b2dfdf7784050e755f8b1d730f957f52cd1cdbe7a2e66c32eba7cbfd7ca6f6c89b3fe9fdfa7506cbb1d4528c2b1d20e226fa075
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlk:hDXWipuE+K3/SSHgxmlk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	1c0fa321e025a2d26d01f650ff76356a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM6DBE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMC7C4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM1F4B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM770F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMCEC5.exe

Executes dropped EXE 6 IoCs

pid	Process
216	DEM6DBE.exe
3848	DEMC7C4.exe
4708	DEM1F4B.exe
2136	DEM770F.exe
1996	DEMCEC5.exe
4240	DEM26B8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 216	3984	1c0fa321e025a2d26d01f650ff76356a_JaffaCakes118.exe	97
PID 3984 wrote to memory of 216	3984	1c0fa321e025a2d26d01f650ff76356a_JaffaCakes118.exe	97
PID 3984 wrote to memory of 216	3984	1c0fa321e025a2d26d01f650ff76356a_JaffaCakes118.exe	97
PID 216 wrote to memory of 3848	216	DEM6DBE.exe	100
PID 216 wrote to memory of 3848	216	DEM6DBE.exe	100
PID 216 wrote to memory of 3848	216	DEM6DBE.exe	100
PID 3848 wrote to memory of 4708	3848	DEMC7C4.exe	102
PID 3848 wrote to memory of 4708	3848	DEMC7C4.exe	102
PID 3848 wrote to memory of 4708	3848	DEMC7C4.exe	102
PID 4708 wrote to memory of 2136	4708	DEM1F4B.exe	104
PID 4708 wrote to memory of 2136	4708	DEM1F4B.exe	104
PID 4708 wrote to memory of 2136	4708	DEM1F4B.exe	104
PID 2136 wrote to memory of 1996	2136	DEM770F.exe	106
PID 2136 wrote to memory of 1996	2136	DEM770F.exe	106
PID 2136 wrote to memory of 1996	2136	DEM770F.exe	106
PID 1996 wrote to memory of 4240	1996	DEMCEC5.exe	108
PID 1996 wrote to memory of 4240	1996	DEMCEC5.exe	108
PID 1996 wrote to memory of 4240	1996	DEMCEC5.exe	108

C:\Users\Admin\AppData\Local\Temp\1c0fa321e025a2d26d01f650ff76356a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c0fa321e025a2d26d01f650ff76356a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Users\Admin\AppData\Local\Temp\DEM6DBE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6DBE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\DEMC7C4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC7C4.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3848
  - - C:\Users\Admin\AppData\Local\Temp\DEM1F4B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1F4B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4708
    - - C:\Users\Admin\AppData\Local\Temp\DEM770F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM770F.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2136
      - C:\Users\Admin\AppData\Local\Temp\DEMCEC5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCEC5.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\DEM26B8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM26B8.exe"
        7⤵
        Executes dropped EXE
        
        PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1F4B.exe

Filesize
16KB

MD5
fad8cc12e763221a0e93cc807c7ad477

SHA1
5f77cdd87020100c59b03f0aee5ce203819391af

SHA256
0ae032fa818079887f15674300e1c18b66269ec38c2d3eee01d008e71a33b510

SHA512
aef101012269ed9c7d61e4bcd4a83fd2ba2c95146556a4fad0994fc3d1bf58080f30e547c89779a4b597ce71470a354bc3c777090c4f2bc7116b0d512b81b130

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM26B8.exe

Filesize
16KB

MD5
ec096bffa829bfa54d633a6b2e8a745e

SHA1
614633c3340c0c360c6920256e6dd6ffff794f57

SHA256
814d2bb2180733ba58c78e3a705a2892bbc2e5a57a0a9f0a84292db555efd49c

SHA512
e6040929aeb4e328c59f5035d7935646f5858fa4ef4ffa66d72c1d753420ca2d71fd5f50c5cc2a76e1550557cb094ef91c0ff7cfec6952d8fa7429ec7354bf24

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6DBE.exe

Filesize
16KB

MD5
1f72e0c5d1303a3a52814f3915a473dc

SHA1
305ee70093129c863def3cf1abbe7cee0a26b529

SHA256
1e49b7315a4d7ff3442d9832da4bcb5debf2496fcc52a520d4be31fb51cf30ce

SHA512
81db8ead5df17329b01922c3eae7c27f26d2e6d484bdbfed7e2d9aec142cb7ca66506194c0bbbaa92a26cc9b44fad1c7aec2985eba65cddd777298d8b5b63baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM770F.exe

Filesize
16KB

MD5
ecef34fe386912acf60f2366ebe16ea0

SHA1
cba4ace80ac461aac8a26a1dfe6065e24d4414d1

SHA256
e6fe9af07d7eda86acf83c2991a11b194bf32f36929c8e6077b0f0c6993c8e5e

SHA512
765542bc2f9ec01a1cbe43c7f5ccad41d797d1e572a29e97d19fe2b355a5b59f7cadb3da87209d885a49330288aba0722a3cc574883d112630d5859147d38cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC7C4.exe

Filesize
16KB

MD5
a4daf88ba541216638b0231de44a88bf

SHA1
c7dda19785915f26c6f52fd17d2a47c2b20a4359

SHA256
733a3099aa4d042d0d1f420b429a8d793a5257190c2a7b207a58ff1756a2f150

SHA512
4366417ebcfccd2144ad662324f86a0af920364bb4c6d86a27336837fe8c7f87e26dd24f22c3b973bfeb6bbe0d2be7654700fcea9f204a0fa10ddf2497617f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCEC5.exe

Filesize
16KB

MD5
b0c54176a5f1fdacad9cf80d99601807

SHA1
e976ba05891983e9d60724aa72d108507ef5406e

SHA256
3ec85f25928efd5b5c2fd28e1f8c752832251f010000be1b203492a69292b82a

SHA512
58ebebe37f4d2855bf266966a44b2b572917df223abeaef0c4e25270e92b05722a0507c26aeb31523432a628f533a2c3af35ac9d19adcd5381f01ce10b3b245a

Download Submit

Analysis

Sharing