fdfc903b97cdbfab6a3b152daf75bc2e0124fa1d561bb589505e2be5cc962f43

General

Target

1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe
Size

15KB
MD5

1bc5ac86fe53c6ef51a763c704eb36b6
SHA1

6409c5d206f6851829895c0887e5e85b7433c706
SHA256

fdfc903b97cdbfab6a3b152daf75bc2e0124fa1d561bb589505e2be5cc962f43
SHA512

f8ee14d99f71161e38032e2dbe4e4b55e18bf38d7c1dadb00d5cc61886b0bc054bc9a74b43f5913bdcd8114f37ce6a6cf34039b00321c2ed316c5ac8d7eac377
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4hEuBmSN:hDXWipuE+K3/SSHgxmMISN

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM3D57.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM93D4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEME9D3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM4011.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM9621.exe

Executes dropped EXE 6 IoCs

pid	Process
3024	DEM3D57.exe
4352	DEM93D4.exe
2668	DEME9D3.exe
4916	DEM4011.exe
2056	DEM9621.exe
4936	DEMEC3F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 3024	1972	1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe	102
PID 1972 wrote to memory of 3024	1972	1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe	102
PID 1972 wrote to memory of 3024	1972	1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe	102
PID 3024 wrote to memory of 4352	3024	DEM3D57.exe	106
PID 3024 wrote to memory of 4352	3024	DEM3D57.exe	106
PID 3024 wrote to memory of 4352	3024	DEM3D57.exe	106
PID 4352 wrote to memory of 2668	4352	DEM93D4.exe	108
PID 4352 wrote to memory of 2668	4352	DEM93D4.exe	108
PID 4352 wrote to memory of 2668	4352	DEM93D4.exe	108
PID 2668 wrote to memory of 4916	2668	DEME9D3.exe	110
PID 2668 wrote to memory of 4916	2668	DEME9D3.exe	110
PID 2668 wrote to memory of 4916	2668	DEME9D3.exe	110
PID 4916 wrote to memory of 2056	4916	DEM4011.exe	112
PID 4916 wrote to memory of 2056	4916	DEM4011.exe	112
PID 4916 wrote to memory of 2056	4916	DEM4011.exe	112
PID 2056 wrote to memory of 4936	2056	DEM9621.exe	114
PID 2056 wrote to memory of 4936	2056	DEM9621.exe	114
PID 2056 wrote to memory of 4936	2056	DEM9621.exe	114

C:\Users\Admin\AppData\Local\Temp\1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\DEM3D57.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3D57.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\DEM93D4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM93D4.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Users\Admin\AppData\Local\Temp\DEME9D3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME9D3.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Users\Admin\AppData\Local\Temp\DEM4011.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4011.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4916
      - C:\Users\Admin\AppData\Local\Temp\DEM9621.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9621.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\DEMEC3F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEC3F.exe"
        7⤵
        Executes dropped EXE
        
        PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3D57.exe

Filesize
15KB

MD5
ae36a038781988c683669309f8991559

SHA1
12a92f1c60ce40b40243966b0c223cbb4edb387a

SHA256
e0615d2074a1e1db8d6e6d7c9d4a98d922dec122c299b8779c8920d54332d13a

SHA512
59888234ea1b50cff3e0a6ac1bab5199a32fd1d65cab8957cb87cf203cdb7278522a99f7d2c99148bb2e6ba6bc45b7e54eac266e2ec43846c54c168254b8614e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4011.exe

Filesize
15KB

MD5
4de7f9d6d7f294cb0e0c5dd45b1ff423

SHA1
53fd9562b044baca005053cfc4484bf41d0703b5

SHA256
204fc3721fa92d06b58026785a03a41e95d110240c88438060e550054fa2e7f1

SHA512
70342f455558149bff24c79d0bbb287c5f9714402ed5da11582c210a249a919ed9ea517da8142977fcd9e5596c9e5b582ee8e80fe9f58510bb707885435dded6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM93D4.exe

Filesize
15KB

MD5
09c768d77d5bf0ce207b031459f58ac1

SHA1
35de32a0079a050065deb032eaf0e6b5cdce391c

SHA256
54ee7394ac50774b65cc8409ca0f4408a03eb043ac312e2852e9c26f6babfa5d

SHA512
11d82a935a54769e859868c90515948bf1c006d4904afe5324ccfbe0d84b22ed52609df45aad2034ebfbaf9787ffc1854e3a7f4f1df46b4a16906283d536155c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9621.exe

Filesize
15KB

MD5
92757e059ffdd459b962e1bf93606157

SHA1
89baa143649b4de0fef506e1e1e69b0735320b0a

SHA256
4533ddbf04c74c08038d8189aaf5080690f2784d84286caadf01aa53191dc59e

SHA512
6b2c90c2a750b2cf9ce6aa3214d6e87c03051d5271091a73ad938bb951ac6b7a5e84db78f0ea8b0029e1f13e26d1c39bb6dbbd5b0c900466995701975a6cfae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME9D3.exe

Filesize
15KB

MD5
ec657f1d2fdc53ba5ee40c94eebe3136

SHA1
a016acc3993772673556f29f2ee9187864335e20

SHA256
974ff0f2cd770b1e49b686beace666ee875f7f07ee40cb27be8a6e8e07ed789c

SHA512
882228854ea9c5117d897fee4aa50ce77986f014639bfb8c408cf1ecfb1005942034babff2d36d399989c82b82a20cc0d04ba330d045feb246eacf912aa526cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEC3F.exe

Filesize
15KB

MD5
3eaf2728604d48a4c57d42b405114271

SHA1
6ab20c101806fe3973a7964059153da854608d68

SHA256
66cc9e756e3186fc7be5e56942cc9a8f8f6bb5f096e8d37579d233495061cf7a

SHA512
0a82cb4fcb3116b7b111537eb517f4c6daec0a036df601e0647a0006910c90b21867a7a855b2b31f5f32d26baf5cbe500d0b822c89efda610a3fb56503233df1

Download Submit

Analysis

Sharing