ff01511f61745f2cd7a5a46a9942338811605955e4da0463a885c6088a179052

General

Target

1cb562c9394716febea19bad65da8075_JaffaCakes118.exe
Size

20KB
MD5

1cb562c9394716febea19bad65da8075
SHA1

679586aa2792d6e668e79a1e25bad1f8e9a1d6af
SHA256

ff01511f61745f2cd7a5a46a9942338811605955e4da0463a885c6088a179052
SHA512

5770b96ebfda6b988d7c1b9a0f3babb401af6c031640646633e0b754a6fe06a5705fdf246aff5f4a61b49348b78f577df5d48981fe692a9ff150edf3b392d1b1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxI:hDXWipuE+K3/SSHgxmH+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	1cb562c9394716febea19bad65da8075_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM42F4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM9961.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMEFA0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM45BE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM9BCE.exe

Executes dropped EXE 6 IoCs

pid	Process
3980	DEM42F4.exe
2800	DEM9961.exe
3452	DEMEFA0.exe
2096	DEM45BE.exe
4856	DEM9BCE.exe
3440	DEMF20C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 3980	2244	1cb562c9394716febea19bad65da8075_JaffaCakes118.exe	93
PID 2244 wrote to memory of 3980	2244	1cb562c9394716febea19bad65da8075_JaffaCakes118.exe	93
PID 2244 wrote to memory of 3980	2244	1cb562c9394716febea19bad65da8075_JaffaCakes118.exe	93
PID 3980 wrote to memory of 2800	3980	DEM42F4.exe	96
PID 3980 wrote to memory of 2800	3980	DEM42F4.exe	96
PID 3980 wrote to memory of 2800	3980	DEM42F4.exe	96
PID 2800 wrote to memory of 3452	2800	DEM9961.exe	98
PID 2800 wrote to memory of 3452	2800	DEM9961.exe	98
PID 2800 wrote to memory of 3452	2800	DEM9961.exe	98
PID 3452 wrote to memory of 2096	3452	DEMEFA0.exe	100
PID 3452 wrote to memory of 2096	3452	DEMEFA0.exe	100
PID 3452 wrote to memory of 2096	3452	DEMEFA0.exe	100
PID 2096 wrote to memory of 4856	2096	DEM45BE.exe	102
PID 2096 wrote to memory of 4856	2096	DEM45BE.exe	102
PID 2096 wrote to memory of 4856	2096	DEM45BE.exe	102
PID 4856 wrote to memory of 3440	4856	DEM9BCE.exe	104
PID 4856 wrote to memory of 3440	4856	DEM9BCE.exe	104
PID 4856 wrote to memory of 3440	4856	DEM9BCE.exe	104

C:\Users\Admin\AppData\Local\Temp\1cb562c9394716febea19bad65da8075_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1cb562c9394716febea19bad65da8075_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\DEM42F4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM42F4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Users\Admin\AppData\Local\Temp\DEM9961.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9961.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\DEMEFA0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEFA0.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3452
    - - C:\Users\Admin\AppData\Local\Temp\DEM45BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM45BE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Users\Admin\AppData\Local\Temp\DEM9BCE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9BCE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\DEMF20C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF20C.exe"
        7⤵
        Executes dropped EXE
        
        PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM42F4.exe

Filesize
20KB

MD5
5bc75570a48bdcbc985408076b94591e

SHA1
5ce3decfa9e80ca43b62407b965859c155ce702f

SHA256
188abf53ee05c210fb53f8498833253cde26845e9f95948401e7ea35c5a6224b

SHA512
e9ab531a19ee57146d5a21ec71185f57e3d633b40e9afd207987c0b28731b46a06af0556ea9217c21168d67cfb30a364b4e3a60f3a1ad3314609f82d11c8d06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM45BE.exe

Filesize
20KB

MD5
7ab2fb3bb2a9f3fe1d2675ba39bd64de

SHA1
3da51c9c6c17cfbc62f4b45f6bc11edb48215167

SHA256
ecd285a62066ef4e39c3854ac1f71bc45a2ad18e5527160bd7ba49e4ea0109ea

SHA512
6e2d4f37ff626583eb10cb95304eda52ae826135a8815bb6f5c6c12e336a79a86ab818b7f773c3e11230e049e61749474d19196cb5fef0322f5a895fdd9d8aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9961.exe

Filesize
20KB

MD5
dd5afb92217db95121ce904cb161e383

SHA1
7e9c07b1fdb1d7289b159175ecb5757b05feecc1

SHA256
d61e18f605b2958d1565b78e5b6cfda5e50c565bb7efff4caa61f34881c34ad2

SHA512
3a46d99626876944a1644f8df6fb0eeaaf3a93fcd98c3748f3c9169ad0d25f3a57681a985c0bf8d892fae14047b7788c85860d4d5b2a6eba2a046a999de45de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9BCE.exe

Filesize
20KB

MD5
58b1e29467111df24bd584459939c0d2

SHA1
8a2f262245ffc24e98e9f4e752ffc578a87e82bf

SHA256
b91802411b7f3c1bc83d683eb98b0437e666699de3f553d6af6e0d1a3d21cc73

SHA512
b0c8ca57e9f1a24413b33c4bed773a08d4fbddc24893c24ae2437105ced7297722f973d97d9177da8fc32418220ca0faddc9d518a80769e599b2f316da62d789

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEFA0.exe

Filesize
20KB

MD5
490f3d9ce8c0151763ddfe61f4bcac0a

SHA1
fbf5cfcb0b88d431271ac36b9e66fe2b539f6d4e

SHA256
b1dda237a164b56929255f12cedd9dc0977fc4698aa9b08d97552c586176bc4c

SHA512
51c571881d7c839623f0123c086b0f56063a589de817e1c79289f1802c95cd0b7335c759d02815bc2f0a7f461e92b076b1a39a0d46d4c824dc043e83dfeaed6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF20C.exe

Filesize
20KB

MD5
80d10708ed54d058393cba4213a9f137

SHA1
522753e74827ee61320f1f5dad008e1c0848d229

SHA256
cadb1c40f687a028fe845aaba9df2bb9690704a851b31f20260a729ae0e6b1e2

SHA512
2c3987b67fd394687eb04d71340609604445fd6deaf33f25355d8d7741f5ac204e1614a850dd28300fcea45c012a1d930af473f1d7dba55ad1f89361be218771

Download Submit

Analysis

Sharing