df925a665353ec76c444187087f793c4feac14e920b9f84fc125ab2a750e53a0

General

Target

1d60d1382af76bc9f89568d97784a2a7_JaffaCakes118.exe
Size

16KB
MD5

1d60d1382af76bc9f89568d97784a2a7
SHA1

5c31dc975f6664ff03d39934aeada5103a549449
SHA256

df925a665353ec76c444187087f793c4feac14e920b9f84fc125ab2a750e53a0
SHA512

86df541f4db153ae5e4c45bccb7ed422d263ac5cb1453bad026507311fda8ea29e8284d17e4874800f6c4cc6ef9e45284f057f243a9dd9e03cca1ca93e66d4ac
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhD8ZO:hDXWipuE+K3/SSHgxt6O

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	1d60d1382af76bc9f89568d97784a2a7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM3141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM879F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEMDDCD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM33DC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM89BD.exe

Executes dropped EXE 6 IoCs

pid	Process
4780	DEM3141.exe
4948	DEM879F.exe
4136	DEMDDCD.exe
540	DEM33DC.exe
3244	DEM89BD.exe
3860	DEME00A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 4780	3708	1d60d1382af76bc9f89568d97784a2a7_JaffaCakes118.exe	97
PID 3708 wrote to memory of 4780	3708	1d60d1382af76bc9f89568d97784a2a7_JaffaCakes118.exe	97
PID 3708 wrote to memory of 4780	3708	1d60d1382af76bc9f89568d97784a2a7_JaffaCakes118.exe	97
PID 4780 wrote to memory of 4948	4780	DEM3141.exe	100
PID 4780 wrote to memory of 4948	4780	DEM3141.exe	100
PID 4780 wrote to memory of 4948	4780	DEM3141.exe	100
PID 4948 wrote to memory of 4136	4948	DEM879F.exe	102
PID 4948 wrote to memory of 4136	4948	DEM879F.exe	102
PID 4948 wrote to memory of 4136	4948	DEM879F.exe	102
PID 4136 wrote to memory of 540	4136	DEMDDCD.exe	104
PID 4136 wrote to memory of 540	4136	DEMDDCD.exe	104
PID 4136 wrote to memory of 540	4136	DEMDDCD.exe	104
PID 540 wrote to memory of 3244	540	DEM33DC.exe	106
PID 540 wrote to memory of 3244	540	DEM33DC.exe	106
PID 540 wrote to memory of 3244	540	DEM33DC.exe	106
PID 3244 wrote to memory of 3860	3244	DEM89BD.exe	108
PID 3244 wrote to memory of 3860	3244	DEM89BD.exe	108
PID 3244 wrote to memory of 3860	3244	DEM89BD.exe	108

C:\Users\Admin\AppData\Local\Temp\1d60d1382af76bc9f89568d97784a2a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d60d1382af76bc9f89568d97784a2a7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Users\Admin\AppData\Local\Temp\DEM3141.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3141.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\DEM879F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM879F.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\DEMDDCD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDDCD.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4136
    - - C:\Users\Admin\AppData\Local\Temp\DEM33DC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM33DC.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:540
      - C:\Users\Admin\AppData\Local\Temp\DEM89BD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM89BD.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\DEME00A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME00A.exe"
        7⤵
        Executes dropped EXE
        
        PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3141.exe

Filesize
16KB

MD5
ed0649758535dc969a1f5073cc2d4ef4

SHA1
3fc4090d6c540363c18b9bd74b25df9a8bbb4741

SHA256
6dd6c5a45fa4b5a0452aac01cbe4d909f29b4d79fc81c9dc8fd32f3643f8dc20

SHA512
d5a60931b2337ea943f2a06d4aa380c9c1c82b2d41935b3b210484f0121caf8214b8c1a1538a3cd7db78bc17dc9af3cc2299c8d70766f5a3b282025cdaed8861

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM33DC.exe

Filesize
16KB

MD5
0cac4124fc31dff36e6762673df2d00b

SHA1
b90df21f2d8b9c3e5a1219f8767848ad165fe807

SHA256
9e8cbc9c2f44f564f9dbd6c92530b84e7856cd027dc6af7d5c656b69e6e4d839

SHA512
651657c368995b7927f129f8e755fbcf3e69427cd49cb6cd4847479b89ad9e536e0a3a36ca5b11ac9fe6b786390299e6b9c834e04604c5701f241e85e6637c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM879F.exe

Filesize
16KB

MD5
bcb3a72738af101722e32c82e2798f30

SHA1
9322f3c4480cd5eaba8e12ea5217bdbdadfe9ec5

SHA256
4137b6afce914337d06dbf08f8a789dd5b7fd2caf8357b689f0cc45a35083b69

SHA512
23f067df94b11c11f1d468c750ff5a5029e225276a1cb0b2cfff9deb1038f4e94485fa311a619a53c71a134be821653cfffbf89f558010b2957be0cc1018c6d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM89BD.exe

Filesize
16KB

MD5
37a35d3621d637f520718ef226dcfb86

SHA1
6279c8e158388a52422439b2d875c7a28b7b35a3

SHA256
a72b018d1a8d1ff7ded8dc3a51524759fb661c662550ced17345a11d3d900207

SHA512
eee1d031c6606292dfee587f3fb1ce437f412c75620e34b35ba4c1b9e6469e437cf5cf68040a0f5bbeb3e636a13a2531acdfb02ea63585b76575b61251eddc24

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDDCD.exe

Filesize
16KB

MD5
de4d56cf871622606c5958765e1b0b9d

SHA1
ca128479b0c940928009d2160ee7a0f75b030c1e

SHA256
7a76e0a41f050f82518377d5c08d440b238f418cb58c9abc27c2787242da75e0

SHA512
1a18a92e2cd21e40e89b85e224da6b7de70ada8c50f8d9bd4dc31a9f77662287b61639775206d9494a6164d141215431d96409c88c843db21422cc77d04dafb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME00A.exe

Filesize
16KB

MD5
4ab2cf9ce60f70d1da6173e18cab0ea8

SHA1
6fb93986b85ca5be77fb023c46d006e62ff0dc36

SHA256
68e52bf3db032dd45283389dbd3654cee75124f02bd3023977b4ed7dc01f318d

SHA512
a1b6f0c74042b885763e94a15168301bcab3a68f9c2d559c0bf5c56a6e92a1eaa999a7fb3924bf5fa071a98132a624e1b209694fd2658f4fa58a763771d06632

Download Submit

Analysis

Sharing