8be92dfd9142a2b8f231d02a30e73b84aafc6d2af5e14ee46938e419af974de7

General

Target

1d9e8a7c76d5ecbb3875fdda6023f6a8_JaffaCakes118.exe
Size

14KB
MD5

1d9e8a7c76d5ecbb3875fdda6023f6a8
SHA1

fdaab4c9a6c42b484b18b4a98aa1dd5a1a29cf0c
SHA256

8be92dfd9142a2b8f231d02a30e73b84aafc6d2af5e14ee46938e419af974de7
SHA512

00d24cc5d67be88b9c3a6ca99065f1edb5a0949cde49cae2ecf333b87a1b9c82716686b2e7010c17783610b7ca7da0ad5a767d96f488bb628212681a138bc5f7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhh79X:hDXWipuE+K3/SSHgxzl

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM77CB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMCF9F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	1d9e8a7c76d5ecbb3875fdda6023f6a8_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM6DDD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMC7B5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM1FB8.exe

Executes dropped EXE 6 IoCs

pid	Process
2244	DEM6DDD.exe
3556	DEMC7B5.exe
1436	DEM1FB8.exe
4592	DEM77CB.exe
5032	DEMCF9F.exe
4156	DEM2764.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2244	2380	1d9e8a7c76d5ecbb3875fdda6023f6a8_JaffaCakes118.exe	97
PID 2380 wrote to memory of 2244	2380	1d9e8a7c76d5ecbb3875fdda6023f6a8_JaffaCakes118.exe	97
PID 2380 wrote to memory of 2244	2380	1d9e8a7c76d5ecbb3875fdda6023f6a8_JaffaCakes118.exe	97
PID 2244 wrote to memory of 3556	2244	DEM6DDD.exe	100
PID 2244 wrote to memory of 3556	2244	DEM6DDD.exe	100
PID 2244 wrote to memory of 3556	2244	DEM6DDD.exe	100
PID 3556 wrote to memory of 1436	3556	DEMC7B5.exe	102
PID 3556 wrote to memory of 1436	3556	DEMC7B5.exe	102
PID 3556 wrote to memory of 1436	3556	DEMC7B5.exe	102
PID 1436 wrote to memory of 4592	1436	DEM1FB8.exe	104
PID 1436 wrote to memory of 4592	1436	DEM1FB8.exe	104
PID 1436 wrote to memory of 4592	1436	DEM1FB8.exe	104
PID 4592 wrote to memory of 5032	4592	DEM77CB.exe	106
PID 4592 wrote to memory of 5032	4592	DEM77CB.exe	106
PID 4592 wrote to memory of 5032	4592	DEM77CB.exe	106
PID 5032 wrote to memory of 4156	5032	DEMCF9F.exe	108
PID 5032 wrote to memory of 4156	5032	DEMCF9F.exe	108
PID 5032 wrote to memory of 4156	5032	DEMCF9F.exe	108

C:\Users\Admin\AppData\Local\Temp\1d9e8a7c76d5ecbb3875fdda6023f6a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d9e8a7c76d5ecbb3875fdda6023f6a8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\DEM6DDD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6DDD.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\DEMC7B5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC7B5.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Users\Admin\AppData\Local\Temp\DEM1FB8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1FB8.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1436
    - - C:\Users\Admin\AppData\Local\Temp\DEM77CB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM77CB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4592
      - C:\Users\Admin\AppData\Local\Temp\DEMCF9F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCF9F.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\DEM2764.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2764.exe"
        7⤵
        Executes dropped EXE
        
        PID:4156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1FB8.exe

Filesize
14KB

MD5
9becbbd61141051a11b7bcdad3068c40

SHA1
9703d2a28c1e8568b5fbcf53587aa105db9fecb0

SHA256
d6c59d36325f2913b6d89fcb44f412e6a54a871852e4b23ded47f57bc522a51a

SHA512
1f5802c3608305dad4c0fb8d2f31ec39226aa7999c3b8e0404e2616c6bf8015f5839ec232f4e177d0be7e48a59bc4587403f5952f21a9591342ce4e32433596f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2764.exe

Filesize
14KB

MD5
6007011d1e44c6dcc1caa456c0cbb3a1

SHA1
b320a36e258043878911fa400947d77103af0460

SHA256
79c13346d13ee1bd5991027b18056e060f8769deaf6eb37247f6a89b8dc4570c

SHA512
d710529fd36ac9d9f7a05413d9f2c791f86a639ea81ca8fc9046c179e76c37bc9756fa2d555cdd83e0bcc3281a5af82ea7c2fd4c68e51f6a6f6861efc9c6e533

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6DDD.exe

Filesize
14KB

MD5
beac06eddeddca1070c7ff85798392f4

SHA1
6e84aeab19dd17144766f20aadc34e1cbb3a4669

SHA256
59081d3f9ff6b6f6ab047c6e565ee13f94f9056d517b4d144becc84cd3875096

SHA512
28d86773513720034f5cc38fa0188ee444083bf14ff389e3675adf95327c96d3acc7ba74456ecb1191c8722f5ce0bf0167d89d94800a6f4d0256a38daef1b861

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM77CB.exe

Filesize
14KB

MD5
0638c27cbab6e3bd2707cf6281351721

SHA1
9b868de0ebbc2269d768ad50c004ce474033d945

SHA256
3fbc7bf5b22ab4867ba347b4039ab6cc43fc1f4438bc7e9670cb753b242d453d

SHA512
ffd2cf26196f2699860f498ff29d80bc92c26509a96d95e343abde96ef358eb4f621546d3c53fc8465a6306591a0b043bfb5894658ab6690a974b4f1658bcd7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC7B5.exe

Filesize
14KB

MD5
61d3f7d62ae6c18f372a2638a669fdc4

SHA1
d47d9420810c4561e6a0199346e27135a31366f2

SHA256
aa6d2d50135f20d3429bcb98b06da4c32dc196bf06d941ccfb6fe4c80e9d87a0

SHA512
62f6cae1d21c906b4aff7dbddcc1f8644e45821b05b810cbaef4379e5d56142e5affaa090af2abf04cbbb6cecc376547ff1c90233edd102bfec2dde5ab4ab974

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCF9F.exe

Filesize
14KB

MD5
984ddf45bf3e5ee620be0992db80767f

SHA1
2ce5361d01aa06029d5fd9d21a2603129be34e8c

SHA256
96a7d029a4c8e9088f5a80acbb1291746182bfa1b15e8de483bd26ac4f518566

SHA512
d56c0d10834fd6d560514c1efcb28650ce105e99d6873254077b895800b601103810cc573de3364bf59266693d6bb6c39b9956893481270fa2179e1ad2c54bb9

Download Submit

Analysis

Sharing