1938427566a51a0bae87831b42282ae67a166a2c6ae81c1795a2d789bead4ef0

General

Target

1fea9b86854ca0ad9659fb949161780a_JaffaCakes118.exe
Size

20KB
MD5

1fea9b86854ca0ad9659fb949161780a
SHA1

deea484161c46539ff0fab83957bcb70827a19ae
SHA256

1938427566a51a0bae87831b42282ae67a166a2c6ae81c1795a2d789bead4ef0
SHA512

8b0b273f37be02df018a8956ba2e3d4e6079c5a8c755386fa8636b558828df69673e948726d7d45c00a2c56e1562ad863800cfd9a5ea55ab31466d6424a0f8c1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L41gS:hDXWipuE+K3/SSHgxmHZ1H

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	1fea9b86854ca0ad9659fb949161780a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM3BE0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM924D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEME84D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM3E7B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM949A.exe

Executes dropped EXE 6 IoCs

pid	Process
1292	DEM3BE0.exe
448	DEM924D.exe
1924	DEME84D.exe
4764	DEM3E7B.exe
4172	DEM949A.exe
4072	DEMEAC8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 1292	860	1fea9b86854ca0ad9659fb949161780a_JaffaCakes118.exe	98
PID 860 wrote to memory of 1292	860	1fea9b86854ca0ad9659fb949161780a_JaffaCakes118.exe	98
PID 860 wrote to memory of 1292	860	1fea9b86854ca0ad9659fb949161780a_JaffaCakes118.exe	98
PID 1292 wrote to memory of 448	1292	DEM3BE0.exe	101
PID 1292 wrote to memory of 448	1292	DEM3BE0.exe	101
PID 1292 wrote to memory of 448	1292	DEM3BE0.exe	101
PID 448 wrote to memory of 1924	448	DEM924D.exe	103
PID 448 wrote to memory of 1924	448	DEM924D.exe	103
PID 448 wrote to memory of 1924	448	DEM924D.exe	103
PID 1924 wrote to memory of 4764	1924	DEME84D.exe	105
PID 1924 wrote to memory of 4764	1924	DEME84D.exe	105
PID 1924 wrote to memory of 4764	1924	DEME84D.exe	105
PID 4764 wrote to memory of 4172	4764	DEM3E7B.exe	107
PID 4764 wrote to memory of 4172	4764	DEM3E7B.exe	107
PID 4764 wrote to memory of 4172	4764	DEM3E7B.exe	107
PID 4172 wrote to memory of 4072	4172	DEM949A.exe	109
PID 4172 wrote to memory of 4072	4172	DEM949A.exe	109
PID 4172 wrote to memory of 4072	4172	DEM949A.exe	109

C:\Users\Admin\AppData\Local\Temp\1fea9b86854ca0ad9659fb949161780a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1fea9b86854ca0ad9659fb949161780a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Admin\AppData\Local\Temp\DEM3BE0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3BE0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Users\Admin\AppData\Local\Temp\DEM924D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM924D.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Users\Admin\AppData\Local\Temp\DEME84D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME84D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Users\Admin\AppData\Local\Temp\DEM3E7B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3E7B.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4764
      - C:\Users\Admin\AppData\Local\Temp\DEM949A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM949A.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\DEMEAC8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEAC8.exe"
        7⤵
        Executes dropped EXE
        
        PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3BE0.exe

Filesize
20KB

MD5
2641d611b73d1db3cf0faaf963a9938f

SHA1
db2b4cf88038d38f97debee231dbfd9312dbfd1e

SHA256
a49d9d1dbb21878330622027e50b450840ed2de743e79ca24e3f0333b1ffd1ea

SHA512
5ce4a5a3df0e7e7fd32793cee0a145567790c8523f46a5bb02fcf2800d052b5461322912514407c0755ac7e632a138ad2bccd26d88b7a763b23629396fbee550

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3E7B.exe

Filesize
20KB

MD5
8259bb33c8d12026dee5ade2ea3976cc

SHA1
5d481aa744cb9daab142346330b14c2640b2e0bd

SHA256
371736bc59ff53240ba812622b2ba6b596e26d8bed76db84e667550f45394f91

SHA512
dc5daff494cf5691362c7795c3e5d44f52824a8f6cbf53d55bbdba9bffd3e8d2ea07aa37a48f865b640c220c9b988474fe0b9c8cdebc33f6a351e86b472b6318

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM924D.exe

Filesize
20KB

MD5
43519d36ce6c34bfe1f94dbb5182c885

SHA1
3ef900be6d99c4c21f19219704685fba66fed8db

SHA256
093007571be64409157f2d3bfeccd0341e058eb10043de3660e5124e7ea5a4c8

SHA512
a5e7c4fefd4960d4e947284b70685ebaf3a3f2a282a644e1aac0ace15464cffb60915d7659d29fcb2a32c6f8a58d8ceb5f7888c51013c555604b7537e8e05c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM949A.exe

Filesize
20KB

MD5
32475711c6fe30e77dedc0a62af6b9e6

SHA1
c7ad7915d301c5747564a6e103637041babb3dfe

SHA256
2c69e6d66c2ce0690a5027032479c9885e6a6658bc0fed805f90a6be23026497

SHA512
90f5821600c7b3a335f73966de0725f883073300ab241b445a903bfad9054c1d138b3a8dd70ba9c584fc5a0dac4074aab7ce9862dda6f9f15ea286ce8bb48a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME84D.exe

Filesize
20KB

MD5
94000aca21aaeff3bf50c13957c767b0

SHA1
44af88526c093ed7b7e65b76059f43763cf9c0dc

SHA256
bd0fd720e4ecb492152f9d194b4347a5c14e69f42e483bdea069107a7658f811

SHA512
bcb869bfbef99e72858a78e3889c9a570229262e9270a0da8927ab88d34c35951dc46e307481d6c22c80b7bf15352c261dc5a776e28bea88da1024340155b836

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEAC8.exe

Filesize
20KB

MD5
9f021853cdf2b357f26588732f9325cb

SHA1
99a52b8bd3d4cbbe1f57e1f8dec7c5fa505a6d7a

SHA256
73a7aaf827225bdc79fd49a040e0df3627f8d7193dea9e6044a378c0489c0d39

SHA512
2f4598305cbe7b985b01eb0cef633d05557ecb5088d3129f81a8fb9efb03d760900f2ad3f15418edf2ec2720e26670925ec92b83db52eeafea8a961246991630

Download Submit

Analysis

Sharing