c33cccfbd90e2062621ff695fb13cb49766b5dbaff56b76ed43aa2a29c2c9b1a

General

Target

2271c8cf26f650a3ec2d4429c7a22b96_JaffaCakes118.exe
Size

16KB
MD5

2271c8cf26f650a3ec2d4429c7a22b96
SHA1

4c96803fcc7a9d6aaeadd27f67a1611cb597d386
SHA256

c33cccfbd90e2062621ff695fb13cb49766b5dbaff56b76ed43aa2a29c2c9b1a
SHA512

0a57c08423c54deb315bba7efeeafd84f53ebee3f835fe68366ae5bd360f3afb0917154a222f4c8c654b2a12cac1395d48023ec0e1a82d780480dff463110140
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRzF:hDXWipuE+K3/SSHgx3F

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	2271c8cf26f650a3ec2d4429c7a22b96_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM2CBD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM831A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEMD939.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM2F58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM8548.exe

Executes dropped EXE 6 IoCs

pid	Process
4220	DEM2CBD.exe
3096	DEM831A.exe
4968	DEMD939.exe
2776	DEM2F58.exe
1760	DEM8548.exe
4464	DEMDB38.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 4220	4464	2271c8cf26f650a3ec2d4429c7a22b96_JaffaCakes118.exe	98
PID 4464 wrote to memory of 4220	4464	2271c8cf26f650a3ec2d4429c7a22b96_JaffaCakes118.exe	98
PID 4464 wrote to memory of 4220	4464	2271c8cf26f650a3ec2d4429c7a22b96_JaffaCakes118.exe	98
PID 4220 wrote to memory of 3096	4220	DEM2CBD.exe	101
PID 4220 wrote to memory of 3096	4220	DEM2CBD.exe	101
PID 4220 wrote to memory of 3096	4220	DEM2CBD.exe	101
PID 3096 wrote to memory of 4968	3096	DEM831A.exe	103
PID 3096 wrote to memory of 4968	3096	DEM831A.exe	103
PID 3096 wrote to memory of 4968	3096	DEM831A.exe	103
PID 4968 wrote to memory of 2776	4968	DEMD939.exe	105
PID 4968 wrote to memory of 2776	4968	DEMD939.exe	105
PID 4968 wrote to memory of 2776	4968	DEMD939.exe	105
PID 2776 wrote to memory of 1760	2776	DEM2F58.exe	107
PID 2776 wrote to memory of 1760	2776	DEM2F58.exe	107
PID 2776 wrote to memory of 1760	2776	DEM2F58.exe	107
PID 1760 wrote to memory of 4464	1760	DEM8548.exe	109
PID 1760 wrote to memory of 4464	1760	DEM8548.exe	109
PID 1760 wrote to memory of 4464	1760	DEM8548.exe	109

C:\Users\Admin\AppData\Local\Temp\2271c8cf26f650a3ec2d4429c7a22b96_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2271c8cf26f650a3ec2d4429c7a22b96_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\DEM2CBD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2CBD.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Users\Admin\AppData\Local\Temp\DEM831A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM831A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\DEMD939.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD939.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Users\Admin\AppData\Local\Temp\DEM2F58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2F58.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Users\Admin\AppData\Local\Temp\DEM8548.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8548.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\DEMDB38.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDB38.exe"
        7⤵
        Executes dropped EXE
        
        PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2CBD.exe

Filesize
16KB

MD5
b4bbce1e1fa83037562bd31d2b331515

SHA1
77962d65552f33639257e50ff3aa4bcc68eaecfa

SHA256
db5ac4334a5b14414e111c4728c7e9d13a8748a3e1df6e1f347d1f2e2a416cc8

SHA512
8d8bfa61824aec8061887183cd838e019897a777c1966d79fc0534cba4a285bf263c0eceee36d7675423d4f68d8d4498b9056133b1c8ff9878a7f6556e7bfff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2F58.exe

Filesize
16KB

MD5
c73adfa2bcecd5a15649e0698ca4ebdc

SHA1
698ad068ea1324a8c0de9035f516473f745d8b56

SHA256
6f521f6ca65bcffe835ddde75960fc9edb9dbf6a84e10655c208dec3f8c0923c

SHA512
aae779abb614fb9cb9201be3b3256f9ca4086a6442f919b18f4a74472c2225ef40081db986c036873d200d2e23efa02ccefc7ea523d19c9856fe9191cb087a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM831A.exe

Filesize
16KB

MD5
a36862495035c1517b3dc3529c98c14c

SHA1
25c7b0ea43f67fa7f547faca9e869740a50d4d6c

SHA256
af969aeb1f62f80448a9d5fdba6c70048aa6e19083e03f57bcde7d1558546259

SHA512
4a230bb26f81c9c1da835d60bca0b696fb7e3e11c7926783ae96dcbe105440f3b15bb12e4a5cd99fbf9501e4ab3c9f392f76344e5dffe86ce4726292f3b9e5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8548.exe

Filesize
16KB

MD5
aec6d2940cea19256c956d42de15680b

SHA1
748bbc8732b8713542b81bb53cc22e1d3483e127

SHA256
e6143685fa89012ff1d92971f50cc271cc0959ae22b4244f3b17f4a0e1aa2dae

SHA512
a6b3ab805b99bedfc94be3e5b4909dc0e3255df6003f308e05d8d67ed93fa70c4ae8e889156ca6d735284bb738040b1ce054ff8cf07463b8d1c7935ae51e7975

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD939.exe

Filesize
16KB

MD5
909ee9877b73978474bf41afc963842b

SHA1
cf3400f5fde174d2c047019daa91a7f5f0855d6e

SHA256
17980541534cfaa7ea7f4e263846d245396ce6a992368c816d820a7c77e6bfc1

SHA512
199387ec0dc4652ffa6ecfdfe9f4006d0f0d2eaae4769ad9ec3803cea20f6b640e102a861dbdb48c2164dea474cc5b88024c036cabc036d64bf09d2d2b1b0318

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDB38.exe

Filesize
16KB

MD5
1afe68fd3a767b69a7d73b43b1acff18

SHA1
aa001c592c4490ca477f2c7e161cf08125adc8dc

SHA256
b9432f426937160a5cd87d2527c48b3d479f0aa733f65d05272567122b9938e5

SHA512
a281947e0d0ec304cc4433b8d5448487a74e405cf6fb76bad28ae6d82d58fb4f5f037347d7320733fca204781642a0bc75d7fd36def526b63d82a0221b940c77

Download Submit

Analysis

Sharing