3a2daa10563cfb3deb74346cb1cf504c719de24de6f738301814cf27bd742509

General

Target

2275d7908bf208d91ada289d859c5350_JaffaCakes118.exe
Size

16KB
MD5

2275d7908bf208d91ada289d859c5350
SHA1

37419f08f1288c075e3c6c763f9e052dd7229e60
SHA256

3a2daa10563cfb3deb74346cb1cf504c719de24de6f738301814cf27bd742509
SHA512

d38c6f2d4be72c97945e8459ba23cef48311e62b8ad7d186789e2e931b9fd95d6eb41eb7b0a44be907dcbfb114788cef2a7c2f2f275937e5a6df6367cd12130e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5d:hDXWipuE+K3/SSHgxmL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM351A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM8AFA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEME07D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM36AB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM8CCA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	2275d7908bf208d91ada289d859c5350_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
1268	DEM351A.exe
2264	DEM8AFA.exe
2852	DEME07D.exe
2532	DEM36AB.exe
1004	DEM8CCA.exe
716	DEME2D9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 1268	3476	2275d7908bf208d91ada289d859c5350_JaffaCakes118.exe	97
PID 3476 wrote to memory of 1268	3476	2275d7908bf208d91ada289d859c5350_JaffaCakes118.exe	97
PID 3476 wrote to memory of 1268	3476	2275d7908bf208d91ada289d859c5350_JaffaCakes118.exe	97
PID 1268 wrote to memory of 2264	1268	DEM351A.exe	100
PID 1268 wrote to memory of 2264	1268	DEM351A.exe	100
PID 1268 wrote to memory of 2264	1268	DEM351A.exe	100
PID 2264 wrote to memory of 2852	2264	DEM8AFA.exe	102
PID 2264 wrote to memory of 2852	2264	DEM8AFA.exe	102
PID 2264 wrote to memory of 2852	2264	DEM8AFA.exe	102
PID 2852 wrote to memory of 2532	2852	DEME07D.exe	104
PID 2852 wrote to memory of 2532	2852	DEME07D.exe	104
PID 2852 wrote to memory of 2532	2852	DEME07D.exe	104
PID 2532 wrote to memory of 1004	2532	DEM36AB.exe	106
PID 2532 wrote to memory of 1004	2532	DEM36AB.exe	106
PID 2532 wrote to memory of 1004	2532	DEM36AB.exe	106
PID 1004 wrote to memory of 716	1004	DEM8CCA.exe	108
PID 1004 wrote to memory of 716	1004	DEM8CCA.exe	108
PID 1004 wrote to memory of 716	1004	DEM8CCA.exe	108

C:\Users\Admin\AppData\Local\Temp\2275d7908bf208d91ada289d859c5350_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2275d7908bf208d91ada289d859c5350_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Users\Admin\AppData\Local\Temp\DEM351A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM351A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Users\Admin\AppData\Local\Temp\DEM8AFA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8AFA.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\DEME07D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME07D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Users\Admin\AppData\Local\Temp\DEM36AB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM36AB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Users\Admin\AppData\Local\Temp\DEM8CCA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8CCA.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\DEME2D9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME2D9.exe"
        7⤵
        Executes dropped EXE
        
        PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM351A.exe

Filesize
16KB

MD5
ba9a9b4ac8877d6abafceb4cc36c81ae

SHA1
6ab530c3853660f9feb2933c32312f66365f50ab

SHA256
68a3c0f0401e806369c8419c4b9e067bef98fd0394a4399d9715dbe505d57341

SHA512
dd527505687960edcf2c7c638319ad5641afd8669a2c0c81fea1b68810e8b3aca8fcd9f1fc8f56c01701f3d7d9afb6b303276108f640b7223e901355ba4500c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM36AB.exe

Filesize
16KB

MD5
c8a1f7441cc6a897a642435d9916efec

SHA1
d74d7ca833beff06448a13de585debe947714e5b

SHA256
9a950450167330dc3674adf48a0e757ad59d556113b56b20c2f59dbe54e4293f

SHA512
c8c8670a371ea650385619841201b72e29fa13db7b75ed9a04b6d741e1fbaeb5be234185732b09f615acbbba90862467f105d83d892b1884d3263d9a09433586

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8AFA.exe

Filesize
16KB

MD5
a2e4d8d78b09ee2c570fb25fec7e38b7

SHA1
1063eac28e731df63061d10dde2ad67d8693f5b9

SHA256
17b35217afb734b623028cba6681f8d7179d8a7bd2a2331a251426e918f708ec

SHA512
8d71d385522ad9dd4af2ba135e5e4b069801f7c90fc67c686c1c3f2442bf758b7326097a5bb0520cb878b25dc96c296d8ecea416992d89caab8a3db2436745d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8CCA.exe

Filesize
16KB

MD5
c6ec645d9f9a9c0180a0296ab7a6a397

SHA1
b8a71d2ac6ef3368776dc8b9b28093fa8edde1fb

SHA256
bcc820113f9d91bd3a45124e9bb710d918f5d8fb3ad9c13f18517717f9ed9596

SHA512
e4f534e2fed35107cd7085dd84f4a543bf2957de588acb70f077bbbee0ab0210aad04636408dc6b26eb80e4fa46b534dddf6c5c98b57613f573427bf20af3616

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME07D.exe

Filesize
16KB

MD5
6a4db9f954f595110a5ce4e93d60581c

SHA1
5c9f06f94e454623f10a411c5e00e6111fc2384c

SHA256
90f88b1afb51245b8c357535ec3f4b44394af63bf5018d0bee8005c2b95af068

SHA512
fb763116eeb90512acb2d974ed87214bd8d9075336983d9505dcb9ea0f0d60986286b3fea333ce84457aefc84358329cb9ea22236210815b19d04e738b1ac21d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME2D9.exe

Filesize
16KB

MD5
ffdbbfb1caa6d95996222ff53f0496fa

SHA1
d08bb223789540c88eef2add87a23be044eb3d28

SHA256
3dbbeae929a80ff201d5bfd06053195571876bdba1d9bb8102c64ebd2584f07d

SHA512
a09f347a696a5e434884afdb331d2d5b032d0bdfe336824039f476031d2370bb74cd376679a11df4313599e0f7133856787a2e51989459b4b5b56eb2fc67a8e5

Download Submit

Analysis

Sharing