52628d16b46289e2e4559cde46a522c9266fa8b25a1d03d60b2ae961db907698

General

Target

25eae72ceec1d1ea9941ed7ff79b91f5_JaffaCakes118.exe
Size

16KB
MD5

25eae72ceec1d1ea9941ed7ff79b91f5
SHA1

7ddf6008b00708bfb541a42f918d041c8c26eb99
SHA256

52628d16b46289e2e4559cde46a522c9266fa8b25a1d03d60b2ae961db907698
SHA512

d121e74817b568083e52246d5434542429827647f998d5b5af8b96705031130a791388f7f9de2519c2c712c9f05514b16d053458f79b772774e71fdfeada5a6c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5Jm:hDXWipuE+K3/SSHgxl5I

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	25eae72ceec1d1ea9941ed7ff79b91f5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM7B6A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMD580.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM2D54.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM8567.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMDD4B.exe

Executes dropped EXE 6 IoCs

pid	Process
4092	DEM7B6A.exe
4328	DEMD580.exe
2964	DEM2D54.exe
4392	DEM8567.exe
4468	DEMDD4B.exe
2080	DEM356E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 4092	3728	25eae72ceec1d1ea9941ed7ff79b91f5_JaffaCakes118.exe	97
PID 3728 wrote to memory of 4092	3728	25eae72ceec1d1ea9941ed7ff79b91f5_JaffaCakes118.exe	97
PID 3728 wrote to memory of 4092	3728	25eae72ceec1d1ea9941ed7ff79b91f5_JaffaCakes118.exe	97
PID 4092 wrote to memory of 4328	4092	DEM7B6A.exe	100
PID 4092 wrote to memory of 4328	4092	DEM7B6A.exe	100
PID 4092 wrote to memory of 4328	4092	DEM7B6A.exe	100
PID 4328 wrote to memory of 2964	4328	DEMD580.exe	102
PID 4328 wrote to memory of 2964	4328	DEMD580.exe	102
PID 4328 wrote to memory of 2964	4328	DEMD580.exe	102
PID 2964 wrote to memory of 4392	2964	DEM2D54.exe	104
PID 2964 wrote to memory of 4392	2964	DEM2D54.exe	104
PID 2964 wrote to memory of 4392	2964	DEM2D54.exe	104
PID 4392 wrote to memory of 4468	4392	DEM8567.exe	106
PID 4392 wrote to memory of 4468	4392	DEM8567.exe	106
PID 4392 wrote to memory of 4468	4392	DEM8567.exe	106
PID 4468 wrote to memory of 2080	4468	DEMDD4B.exe	108
PID 4468 wrote to memory of 2080	4468	DEMDD4B.exe	108
PID 4468 wrote to memory of 2080	4468	DEMDD4B.exe	108

C:\Users\Admin\AppData\Local\Temp\25eae72ceec1d1ea9941ed7ff79b91f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25eae72ceec1d1ea9941ed7ff79b91f5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Users\Admin\AppData\Local\Temp\DEM7B6A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7B6A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Users\Admin\AppData\Local\Temp\DEMD580.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD580.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Users\Admin\AppData\Local\Temp\DEM2D54.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2D54.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Users\Admin\AppData\Local\Temp\DEM8567.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8567.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4392
      - C:\Users\Admin\AppData\Local\Temp\DEMDD4B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDD4B.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\DEM356E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM356E.exe"
        7⤵
        Executes dropped EXE
        
        PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2D54.exe

Filesize
16KB

MD5
e6f526808247976f333ef7928422628c

SHA1
50850927cef56f2ab64dfc0c79aaaf7c694a7dc8

SHA256
61188f09ee5c0d9df76981659a9885483c69770f842ec86847e8b4b593e46486

SHA512
3aff3aecad2e679aac77df007b313c5768743ea5425270ecd47ae95cef8439e951b3e2880f48dac3d0aa45bbe1d19084c8169a247f90f076c880b5f8c0edf815

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM356E.exe

Filesize
16KB

MD5
437bf4eaee8c14cbe7a2d9d5c6906a07

SHA1
f07407c7bd4354d3151ccfa55fc30ae89fc3781b

SHA256
c277588ebe67a2f4c20d46ecaacef3a8e7c505d7d05f8e609e021de6b0860934

SHA512
2f309abc6e654cbc61745679532468fc91f52922a56c3b3cebdf02ef34d6b164bc275a782d984760b8966d7d51e733c65992426d61bb9030266772d7a61d14ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7B6A.exe

Filesize
16KB

MD5
d46fad6e6088176904f9cac0d92355d4

SHA1
bbd5f107913472b1366fd28eda1d2dd6ef773b60

SHA256
cb011c45cfea67925dc83789f2be0ed84e5ff59d93a3572cd15bdff307cc87c2

SHA512
c246058476c0057d1196e95d840f317c4397c805b2850d00bf1c91735c2306282f98850b830141eb4ba9bc3bd5fdce86c24b2f0e1adcc9353aa59cf0bc0463e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8567.exe

Filesize
16KB

MD5
75c62e63b1cc67ec452ae42f9e64cc5e

SHA1
9ee843c9cb82fdadaeb9d3efa4b3ff78f75305bd

SHA256
5ca8aa65557e375c91dcf22296d1d9de1fdfffcef9db82058678c1dfd156ff11

SHA512
2c1eef02aa19ddcf7b1379e152520e37cd63780e2a3ada4c70b38d74f51056fba5b11c22fdb53b3bc0988b7f84afd86ae80f6851c055ca6e0c183f132d4619dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD580.exe

Filesize
16KB

MD5
e472940be8c655cad73b1c4c0d8a01a3

SHA1
dabdfee82c97c4f855a7ae621609ab14f175579d

SHA256
6c863d308bfaab8a42ac415202e00e3f5a68f3ba8b9dc8d19721fc31e20b38fd

SHA512
51da6c4011692833eb08a64383ef6bef1dc24c1eccc85e94aa38b3dbf427ff6883431021a42230d15d4280f4e0424dd47d8efd26602fae101b71f766105f60cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDD4B.exe

Filesize
16KB

MD5
747adb4ab2eac143b02516fce53057b6

SHA1
0068d5839cc8e77684ae91fb15583a2b7cfccd64

SHA256
f95ab741c9ee625d99780f9cec9e72d2d16ebf4c208d9edddcacc48122490389

SHA512
8caefc0f5eddc724ef7bb661b4bbff7139e47bafa20dabc6c298f70a80504409e831e9ec000c6f12797c46f67c786e0df3396e59dfd2521b64dd8800109086a8

Download Submit

Analysis

Sharing