96f7989358d3b37da30f4ce1837a2423dc9c795abaef6d76e7ef3ddcca3e3567

General

Target

27fd7f5eb2fbb96affd0d9bf2af25a8a_JaffaCakes118.exe
Size

16KB
MD5

27fd7f5eb2fbb96affd0d9bf2af25a8a
SHA1

729db1a975d70a27d30bcff48356780685e340d6
SHA256

96f7989358d3b37da30f4ce1837a2423dc9c795abaef6d76e7ef3ddcca3e3567
SHA512

d4045c38a713ba8f40aeb9f7513252788ce6865f6e3cb75d996923f086f17c706b60d4522883be00e3bd8aebc4b66953818d5acf39a7c37a148cda5aa8244c79
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhjn:hDXWipuE+K3/SSHgx9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	27fd7f5eb2fbb96affd0d9bf2af25a8a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM32F7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM8973.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEMDF73.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM3592.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM8BB1.exe

Executes dropped EXE 6 IoCs

pid	Process
388	DEM32F7.exe
2180	DEM8973.exe
876	DEMDF73.exe
544	DEM3592.exe
2804	DEM8BB1.exe
2672	DEME172.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 388	4556	27fd7f5eb2fbb96affd0d9bf2af25a8a_JaffaCakes118.exe	97
PID 4556 wrote to memory of 388	4556	27fd7f5eb2fbb96affd0d9bf2af25a8a_JaffaCakes118.exe	97
PID 4556 wrote to memory of 388	4556	27fd7f5eb2fbb96affd0d9bf2af25a8a_JaffaCakes118.exe	97
PID 388 wrote to memory of 2180	388	DEM32F7.exe	100
PID 388 wrote to memory of 2180	388	DEM32F7.exe	100
PID 388 wrote to memory of 2180	388	DEM32F7.exe	100
PID 2180 wrote to memory of 876	2180	DEM8973.exe	102
PID 2180 wrote to memory of 876	2180	DEM8973.exe	102
PID 2180 wrote to memory of 876	2180	DEM8973.exe	102
PID 876 wrote to memory of 544	876	DEMDF73.exe	104
PID 876 wrote to memory of 544	876	DEMDF73.exe	104
PID 876 wrote to memory of 544	876	DEMDF73.exe	104
PID 544 wrote to memory of 2804	544	DEM3592.exe	106
PID 544 wrote to memory of 2804	544	DEM3592.exe	106
PID 544 wrote to memory of 2804	544	DEM3592.exe	106
PID 2804 wrote to memory of 2672	2804	DEM8BB1.exe	108
PID 2804 wrote to memory of 2672	2804	DEM8BB1.exe	108
PID 2804 wrote to memory of 2672	2804	DEM8BB1.exe	108

C:\Users\Admin\AppData\Local\Temp\27fd7f5eb2fbb96affd0d9bf2af25a8a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27fd7f5eb2fbb96affd0d9bf2af25a8a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\AppData\Local\Temp\DEM32F7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM32F7.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Users\Admin\AppData\Local\Temp\DEM8973.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8973.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\DEMDF73.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDF73.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\Users\Admin\AppData\Local\Temp\DEM3592.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3592.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:544
      - C:\Users\Admin\AppData\Local\Temp\DEM8BB1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8BB1.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\DEME172.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME172.exe"
        7⤵
        Executes dropped EXE
        
        PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM32F7.exe

Filesize
16KB

MD5
1d1b03a6e97c46a93f2a0758de1ac325

SHA1
bd78f01eab87aa8369f57746553ca532da9bfcc3

SHA256
43dcb6ffec513c683bf008b4528941ac41ae4203999f6629c3dad32f04eeef07

SHA512
4fcafc5b5d0d813c5edbc994ccb9909a1a7775089b7d90820275e7edd989e459492db66a51bc0f553e860468369034f1e371fc18bc4d1eecda27f2271064cf07

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3592.exe

Filesize
16KB

MD5
5235763d6517d45eb4d95fd139f34bbb

SHA1
0018d5fba4d27dce37904b6dbb2b13c6cfbda805

SHA256
773686de90db63a92227560a4b661b62891148f3ef90cda13143dbf054c3adc0

SHA512
249d262a272a4c12a6f8690d498b704472d44f5e8bc42bfdee352294495f31c3320d3c94085344a676a7babf954e2904e9a3b23ff8ac8525a50b763bf6cb30aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8973.exe

Filesize
16KB

MD5
432bbf8fc000a5738d2c21a54f257a02

SHA1
a18b190e81878525bff6f1d769940ac7ec53709e

SHA256
75f8fdb8372de873686e56706de88c2dae7dabd4e943520d8f2529bb55157149

SHA512
735cba05fcc9709ca40e44f1e330d8f752784d3ff15d44baad9c149d0c2b86ce610aceb4e1be68d2b1d5ac39b45ab56c48320aa4a3a02ca12e03ebe6bcc2739e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8BB1.exe

Filesize
16KB

MD5
78b83081b32baa93379388d5496342a4

SHA1
1f8468b0b579ae8063069a4be4a0a28d638b384e

SHA256
b934655f4198911e9d5270c417a15a86d36e571b24a6f9208dde08b1884c2655

SHA512
80c0df8d3a3a62451cd1dc101b41e960188d8d05ba7a042f059a710d15303b5aade7d1da3a7efd4cf995b3c5f50d40366cf2891d59b58aa785db343a1beccabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDF73.exe

Filesize
16KB

MD5
20dbb062d378f1a6fd13b7ed13d51c8d

SHA1
cd124251d346d12c9d8fb5d9e3069838e0055ba5

SHA256
3d7feca94a4a033f1f5905bd473a890fdc91e796a1721ffba2c1d5ab7bc44db7

SHA512
ff45752de8ce512ca7a52733c367c7dda3694e1b0ec9f834e20ad2538c9bbe2e837e305415c181df07121328888c3d9c38fdf59abe98ec0690027417b1c396a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME172.exe

Filesize
16KB

MD5
dd95aa867ad867078d0706b4b612754f

SHA1
f5b1af01135a87bc1a1ed18001a7237d1c1e213f

SHA256
5179205599129c941f9c69f55b3cff7e8e9dd801b7d3d70d9c676a5202a55254

SHA512
1fb9e920a05e258a6179e804cb5a8b36c9a3d01b2d3d65e7f3b6344325935ab74f5f16efbbeaf3bb58da14a440579e91de9d254479404a389bb5e2a370f5b863

Download Submit

Analysis

Sharing