5b5311b75f67053c6df98825205f3badb5d80984fe9aa0e4c8b919e193f0af94

General

Target

2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe
Size

16KB
MD5

2970e1c26ef472285f0888308b7f6e73
SHA1

86953b3e9291f7a4585eef2e843055e2e2274744
SHA256

5b5311b75f67053c6df98825205f3badb5d80984fe9aa0e4c8b919e193f0af94
SHA512

87d7b25afc5c768092f5d6d0b99f9b10d56a2b696c29c9a9f3a78a1dad51901415652cc3b2edf2ab3e348af3a1b4d29f596b8c1f4e669639e2d42ed2e9f539aa
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlt:hDXWipuE+K3/SSHgxmlt

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM3F4B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM95C8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEMEBA8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM41B7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM9769.exe

Executes dropped EXE 6 IoCs

pid	Process
2180	DEM3F4B.exe
4508	DEM95C8.exe
2416	DEMEBA8.exe
4924	DEM41B7.exe
4912	DEM9769.exe
2572	DEMED68.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 2180	3576	2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe	96
PID 3576 wrote to memory of 2180	3576	2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe	96
PID 3576 wrote to memory of 2180	3576	2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe	96
PID 2180 wrote to memory of 4508	2180	DEM3F4B.exe	99
PID 2180 wrote to memory of 4508	2180	DEM3F4B.exe	99
PID 2180 wrote to memory of 4508	2180	DEM3F4B.exe	99
PID 4508 wrote to memory of 2416	4508	DEM95C8.exe	101
PID 4508 wrote to memory of 2416	4508	DEM95C8.exe	101
PID 4508 wrote to memory of 2416	4508	DEM95C8.exe	101
PID 2416 wrote to memory of 4924	2416	DEMEBA8.exe	103
PID 2416 wrote to memory of 4924	2416	DEMEBA8.exe	103
PID 2416 wrote to memory of 4924	2416	DEMEBA8.exe	103
PID 4924 wrote to memory of 4912	4924	DEM41B7.exe	105
PID 4924 wrote to memory of 4912	4924	DEM41B7.exe	105
PID 4924 wrote to memory of 4912	4924	DEM41B7.exe	105
PID 4912 wrote to memory of 2572	4912	DEM9769.exe	107
PID 4912 wrote to memory of 2572	4912	DEM9769.exe	107
PID 4912 wrote to memory of 2572	4912	DEM9769.exe	107

C:\Users\Admin\AppData\Local\Temp\2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2970e1c26ef472285f0888308b7f6e73_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Users\Admin\AppData\Local\Temp\DEM3F4B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3F4B.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\DEM95C8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM95C8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Users\Admin\AppData\Local\Temp\DEMEBA8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEBA8.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Users\Admin\AppData\Local\Temp\DEM41B7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM41B7.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Users\Admin\AppData\Local\Temp\DEM9769.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9769.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\DEMED68.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMED68.exe"
        7⤵
        Executes dropped EXE
        
        PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3F4B.exe

Filesize
16KB

MD5
30797d3a2af4c8b594e43b46ce1988b5

SHA1
5f17bed78ebb94d637f9c581d778012e36488781

SHA256
d6eba98d16c4a8f49c39a3458637005e9fc05c320b8d527bbabe6dc5b02032b4

SHA512
791022df155ae480ab99aa19d850e5829d4fbc2a5ba47fcd787da72ebea9049c9f03d43ea60b3274b9a63d0320326061562c3b0b831c5058984a3849199bb97c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM41B7.exe

Filesize
16KB

MD5
423661317e09618afb2b418d299109cd

SHA1
7ccfdfdfd184ae11bf2de78cfa13b51a26ec5976

SHA256
81c227564a9738120410d143ddfeae1b6db0b4158d04211f648a4166e17195a4

SHA512
762edcde38b1734b68e25a3e7212b21c2f5c98d81e07066dbc217fc1fc1d3ad81c1152b4d545da5e337a04ec6ee0dc32851d61813e3f493b2f2c932815723ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM95C8.exe

Filesize
16KB

MD5
a80d0339f841725ed8b556e919e48905

SHA1
a6566462edd4bde1d375bada3ec3bcf32b1b15fe

SHA256
2151b2e9df645337ab4c8902f9e2fdb0a7229f505f51dec9fe0da5f7b783b2be

SHA512
19d7df0832d5ab5f291a4e49ef8b0201b0e449a068a2d96f9ee993ee58d7011e9ae1fbd98d266f0533f5682eb140434dd8c7f3f542fe2538cb614befd27bd5fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9769.exe

Filesize
16KB

MD5
b2da84814acd57aa747bf7c055281d55

SHA1
1ff86e35ceb0852a7543f7d53990800f4cee7fe2

SHA256
536ebe42bb1f1c03d88aef511149779781054af5f53cd00c58dd2c287bff1bdf

SHA512
2b4c42c290d59925691cb43048de41c3a1c3abd4f4bdc75356754abcbe5e52b6a40a18b4a1aa29b555aaa358d106d3d2e2f8ad7a0e9c480e5d19030aed52ce85

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEBA8.exe

Filesize
16KB

MD5
df9703821e01786a6b526c28ac4d58d4

SHA1
73abce4352f53d4fe2dd0c13a7bdb1c1983b1418

SHA256
f3de19ac9cc2e09197ec0be007fc9ca064d02c0c4f4917464da3a5206f847c09

SHA512
1c25d63b283a3320fa91c7f458c53552317a2ffb4340a85ee9891206a5964f8a7ea1601c63fbaa5b29677d1cab5f4658d567fbef869929b1f9fa42e06e3cfb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMED68.exe

Filesize
16KB

MD5
f78aaf3de24892937e2b7594c3fde33c

SHA1
f5eae326cdd6dc8a2ba84797d4554ea53faa4dc1

SHA256
7a0395c7b5800793e4b7442715be57108ac60903253eb7bd4b2db31096c8d6d7

SHA512
61fca9d3cbf40f7ce180ba607f39ce7b679d81fb8dc72f949e0beb013ab81168cf39982a3773308a0935da9e94bb4d576df26a363304b4628cae0b4cdc5e1054

Download Submit

Analysis

Sharing