27f149e97ac738936a4141e9249efc4e38e00fb8940eaaf9016c633f1f6af00c

General

Target

289b23a2f8654b5b6035c90284fa8802_JaffaCakes118.exe
Size

16KB
MD5

289b23a2f8654b5b6035c90284fa8802
SHA1

1267a9d394a02f00b37d975ff4a33577421e5af0
SHA256

27f149e97ac738936a4141e9249efc4e38e00fb8940eaaf9016c633f1f6af00c
SHA512

687e2703cbc301164e57001b79d1df83ce96315ab9062a40fd2979eaafaba175cb6caba466944b283e74e12838aa51e803878d4a437fbf348fa53c82e529bb26
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYHzK:hDXWipuE+K3/SSHgxmHe

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	289b23a2f8654b5b6035c90284fa8802_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM31ED.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM882B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEMDE4A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM3469.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM8A88.exe

Executes dropped EXE 6 IoCs

pid	Process
3576	DEM31ED.exe
4144	DEM882B.exe
3932	DEMDE4A.exe
1976	DEM3469.exe
2924	DEM8A88.exe
4396	DEME0F5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 3576	4904	289b23a2f8654b5b6035c90284fa8802_JaffaCakes118.exe	98
PID 4904 wrote to memory of 3576	4904	289b23a2f8654b5b6035c90284fa8802_JaffaCakes118.exe	98
PID 4904 wrote to memory of 3576	4904	289b23a2f8654b5b6035c90284fa8802_JaffaCakes118.exe	98
PID 3576 wrote to memory of 4144	3576	DEM31ED.exe	101
PID 3576 wrote to memory of 4144	3576	DEM31ED.exe	101
PID 3576 wrote to memory of 4144	3576	DEM31ED.exe	101
PID 4144 wrote to memory of 3932	4144	DEM882B.exe	103
PID 4144 wrote to memory of 3932	4144	DEM882B.exe	103
PID 4144 wrote to memory of 3932	4144	DEM882B.exe	103
PID 3932 wrote to memory of 1976	3932	DEMDE4A.exe	105
PID 3932 wrote to memory of 1976	3932	DEMDE4A.exe	105
PID 3932 wrote to memory of 1976	3932	DEMDE4A.exe	105
PID 1976 wrote to memory of 2924	1976	DEM3469.exe	107
PID 1976 wrote to memory of 2924	1976	DEM3469.exe	107
PID 1976 wrote to memory of 2924	1976	DEM3469.exe	107
PID 2924 wrote to memory of 4396	2924	DEM8A88.exe	109
PID 2924 wrote to memory of 4396	2924	DEM8A88.exe	109
PID 2924 wrote to memory of 4396	2924	DEM8A88.exe	109

C:\Users\Admin\AppData\Local\Temp\289b23a2f8654b5b6035c90284fa8802_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\289b23a2f8654b5b6035c90284fa8802_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\DEM31ED.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM31ED.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Users\Admin\AppData\Local\Temp\DEM882B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM882B.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Users\Admin\AppData\Local\Temp\DEMDE4A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDE4A.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Users\Admin\AppData\Local\Temp\DEM3469.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3469.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Users\Admin\AppData\Local\Temp\DEM8A88.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8A88.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\DEME0F5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME0F5.exe"
        7⤵
        Executes dropped EXE
        
        PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM31ED.exe

Filesize
16KB

MD5
e04219f79276526f5a148851a9fc1f9b

SHA1
ec56e00ec0f25a5d05021eadc9ca0ba6d2f30cd6

SHA256
17d9e30673da31548d82940fc8bd780a70962cea418707a9fc1113fb9fbe582c

SHA512
9549638d688b1d3e04fe453df84278f540aba87fd18e6ccb510ec7a0c947f97e4925257292d3abc348ecfc370bfb7a1f009fde963418893359f1386972ddf9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3469.exe

Filesize
16KB

MD5
3f3041adffda929567ba8fd19d242e9a

SHA1
5c80735cd9f155f68d1ad6cec697b7e795734b3c

SHA256
27fa2d318c2beb0e3eb6554fe30f83594fe2c8ec34fb5545de7ea540ecfeec25

SHA512
746440bfd283e83c0a5ffdf36b65413cc27d0872b8aa8ff5fd857e62252123150685e91c6b0acdf7df741200e0a373dd0f43e86a0722849b9123e129a7a8cfbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM882B.exe

Filesize
16KB

MD5
f5fb8e8043712b63fa71f6c737d101b1

SHA1
bd6a4e6a4c09b45c3a2d8d1b3bee6a74ce1e8b4a

SHA256
7cea703cc80a14bec71048943080a55e2a7ffb73c06c9c390873e6b121b6eb82

SHA512
367943307bd0ce2429333bff12e92cf99b3d4ceae808f2f02af03678c12bcf464218e53afd2d971337cf89036c015247a7574fcf27e3fddb547e5eacbad7b631

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8A88.exe

Filesize
16KB

MD5
bafffb85d767c046e4f536b3078f29cc

SHA1
fca254f38916f83c860df138da5e439e2eded0e7

SHA256
d381b5c033365bdc02c6dca931f677f433e1eda1664f332bf9568c6208526a33

SHA512
0a9b691afefd3c0963c907442befa9c246745b3726cd1055d331ac403de1af6d4e389793855bb6058e5819c3381cf7c924d46b787946400e354753f639ef8fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDE4A.exe

Filesize
16KB

MD5
cdab03033c2f6c7253613e39d8e6b780

SHA1
82123b106aad530342483d4fee1c1ca6d83d5562

SHA256
f547aafc6dda85f96fd4b0d34a2e0265842e3a1d270e885321d34554d4ca4616

SHA512
3d745d3d93518b30048b6fc93cd75de279f40954936d5d63c50ac0439a65933840399eeb7369db0a1f9e4efb1bc7c02dc5e0bc59c556a7aac88ff621d45ec8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME0F5.exe

Filesize
16KB

MD5
7a56a98dcfb7d60926f97417ea5f5ea7

SHA1
06d1edd96a3972e7d59b741cbbc9a5722464f4ab

SHA256
5ee8fc01183f13649cca4b987b2682b75b223444fd74223eb6a8bf5800f910f0

SHA512
f140adf0a3e2c0ac63b05f9ef8e928699bf71532b93e9f4960d4521c5c6cf5feb66f450d0ead92285f5cdf85e1de462c13eb4eab8176b5d8d772275fbd7053dc

Download Submit

Analysis

Sharing