b38c7845a1a1dca4b08318bbec8f646f3e19f7dc65156120c933835a5f501954

General

Target

29ed5766c3c0f4017f646d01ae95ab89_JaffaCakes118.exe
Size

16KB
MD5

29ed5766c3c0f4017f646d01ae95ab89
SHA1

5d53769c07eaf0f117b7e1bdd35db2cb79c9e77a
SHA256

b38c7845a1a1dca4b08318bbec8f646f3e19f7dc65156120c933835a5f501954
SHA512

69de70a05d6d7922314382210acd5a7dd1094d1827c4dac6ec2f5d0381af472c672c7030db04ef007612164a48374916e4da3a945ab13ecea21bfa1cd4dda751
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5ZWu:hDXWipuE+K3/SSHgxl5n

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	29ed5766c3c0f4017f646d01ae95ab89_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM8608.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMDF63.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM36DA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM8E8F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEME654.exe

Executes dropped EXE 6 IoCs

pid	Process
3596	DEM8608.exe
3192	DEMDF63.exe
4640	DEM36DA.exe
1216	DEM8E8F.exe
228	DEME654.exe
4228	DEM3D0F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 3596	2840	29ed5766c3c0f4017f646d01ae95ab89_JaffaCakes118.exe	96
PID 2840 wrote to memory of 3596	2840	29ed5766c3c0f4017f646d01ae95ab89_JaffaCakes118.exe	96
PID 2840 wrote to memory of 3596	2840	29ed5766c3c0f4017f646d01ae95ab89_JaffaCakes118.exe	96
PID 3596 wrote to memory of 3192	3596	DEM8608.exe	98
PID 3596 wrote to memory of 3192	3596	DEM8608.exe	98
PID 3596 wrote to memory of 3192	3596	DEM8608.exe	98
PID 3192 wrote to memory of 4640	3192	DEMDF63.exe	100
PID 3192 wrote to memory of 4640	3192	DEMDF63.exe	100
PID 3192 wrote to memory of 4640	3192	DEMDF63.exe	100
PID 4640 wrote to memory of 1216	4640	DEM36DA.exe	102
PID 4640 wrote to memory of 1216	4640	DEM36DA.exe	102
PID 4640 wrote to memory of 1216	4640	DEM36DA.exe	102
PID 1216 wrote to memory of 228	1216	DEM8E8F.exe	104
PID 1216 wrote to memory of 228	1216	DEM8E8F.exe	104
PID 1216 wrote to memory of 228	1216	DEM8E8F.exe	104
PID 228 wrote to memory of 4228	228	DEME654.exe	106
PID 228 wrote to memory of 4228	228	DEME654.exe	106
PID 228 wrote to memory of 4228	228	DEME654.exe	106

C:\Users\Admin\AppData\Local\Temp\29ed5766c3c0f4017f646d01ae95ab89_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29ed5766c3c0f4017f646d01ae95ab89_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Temp\DEM8608.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8608.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\DEMDF63.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDF63.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Users\Admin\AppData\Local\Temp\DEM36DA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM36DA.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\Users\Admin\AppData\Local\Temp\DEM8E8F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8E8F.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1216
      - C:\Users\Admin\AppData\Local\Temp\DEME654.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME654.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\DEM3D0F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3D0F.exe"
        7⤵
        Executes dropped EXE
        
        PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM36DA.exe

Filesize
16KB

MD5
83725d66c1ba1081c1f1318a3f5e864b

SHA1
7704bacb7f21699792382eed4bd0febb011f5849

SHA256
c2aeb03fce0a1b5b5b9b503fef5e577f6bad785be8c811c221662eaa8db417cd

SHA512
68167070c2d388a9e5dc3ad73f9b31634cee67be7b495b10c22feba60427cb92964fd5e420d41e9a9067cdc8b6326879100dfc3fae8fb2b66e85dcba8a51ab97

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3D0F.exe

Filesize
16KB

MD5
1a5a23335b17222813b832fe49d4c1d5

SHA1
64e5a6f029a660baa6664a00c4812edb268ed352

SHA256
df5d88e91bce59be73355bbd86419b6da5ae8b807fbd2e9a45f203b512c8f5c4

SHA512
ad00c5b9d3857a4e7006e2aeb6b0d176928552435b17a038572026e73c82d2614396e02df40b564d170f101fc68960bf05c530dec62ecd6285277dd82fc33f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8608.exe

Filesize
16KB

MD5
a1b5ab62a5c3b762294650ed028ee9f1

SHA1
6affcee5e6bde12d4cf8a0cedc8acb07624fb9ff

SHA256
a7123aa53ae56db7f945567404943776ef19d1005b8e7fcb9022f4b0cf3d76dd

SHA512
e4b2ef86e4e25bfc7fce0b005a0b3f3fdd873a2816c9d2bde3486909cfdf1bcaf13a1318fa7c6489961ed068228c711a6c31179f868234dd467bb26d2bab7c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8E8F.exe

Filesize
16KB

MD5
4363042381d69b6843444f9ee5b8f54c

SHA1
8f6ed5aed4fa553e5a9b686f3f14c5b7cf6c7556

SHA256
d89cd30dd1dc4643cff2ee3d23f06f5c2c49c5f5553cab722a5992fa44fbc744

SHA512
8a7b6f93c9c9f0328441df2dc663fc06d4060dd2e1df3fa9902b5c757c095061488f5a6b8be2c866ac378859f30c83468f0fc64299077ae13ec67e11eb9f52e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDF63.exe

Filesize
16KB

MD5
0361b772c22c52992fff41a68a9be90b

SHA1
8ed216174c718513c0bd75eff6d89f4457754ad7

SHA256
9722d5852501273873b6f2256fb1e7658515626d7d26130f45494174396736fa

SHA512
985f3f6f64440870ffa4bc93dcd3eeab6f2f3b67b64d159319492752efa118ba12ccef31397c7de46593ef3dd66a33296d8de97e61be6544e990b229235a6fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME654.exe

Filesize
16KB

MD5
67c258025f05bbcda4b170357d833f9f

SHA1
0b9ba0c5ddb677c46525e3963ea5ae2ceca8e9c8

SHA256
7b057b275e848f6e8fa4e466dda36d973b9a7b945b6d212f911ac5b96d54fa3e

SHA512
40c0d2a9687993dd69a918c86eb85b3651426b495425fa2264c0a14025d9c2300786c4b1896ed116b0a69e811cbdecea5daf581a58038de06b5455a94a0e95f6

Download Submit

Analysis

Sharing