61b33bd7d71751f8efa559821bcf2dc11a08829d991768060eee8c2873887afd

General

Target

29f195fcb47359761113890d3de10457_JaffaCakes118.exe
Size

14KB
MD5

29f195fcb47359761113890d3de10457
SHA1

77e7bc2ce00c2fd31aa1a12a4e0e2a6c128362e5
SHA256

61b33bd7d71751f8efa559821bcf2dc11a08829d991768060eee8c2873887afd
SHA512

3c71cbb99555096af298d3f5554043390e2764ff1dc0deeac9bab61a55306142172e169efa6a145ee5d4add8505ec09ead69f65375768c57d91d5a2c5d7ae6dc
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhhii:hDXWipuE+K3/SSHgxLii

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	29f195fcb47359761113890d3de10457_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM3808.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM8E94.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEME4A3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM3AC2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM90C2.exe

Executes dropped EXE 6 IoCs

pid	Process
4800	DEM3808.exe
4372	DEM8E94.exe
772	DEME4A3.exe
2832	DEM3AC2.exe
636	DEM90C2.exe
960	DEME6C1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 4800	400	29f195fcb47359761113890d3de10457_JaffaCakes118.exe	98
PID 400 wrote to memory of 4800	400	29f195fcb47359761113890d3de10457_JaffaCakes118.exe	98
PID 400 wrote to memory of 4800	400	29f195fcb47359761113890d3de10457_JaffaCakes118.exe	98
PID 4800 wrote to memory of 4372	4800	DEM3808.exe	101
PID 4800 wrote to memory of 4372	4800	DEM3808.exe	101
PID 4800 wrote to memory of 4372	4800	DEM3808.exe	101
PID 4372 wrote to memory of 772	4372	DEM8E94.exe	103
PID 4372 wrote to memory of 772	4372	DEM8E94.exe	103
PID 4372 wrote to memory of 772	4372	DEM8E94.exe	103
PID 772 wrote to memory of 2832	772	DEME4A3.exe	105
PID 772 wrote to memory of 2832	772	DEME4A3.exe	105
PID 772 wrote to memory of 2832	772	DEME4A3.exe	105
PID 2832 wrote to memory of 636	2832	DEM3AC2.exe	107
PID 2832 wrote to memory of 636	2832	DEM3AC2.exe	107
PID 2832 wrote to memory of 636	2832	DEM3AC2.exe	107
PID 636 wrote to memory of 960	636	DEM90C2.exe	109
PID 636 wrote to memory of 960	636	DEM90C2.exe	109
PID 636 wrote to memory of 960	636	DEM90C2.exe	109

C:\Users\Admin\AppData\Local\Temp\29f195fcb47359761113890d3de10457_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29f195fcb47359761113890d3de10457_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\DEM3808.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3808.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Users\Admin\AppData\Local\Temp\DEM8E94.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8E94.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Users\Admin\AppData\Local\Temp\DEME4A3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME4A3.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:772
    - - C:\Users\Admin\AppData\Local\Temp\DEM3AC2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3AC2.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\Users\Admin\AppData\Local\Temp\DEM90C2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM90C2.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\DEME6C1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME6C1.exe"
        7⤵
        Executes dropped EXE
        
        PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3808.exe

Filesize
14KB

MD5
a59a04d413ca7c966d660eb26072eea3

SHA1
94a51a17e61224a3740963035160796bc09f503c

SHA256
f80ddc3457ab6672aa5daf5b32c6a882a97ac2cbeb2a8a343bbf454abd09b2d3

SHA512
bc912d6675717f624438b669faec3a41336502c0025f2335ce66d0d4d1c0f4a34de6f9ca49d698a5808063d5c460aa957ad09933e08884f7bebe1d675b6e1892

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3AC2.exe

Filesize
14KB

MD5
f28646788b31a8639883706d1181c057

SHA1
9a80b762069f1648b50d463b2ac5ff4bbbfbe54a

SHA256
e3ae6485e2d11c06d5d31c7c8e49c45275b69dbe8714b3045c7ab86aa495aefe

SHA512
602959b9b06f0754134d00b71be29e26ef8b65216cf548f2787a736d24f29146082935da9e32c9fe30d0cbca75e3d57d934a2f7c590f4866ab234818bed3ce96

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8E94.exe

Filesize
14KB

MD5
790e7743be0e31df775d472023ab8a90

SHA1
d4d651b9ac3bcac7b893f0f1ede59446519d4549

SHA256
31593cd165b7c17137da75b9542bcafe8a5ec99b2a6000dacfb8ec2470d2154f

SHA512
6c6bbe6aba55f757743e833ba37a42a3d58f74a4fdd53aecfdc43306e9415cc8585a6a3f849a14a85aba9153e73971fa2c96e21eed296dd2e7a6875a20c3b032

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM90C2.exe

Filesize
14KB

MD5
395cf2489221d3d12bbed59367fe5872

SHA1
ca2aca2060ea7abd1586313aa81c821a631d8629

SHA256
f6a7f301d1908ed33b81a430f6ca580b5a773726c345b1aeb79421915d6f416b

SHA512
09269c85b4ec16e73f14db49e0618aee840065209ac26d49858fcbd0dae08729d81233b30e546eda4cd7fb258b9e7694d909858eed6f18c70710f1801e759c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME4A3.exe

Filesize
14KB

MD5
b9fafbc880a70de72d8ca4238f275afd

SHA1
6da4c5eb10c0af4d0b38b4bb94e62371648efd03

SHA256
5f4eea6ebeaf91af9901a59b444bee62edb87e5d44a960b075cc4f950ce4b3f1

SHA512
3aa323c31a11516cc976b715d35217c82ec6b96be915ab23412c0c67e07747d1c7dd12ce54201828dde0ff7b79fce8ffd9c2221d3d87b96cf3b1fb3327a22b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME6C1.exe

Filesize
14KB

MD5
edb707a6d3f15801e3f948e4ef623c98

SHA1
f0d13662faca80d7a50e1e5bd39d2a129fe3a774

SHA256
531ce15b995252cdded6c73d45fc7491bc43b57421e307472850f99bc6ff6704

SHA512
15c54b4a17495e45d41ec9c8526ee77bc544893f37e1bdab1506a84dfcd5aaa9a8e9b025d1736c4aef4c2a5f1d64f1df3ca5196f390e064a3553233bb1aa2615

Download Submit

Analysis

Sharing