40ac8b0693ce54668588b9097e9764ed1d1c1505e9da69c7a8760e4fc0032311

General

Target

c454e7e2f02b1bcf216f2739cf3c9d1d_JaffaCakes118.exe
Size

20KB
MD5

c454e7e2f02b1bcf216f2739cf3c9d1d
SHA1

18a9185239b1da38ff414a2fd8e762ca5f1017c3
SHA256

40ac8b0693ce54668588b9097e9764ed1d1c1505e9da69c7a8760e4fc0032311
SHA512

bc9bfa3859383c79856df487e512ff719f70c392ef9997cbb456b3f65f18384e790f40b0a3bd4bf3897d5c96cba2c438a4cc5d954a0aa4dd42d6dafa12cf1cdb
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4P8UzM:hDXWipuE+K3/SSHgxmHZPC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	c454e7e2f02b1bcf216f2739cf3c9d1d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM65CE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMBF29.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM16BF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM6EA3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMC639.exe

Executes dropped EXE 6 IoCs

pid	Process
4512	DEM65CE.exe
5036	DEMBF29.exe
2852	DEM16BF.exe
3456	DEM6EA3.exe
4660	DEMC639.exe
4564	DEM1DDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 4512	4028	c454e7e2f02b1bcf216f2739cf3c9d1d_JaffaCakes118.exe	97
PID 4028 wrote to memory of 4512	4028	c454e7e2f02b1bcf216f2739cf3c9d1d_JaffaCakes118.exe	97
PID 4028 wrote to memory of 4512	4028	c454e7e2f02b1bcf216f2739cf3c9d1d_JaffaCakes118.exe	97
PID 4512 wrote to memory of 5036	4512	DEM65CE.exe	100
PID 4512 wrote to memory of 5036	4512	DEM65CE.exe	100
PID 4512 wrote to memory of 5036	4512	DEM65CE.exe	100
PID 5036 wrote to memory of 2852	5036	DEMBF29.exe	102
PID 5036 wrote to memory of 2852	5036	DEMBF29.exe	102
PID 5036 wrote to memory of 2852	5036	DEMBF29.exe	102
PID 2852 wrote to memory of 3456	2852	DEM16BF.exe	104
PID 2852 wrote to memory of 3456	2852	DEM16BF.exe	104
PID 2852 wrote to memory of 3456	2852	DEM16BF.exe	104
PID 3456 wrote to memory of 4660	3456	DEM6EA3.exe	106
PID 3456 wrote to memory of 4660	3456	DEM6EA3.exe	106
PID 3456 wrote to memory of 4660	3456	DEM6EA3.exe	106
PID 4660 wrote to memory of 4564	4660	DEMC639.exe	108
PID 4660 wrote to memory of 4564	4660	DEMC639.exe	108
PID 4660 wrote to memory of 4564	4660	DEMC639.exe	108

C:\Users\Admin\AppData\Local\Temp\c454e7e2f02b1bcf216f2739cf3c9d1d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c454e7e2f02b1bcf216f2739cf3c9d1d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\DEM65CE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM65CE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\DEMBF29.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBF29.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Users\Admin\AppData\Local\Temp\DEM16BF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM16BF.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Users\Admin\AppData\Local\Temp\DEM6EA3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6EA3.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3456
      - C:\Users\Admin\AppData\Local\Temp\DEMC639.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC639.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\DEM1DDF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1DDF.exe"
        7⤵
        Executes dropped EXE
        
        PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM16BF.exe

Filesize
20KB

MD5
430091cef33cba900dd1a4ee50739bae

SHA1
b6ab63a65dca63636c97af2cfbb9efe8f2a33b46

SHA256
5d1c77fa8743f013425c7d0e526ee78fdaaed82362b295611e300b77f6fa9389

SHA512
65d91ef595fa6a14817dfa43618191601fd87b9ac5b28629e72c7bb5b1be12d4f1a9c5ff70b353347f7cde52cb8ad986f7a675c091ade3b53d66417a6e6cd749

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1DDF.exe

Filesize
20KB

MD5
5c69abfa8c6053e3d5f0f9e2b31798db

SHA1
6cc522cfe07208e6768dfdee0e22c04bf96ba549

SHA256
c2c9ada3767d67a1449dcd03a3278dbd6ce3c689a8969461a4684a3436fec1b9

SHA512
73329011e5fab948bcc8256486aafdb8770f2f1f000e78b4a54c78449a7b3681ffb3106ea4a7786f6053d591eb317f2b7f421a618dadf58f1a4b15c6209218c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM65CE.exe

Filesize
20KB

MD5
d97bbd624534d4d618b2d6b13fe6ae99

SHA1
d87c25a0199bb9b0e30859b1157f0f7f3b9788cb

SHA256
c86a7a812d8e75884d4437fd978ad26f8d8552dc119395150acc4e68a0fc015f

SHA512
30fa98122d01b5cccc60ac59443da9794706025be4f5df0d632ba7094b2aa565e31080a0e118dbdcc59c69c05423c8847c5d547db710ba1d9eee35585bff487e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6EA3.exe

Filesize
20KB

MD5
6cbf9c0306f6a8b3ad78bf17a39dd2d0

SHA1
e5fada36219047419906082f3452c4f09f94127c

SHA256
8a189f8949e41667424333dd8f3725a73c763facd553e1efb48619a671871cd8

SHA512
db4320fcc801959721c6d2b7924e0d84e8d8c204235c8847b32d04f84252fd6e0529a5d82454e4c7823552f1875f0663d4dd3cb006f63621b753ef3b7e22bbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBF29.exe

Filesize
20KB

MD5
5e4e5aecd048b567452c1ad26ec25864

SHA1
101f786c4343206b95b1136d6fa8dc68f57a3ce5

SHA256
e3c09cad8745dc1ac9b4b44ee2839894b6523b55d50396c372e2c1846f6b2077

SHA512
7b43de907f1d483a24281e55c85567165227e3f88f7a4ff90307938e91223a710605f93c2d6489643dd4b9006b1e7dbd3df5967e8a4466e7af77bec3731f7684

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC639.exe

Filesize
20KB

MD5
e021ade6fcb96e44bc10a1bd2a87264f

SHA1
8c697547c48aadf42940cbaf8f88857c4099ee7d

SHA256
837215c956a60efa3fd81e482489ec6f74bbdc20f6ebd7ef20186612a3ea2287

SHA512
192dfd3075bbcc3f080d9b6d345fe398d8e8253092d3e55dbb1d1f1edc0a8c8fa1c8c63c17135ac5bad06ef19ff43b35c409847e2a868d5b1101e5c338cbe0e4

Download Submit

Analysis

Sharing