a3ddeaf31334322966da3d5125e79163713366dcb55d9d7d8382d9f25335159b

General

Target

c465db23493cc8393f7f868f2f0ece3c_JaffaCakes118.exe
Size

14KB
MD5

c465db23493cc8393f7f868f2f0ece3c
SHA1

0aa728e9b13b3c75a8e96d1c9a12483ab14cd84a
SHA256

a3ddeaf31334322966da3d5125e79163713366dcb55d9d7d8382d9f25335159b
SHA512

ae9b9f51e7af26ea107d4b6594f8224dbf3ce291e1870479cf832d91ada060c0912c5060f0a41c9012deaa2cab2a5aef26d22404521641b142e03b2e53cb1396
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhh7qQ:hDXWipuE+K3/SSHgxzL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	c465db23493cc8393f7f868f2f0ece3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM8E65.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM390C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM9110.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEME8A6.exe

Executes dropped EXE 5 IoCs

pid	Process
2340	DEM8E65.exe
2292	DEM390C.exe
2212	DEM9110.exe
344	DEME8A6.exe
2104	DEM407A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 2340	4288	c465db23493cc8393f7f868f2f0ece3c_JaffaCakes118.exe	97
PID 4288 wrote to memory of 2340	4288	c465db23493cc8393f7f868f2f0ece3c_JaffaCakes118.exe	97
PID 4288 wrote to memory of 2340	4288	c465db23493cc8393f7f868f2f0ece3c_JaffaCakes118.exe	97
PID 2340 wrote to memory of 2292	2340	DEM8E65.exe	99
PID 2340 wrote to memory of 2292	2340	DEM8E65.exe	99
PID 2340 wrote to memory of 2292	2340	DEM8E65.exe	99
PID 2292 wrote to memory of 2212	2292	DEM390C.exe	101
PID 2292 wrote to memory of 2212	2292	DEM390C.exe	101
PID 2292 wrote to memory of 2212	2292	DEM390C.exe	101
PID 2212 wrote to memory of 344	2212	DEM9110.exe	103
PID 2212 wrote to memory of 344	2212	DEM9110.exe	103
PID 2212 wrote to memory of 344	2212	DEM9110.exe	103
PID 344 wrote to memory of 2104	344	DEME8A6.exe	105
PID 344 wrote to memory of 2104	344	DEME8A6.exe	105
PID 344 wrote to memory of 2104	344	DEME8A6.exe	105

C:\Users\Admin\AppData\Local\Temp\c465db23493cc8393f7f868f2f0ece3c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c465db23493cc8393f7f868f2f0ece3c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Local\Temp\DEM8E65.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8E65.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\DEM390C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM390C.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\DEM9110.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9110.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Users\Admin\AppData\Local\Temp\DEME8A6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME8A6.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:344
      - C:\Users\Admin\AppData\Local\Temp\DEM407A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM407A.exe"
        6⤵
        Executes dropped EXE
        
        PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM390C.exe

Filesize
14KB

MD5
8e32f0a50512368dba3f2c8e6b83f0fe

SHA1
e351250f7bbe5b7a277b6a5de3fdc65bec0ac932

SHA256
d1cc059ec8b3cfbd2faf9c0106d9e81673705e66dbea642e8184aadf61fc7582

SHA512
9e3a5cda9ba81729d990d54f8238db878a0debf556ba546db014278604385ddb62b00a45bd8ecfd1eb7310e785e215783213665e45ff32c2d9249be58dea010f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM407A.exe

Filesize
14KB

MD5
b57c451c630310aa881a9e44946e6ed0

SHA1
bd0367f44c2cc6ce45ba2f7a25ede3e0901ee211

SHA256
3fd86a1fabce4ea5aae8f85a8353e49cbd41c8727019d24bc72264422af95cff

SHA512
bc9abd2280e70dc1f15eaf370fd8751edc79943da57070826149b45245c0ae812787135d2eb8ccc37c217dac63cd54218949af1d33fa695b9c5a0b9d8d92691b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8E65.exe

Filesize
14KB

MD5
d783b343746acd4334b7caeae06d31cf

SHA1
b139818d69a66f966b4b1106ffe23941d2e22b28

SHA256
0a9c38203b0035e171cbde950214ce3fee65e03b790554691ba380fe911a2ac9

SHA512
3181b5908594c91a31ccae01088927744e3e5d55b3afca2e483d4dfe44020e90c16b96cf77ce00325009607f3b7206786145c2da0a6ec26d9885b8b892790f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9110.exe

Filesize
14KB

MD5
72e86b81f10e0773486933031f43d6d8

SHA1
9baf47828eb60a9c3dc34aa55ad89a683b99ff35

SHA256
b4fcfe13587df4f0053781820ee4a739c78154a9f32e61d743fae361d1e68be4

SHA512
d9530f839febcb3fce55f7afd974c449419424d83d858700c06c032d948646758dcbeeb3b84b05283b7e2ade2cb31c4615811c603c7cead2235c0b223d0d0cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME8A6.exe

Filesize
14KB

MD5
63c39b97d59e97319f6bd11d32419977

SHA1
e91e5ac1925f62ba49c20b20c16a69b7f756c286

SHA256
5dab8fd5248d0c2ed54de33b0844b8f0e0130c68c4a8c600d1541c491a52dfa2

SHA512
7cef2115402f5b4e249fbe839e7ff2ee05bdf0c2200d0ad4274633a05ae35cfa3f1b3eaefa4eef3c6afdffad8c30fe8c105ce6dc1401a365b6a6cb657b0f464c

Download Submit

Analysis

Sharing