4591a087652354b0be79f081a76885b2f205b39eb3cdc6f2df93e3b7feed2078

General

Target

c4d27c195cdcaad6a9d87adf7ed10b6d_JaffaCakes118.exe
Size

16KB
MD5

c4d27c195cdcaad6a9d87adf7ed10b6d
SHA1

068c7b26cdd450497e9776df2fb46066fb80456d
SHA256

4591a087652354b0be79f081a76885b2f205b39eb3cdc6f2df93e3b7feed2078
SHA512

13339ed589733da1adad6d8e0096834dc1646141e518ce9c17dce8cfc8b7a9a714d948fe84198bdb83c5a0ae58c5d6f0d9cb79c99730879bfde37a0d5b8808b8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYHzo:hDXWipuE+K3/SSHgxmHs

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM92BA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEME8AA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM3EAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM94B9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	c4d27c195cdcaad6a9d87adf7ed10b6d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM3CBB.exe

Executes dropped EXE 6 IoCs

pid	Process
788	DEM3CBB.exe
2864	DEM92BA.exe
2980	DEME8AA.exe
4372	DEM3EAA.exe
4168	DEM94B9.exe
4956	DEMEA9A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 788	1316	c4d27c195cdcaad6a9d87adf7ed10b6d_JaffaCakes118.exe	98
PID 1316 wrote to memory of 788	1316	c4d27c195cdcaad6a9d87adf7ed10b6d_JaffaCakes118.exe	98
PID 1316 wrote to memory of 788	1316	c4d27c195cdcaad6a9d87adf7ed10b6d_JaffaCakes118.exe	98
PID 788 wrote to memory of 2864	788	DEM3CBB.exe	101
PID 788 wrote to memory of 2864	788	DEM3CBB.exe	101
PID 788 wrote to memory of 2864	788	DEM3CBB.exe	101
PID 2864 wrote to memory of 2980	2864	DEM92BA.exe	103
PID 2864 wrote to memory of 2980	2864	DEM92BA.exe	103
PID 2864 wrote to memory of 2980	2864	DEM92BA.exe	103
PID 2980 wrote to memory of 4372	2980	DEME8AA.exe	105
PID 2980 wrote to memory of 4372	2980	DEME8AA.exe	105
PID 2980 wrote to memory of 4372	2980	DEME8AA.exe	105
PID 4372 wrote to memory of 4168	4372	DEM3EAA.exe	107
PID 4372 wrote to memory of 4168	4372	DEM3EAA.exe	107
PID 4372 wrote to memory of 4168	4372	DEM3EAA.exe	107
PID 4168 wrote to memory of 4956	4168	DEM94B9.exe	109
PID 4168 wrote to memory of 4956	4168	DEM94B9.exe	109
PID 4168 wrote to memory of 4956	4168	DEM94B9.exe	109

C:\Users\Admin\AppData\Local\Temp\c4d27c195cdcaad6a9d87adf7ed10b6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c4d27c195cdcaad6a9d87adf7ed10b6d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Local\Temp\DEM3CBB.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3CBB.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Users\Admin\AppData\Local\Temp\DEM92BA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM92BA.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\DEME8AA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME8AA.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Users\Admin\AppData\Local\Temp\DEM3EAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3EAA.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4372
      - C:\Users\Admin\AppData\Local\Temp\DEM94B9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM94B9.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\DEMEA9A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEA9A.exe"
        7⤵
        Executes dropped EXE
        
        PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3CBB.exe

Filesize
16KB

MD5
4fe3e9a42ce866b2b821d901c75e1bdc

SHA1
a83c910ef10719e62ead8b75a111570eea4210e8

SHA256
d8b438638cadadac6bdfb75ce55e84945e8dbb472815369c63407186b883177f

SHA512
4fb9da783fb1484c12ec4590d854e82b66e44e15a5529f630a336b570f98b75c875d58d8f67c861be468a719cc1becac423ec31786aaba473f1e8faf1665af03

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3EAA.exe

Filesize
16KB

MD5
f8e57ad64bd6a7378d278858c3948288

SHA1
1fa582f7e0ce5028933eb064b89d81cb1dd1b462

SHA256
9efbf4041842ddb61e783b6d9397a32c688556dae5286f18fd9d7652f7d6a659

SHA512
af68bd1300ee96c97d60598354829d580005639d7e8ffac5601fec1745329f289496b54ae57c6c70af88ad0d9ec697b634745255e4378c911e14ec9ca9d05b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM92BA.exe

Filesize
16KB

MD5
d221facd02a356b2da4de9cc0d6b0aec

SHA1
be5cebf1d2f4d64d7dc7592d0e3b0bdd525420b7

SHA256
91cefb61fbf2da2e0bde7ea311093ad1dbde441385257d2366ff2e1aa8ae8c9d

SHA512
12522e9108b527cac542a41fdd75880a0d7fcdbf484bd27818916a73cba5a33a2150cc5e16463bdb9a0137563ea7efa1f1eb1b95adcf7f15ec25d3443b44eeb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM94B9.exe

Filesize
16KB

MD5
33399a81d1b868162a16629c5b744403

SHA1
53f11a7b25a45da50e1e849b304212ca1c1c3a24

SHA256
a9432eedd994f42dbfcacdc1741c811269286fdaf80267ae2c1a6c5bd66186fc

SHA512
ae049dc6e27e9dc5f7838c7eaa607d0cdfff6e161c9e38bff27272667910ede179dc809a690ae1cbe893e480fadc39cdbfaa9590b7d6c5d005e6bdd577aa24e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME8AA.exe

Filesize
16KB

MD5
e5f7dcd54ff208efcd4af45e54b6419a

SHA1
3b140f3377731b6f26ccb9bd6e829756034ae6f8

SHA256
b86c3a28a8fa9535201afd9ff82363129d0a4cae8ff7468b68c95c402432f5c2

SHA512
742d6d625ea81a6fd0db17658b8dc141f9cc8a16bd65d3f771e04d8bf0a52f5f44cc6021ae5e043fef04d129fa3702b0de51cd8c9299f26c78592d15edc3ede8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEA9A.exe

Filesize
16KB

MD5
911e23cab4eee70c8a36e47aa9a161d1

SHA1
4273df070995c8b550cba6ca551d3ad5be6a9186

SHA256
fbefc25e1c267da3989b6c58a15881f349277fb7820fc60b34f28fe7e8ccaa65

SHA512
8fb25ebe82f22a10763fea0347dd2d2e9ffb09357c132d7dda785e965bc824efa3d1833b92e5faae391e973d59397c16c04468ac533d73e22684d50590d48b27

Download Submit

Analysis

Sharing