8b711b3d7a0b1206eef8d167e62577ca885ff8b0bb659807dfb2c16d7a9354c4

General

Target

bd44d337008417426a4c0049c7590581_JaffaCakes118.exe
Size

15KB
MD5

bd44d337008417426a4c0049c7590581
SHA1

11717c07fc69254427f094257107456b55cbab22
SHA256

8b711b3d7a0b1206eef8d167e62577ca885ff8b0bb659807dfb2c16d7a9354c4
SHA512

abac18a21a393be2401a701910793be818c7ab23d860f1f1e620f2afc58135847762ffcb84373e24b3308c4b81910256494175cca5bb53b5d7ba36217fbe40a6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnw4:hDXWipuE+K3/SSHgx/w4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	bd44d337008417426a4c0049c7590581_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM5F66.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMB8A1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM1057.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM680C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMBED6.exe

Executes dropped EXE 6 IoCs

pid	Process
3208	DEM5F66.exe
2724	DEMB8A1.exe
3068	DEM1057.exe
680	DEM680C.exe
2616	DEMBED6.exe
4296	DEM16AB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 3208	852	bd44d337008417426a4c0049c7590581_JaffaCakes118.exe	97
PID 852 wrote to memory of 3208	852	bd44d337008417426a4c0049c7590581_JaffaCakes118.exe	97
PID 852 wrote to memory of 3208	852	bd44d337008417426a4c0049c7590581_JaffaCakes118.exe	97
PID 3208 wrote to memory of 2724	3208	DEM5F66.exe	100
PID 3208 wrote to memory of 2724	3208	DEM5F66.exe	100
PID 3208 wrote to memory of 2724	3208	DEM5F66.exe	100
PID 2724 wrote to memory of 3068	2724	DEMB8A1.exe	102
PID 2724 wrote to memory of 3068	2724	DEMB8A1.exe	102
PID 2724 wrote to memory of 3068	2724	DEMB8A1.exe	102
PID 3068 wrote to memory of 680	3068	DEM1057.exe	104
PID 3068 wrote to memory of 680	3068	DEM1057.exe	104
PID 3068 wrote to memory of 680	3068	DEM1057.exe	104
PID 680 wrote to memory of 2616	680	DEM680C.exe	106
PID 680 wrote to memory of 2616	680	DEM680C.exe	106
PID 680 wrote to memory of 2616	680	DEM680C.exe	106
PID 2616 wrote to memory of 4296	2616	DEMBED6.exe	108
PID 2616 wrote to memory of 4296	2616	DEMBED6.exe	108
PID 2616 wrote to memory of 4296	2616	DEMBED6.exe	108

C:\Users\Admin\AppData\Local\Temp\bd44d337008417426a4c0049c7590581_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd44d337008417426a4c0049c7590581_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\DEM5F66.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5F66.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Users\Admin\AppData\Local\Temp\DEMB8A1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB8A1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\DEM1057.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1057.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Users\Admin\AppData\Local\Temp\DEM680C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM680C.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:680
      - C:\Users\Admin\AppData\Local\Temp\DEMBED6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBED6.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\DEM16AB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM16AB.exe"
        7⤵
        Executes dropped EXE
        
        PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1057.exe

Filesize
15KB

MD5
b99c8d39a30d3ad3cf0576a0335fdd13

SHA1
d7b0499d8e2cda4a0f1bf597c352cb334921937c

SHA256
9552efe6d622801e12df61fadf8bd85de9a6ec947448d5e5aa270c6a3608b19b

SHA512
6f6f036b42d3c960eb0f4ab43b779fadd79ccce0e6f036d0ffee31a40c6214fcaeb76c872730b6928a804c00569af92f6fcaa0d08fcfcef783696c7ec90e2ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM16AB.exe

Filesize
15KB

MD5
435355f4864e95dc2fe5b3009670dcc4

SHA1
3ae0a0f00166b3f7da4e740b2024a48a3ca5f39e

SHA256
0f73f123206f3b7386cec40bac9fa4d8b26e2724181a02c2d16c8cf4f476a6e4

SHA512
b583269327035b9264049f5911a7594fb85df52efb555b9b43c0b5f961df6e90b24ad4c505b99030e6f26b8a63b28d660332110071963eb904fcdcf8fd620302

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5F66.exe

Filesize
15KB

MD5
b79a95b49580d1b65782245e1002852f

SHA1
bdb2df6457e5f4521bfe77bab1aa42e7175fd835

SHA256
707e655f5f155828ad3bf03a61e531132e5f554ea5fea92b4b9ab09b470227b9

SHA512
8e97f81ff9f06f064230597bc57584c65db3100948df335e03999f8daa597aaecd960855a588edd50965d2c7fb0d2856dc8cf6d9d0cc1605d283f1862fde53b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM680C.exe

Filesize
15KB

MD5
95cf92bec7d4e3b6822db8d76598c0c2

SHA1
2f581d6c42215d2a85c396baa4bd0155a0e08810

SHA256
903e3fa6c3adb485ab9015c9cdcd969009593e6bb4f92dadab6adea4eaf98141

SHA512
8db6523f6c637e9c49c629c56832ecffa6bccbe9f37616a20f8c7bb804623dba04f5d83ded39eccd64ba928bb921da9a846137faffc9128b158245248fe245fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB8A1.exe

Filesize
15KB

MD5
9c7709c483927a9a2fb3788451878445

SHA1
854d91c6a669fcc6a24b63d18edf4ace3b938948

SHA256
7cc4afc3e92f0d489722ae2328be2e712553ec0e521e8bd1d39e96523930e949

SHA512
685843ed26fd6d8fd7529f47eb7a53a96aab05a586857268b65d90569abefbdca5a9e55063849bf9dedf2a668e2eaacc17c5c4d0652a47e85d018e875ec2fa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBED6.exe

Filesize
15KB

MD5
ad367f37b543fb6ff61949283bf16731

SHA1
bd7047eeb595eb9f7e4b82b87d55bd51c6de1aaf

SHA256
8bfbc95da06434426c4d87deabf9f507d7d41856083e2631b83f26b5e6b6a105

SHA512
f7abcbdd2d073902041f6a21429ac1ebb6628dd74f572d2c07240f953e5cd948e7fa1f98eca7096ddf35497cffe8d854b5239afd2ba5757099a40861b6dd56a4

Download Submit

Analysis

Sharing