db4cff3dbca2206e4f9aac03dd43cc4af697c93c4104d98cbdd5b60f7d211e9d

General

Target

bde2d19379cab2b0b46f9f97e554b8e4_JaffaCakes118.exe
Size

16KB
MD5

bde2d19379cab2b0b46f9f97e554b8e4
SHA1

aa5d59a04c85ddedd437c0e692bf0e313ab19dfd
SHA256

db4cff3dbca2206e4f9aac03dd43cc4af697c93c4104d98cbdd5b60f7d211e9d
SHA512

a431c6c73a0964d982baabd70e80f0faa9effe019292a0e63cd173cb60a5660122b0dff83f98cdd97bfd313d075831aae21f2a428ec55492623a298a90438052
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYHzk:hDXWipuE+K3/SSHgxmHw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	bde2d19379cab2b0b46f9f97e554b8e4_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM49DA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMA076.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMF666.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM4C85.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMA2B3.exe

Executes dropped EXE 6 IoCs

pid	Process
2824	DEM49DA.exe
3012	DEMA076.exe
4352	DEMF666.exe
4440	DEM4C85.exe
412	DEMA2B3.exe
3084	DEMF8E2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 2824	4556	bde2d19379cab2b0b46f9f97e554b8e4_JaffaCakes118.exe	94
PID 4556 wrote to memory of 2824	4556	bde2d19379cab2b0b46f9f97e554b8e4_JaffaCakes118.exe	94
PID 4556 wrote to memory of 2824	4556	bde2d19379cab2b0b46f9f97e554b8e4_JaffaCakes118.exe	94
PID 2824 wrote to memory of 3012	2824	DEM49DA.exe	97
PID 2824 wrote to memory of 3012	2824	DEM49DA.exe	97
PID 2824 wrote to memory of 3012	2824	DEM49DA.exe	97
PID 3012 wrote to memory of 4352	3012	DEMA076.exe	99
PID 3012 wrote to memory of 4352	3012	DEMA076.exe	99
PID 3012 wrote to memory of 4352	3012	DEMA076.exe	99
PID 4352 wrote to memory of 4440	4352	DEMF666.exe	101
PID 4352 wrote to memory of 4440	4352	DEMF666.exe	101
PID 4352 wrote to memory of 4440	4352	DEMF666.exe	101
PID 4440 wrote to memory of 412	4440	DEM4C85.exe	103
PID 4440 wrote to memory of 412	4440	DEM4C85.exe	103
PID 4440 wrote to memory of 412	4440	DEM4C85.exe	103
PID 412 wrote to memory of 3084	412	DEMA2B3.exe	105
PID 412 wrote to memory of 3084	412	DEMA2B3.exe	105
PID 412 wrote to memory of 3084	412	DEMA2B3.exe	105

C:\Users\Admin\AppData\Local\Temp\bde2d19379cab2b0b46f9f97e554b8e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bde2d19379cab2b0b46f9f97e554b8e4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\AppData\Local\Temp\DEM49DA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM49DA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\DEMA076.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA076.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\DEMF666.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF666.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4352
    - - C:\Users\Admin\AppData\Local\Temp\DEM4C85.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4C85.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4440
      - C:\Users\Admin\AppData\Local\Temp\DEMA2B3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA2B3.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\DEMF8E2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF8E2.exe"
        7⤵
        Executes dropped EXE
        
        PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM49DA.exe

Filesize
16KB

MD5
e1ec92ed94868a0d73e93f1d7aa2aa63

SHA1
b79837cd8b4a3822cde635e522e53b482fc01fcc

SHA256
c1f4b214f749db59041be2893114246d723bc4096ace6d156fac87923c4e034b

SHA512
d51ce98b09bd3940c5d5871637bcfa0f0dab839b7376b6315f7d3a40f6dc6f60d1f0bb408249adddede532bb4c882afef86f6fcb84b1031f5d9b5a54a99ff0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4C85.exe

Filesize
16KB

MD5
468bad042c910546ab6cfbf607a64210

SHA1
283cc0d3728c7ac66d8d78302dfb3b867e7252a3

SHA256
23b0a8c7d7a90e08b4065f7a454183c29f8fb9363d640c0825f06e353c58cdae

SHA512
2cc16557cd69e98e581b1e7ffaec73b30da3ec925ddc7608448b4f7d88a766bfb2bedb6ebce4f51a730222025903c75ad8b539ae0baec43f672c0227524150be

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA076.exe

Filesize
16KB

MD5
38e67f56334de7cc198e378bd9001fc8

SHA1
f2db27c17643c8bf932393ad09fcc79f090eb19e

SHA256
d7667a0a7b9aab275ff39b59abbd842130ac5736a4d8f439f99489333e1f5165

SHA512
677f17a82154fc632027a6ee9fa2a89154890ad98952d053219fcdc943de6e9dd38a2c35c2152f28eae5e1f49d37e26f7996eff2f0a9fc8bcf6e001727e9ffb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA2B3.exe

Filesize
16KB

MD5
b48d8cc1a7c80159f2d48013c774d2d7

SHA1
0a52b0c491936c78be23271c2475845d42238518

SHA256
7e354eb3d38c2fabd336e23962beef0208f1a1eb829c00aec00a3e0b9f648d3c

SHA512
cdbdc2084a265683f610f98b96608474e0aa686e7c2e7c6ce878c3ada4de4e403f9207192e371e33742a2ccc493e6c33af7aa9a8210448c3a24cf2d0767af0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF666.exe

Filesize
16KB

MD5
9b7545f4064cb34e35f0593256ed3ab3

SHA1
930fa3cd2a839fddb2c0bf769db2164d78766114

SHA256
df34e53023dd5b828b7bb8518265754bd230faa068cde457160598f77eca01fb

SHA512
c466a7f711ef23837e1284bc1ace758b969abb16c0fbd958879f3892da0012868168a29d9cab32c5b9c90759e9ceb44be267cad6fefab82118f16e858b883bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF8E2.exe

Filesize
16KB

MD5
5adb740825ed168431d7df1c5a329dde

SHA1
d01813ccb95f72496ce76dc89be41179f8fa00d8

SHA256
d07dd3678d9d2947ca7d721870b03eceb702745f5a48b12ea485fdf9dabe73cd

SHA512
c2a60aa5ec732275045d23227140e82555668fb285df7c18788d3e349f7380c9946420a0884c228ce769fe1eb6f252c5452f7a96fdab29c12fd659979b30bcb1

Download Submit

Analysis

Sharing