a744cc046c02a5c0ba25f8caf085653ab9a9d4162d144c0d2771413c2a32d197

General

Target

be485c9e6c60e3d5a332ce522817cc44_JaffaCakes118.exe
Size

14KB
MD5

be485c9e6c60e3d5a332ce522817cc44
SHA1

4b4fc4f8ecfb1f5523fd74604e3362bec91048da
SHA256

a744cc046c02a5c0ba25f8caf085653ab9a9d4162d144c0d2771413c2a32d197
SHA512

073337ed75cd09ae090ca240780616db944afc0c985968789273d9083b724cf3c4ead51250af10f96d34f195be51b0e88cff939cc07dad18d28971c8fb78c418
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRJ:hDXWipuE+K3/SSHgxt

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	be485c9e6c60e3d5a332ce522817cc44_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM9700.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMF0C8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM484F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM9FF4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMF70D.exe

Executes dropped EXE 6 IoCs

pid	Process
1800	DEM9700.exe
3580	DEMF0C8.exe
2660	DEM484F.exe
4500	DEM9FF4.exe
4368	DEMF70D.exe
3428	DEM4E36.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 1800	4824	be485c9e6c60e3d5a332ce522817cc44_JaffaCakes118.exe	97
PID 4824 wrote to memory of 1800	4824	be485c9e6c60e3d5a332ce522817cc44_JaffaCakes118.exe	97
PID 4824 wrote to memory of 1800	4824	be485c9e6c60e3d5a332ce522817cc44_JaffaCakes118.exe	97
PID 1800 wrote to memory of 3580	1800	DEM9700.exe	100
PID 1800 wrote to memory of 3580	1800	DEM9700.exe	100
PID 1800 wrote to memory of 3580	1800	DEM9700.exe	100
PID 3580 wrote to memory of 2660	3580	DEMF0C8.exe	102
PID 3580 wrote to memory of 2660	3580	DEMF0C8.exe	102
PID 3580 wrote to memory of 2660	3580	DEMF0C8.exe	102
PID 2660 wrote to memory of 4500	2660	DEM484F.exe	104
PID 2660 wrote to memory of 4500	2660	DEM484F.exe	104
PID 2660 wrote to memory of 4500	2660	DEM484F.exe	104
PID 4500 wrote to memory of 4368	4500	DEM9FF4.exe	106
PID 4500 wrote to memory of 4368	4500	DEM9FF4.exe	106
PID 4500 wrote to memory of 4368	4500	DEM9FF4.exe	106
PID 4368 wrote to memory of 3428	4368	DEMF70D.exe	108
PID 4368 wrote to memory of 3428	4368	DEMF70D.exe	108
PID 4368 wrote to memory of 3428	4368	DEMF70D.exe	108

C:\Users\Admin\AppData\Local\Temp\be485c9e6c60e3d5a332ce522817cc44_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be485c9e6c60e3d5a332ce522817cc44_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\DEM9700.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9700.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\DEMF0C8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF0C8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\DEM484F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM484F.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Users\Admin\AppData\Local\Temp\DEM9FF4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9FF4.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4500
      - C:\Users\Admin\AppData\Local\Temp\DEMF70D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF70D.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\DEM4E36.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4E36.exe"
        7⤵
        Executes dropped EXE
        
        PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM484F.exe

Filesize
14KB

MD5
d35e402d0611350ebad14304e8c0c185

SHA1
2c2fc518985f99e7e1320843369228643f183d54

SHA256
2b4e5e4d14721cb3d2559ab43ff558fc652a27c7e1713d894fa217f020cb4a26

SHA512
c8cda4920c424336eb3456df998337a9cb189da346de05881d001a4d991892e297e64cbb76fb556bb5f1c9decf57d0607f250600bf4a5de2c9760b92b0291ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4E36.exe

Filesize
15KB

MD5
18eb465211738dd6b6e690dff4a42644

SHA1
d9fdcd0d5e94d76780507fcd245227562891f22b

SHA256
7999633182f18bb238b7a6afea394fa5266c2297ac2fae213d2c1cec114a9430

SHA512
c58311ccf301a8fd5ba1306ea6645c13e1f46cbe399ed60f5bdeef84f2b0250f481b0d73384a38dfed765d45afa113d033b0af88d028cfb94f8bc34645c7e753

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9700.exe

Filesize
14KB

MD5
57a1140dd295716412dfb04b2e9ea2dd

SHA1
fff9873a4492ba13950c54f3c0207cd7a17e9cb8

SHA256
e96efc7e9bc0cd9868e5e6941b0ac372d70dd53a4d00e3da34fcedafb0c0a7de

SHA512
05d952fd171f4639500c2e68a430a3a57aac557940ef20da6183f6cb0d0cfbcbfd1f852c9a083d2cfecc2a893644a75f24087744c3af66f3db8c7f52a919deee

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9FF4.exe

Filesize
15KB

MD5
b52270bc38f7dede592be0ec039ce192

SHA1
7da6c00e13883282dac901276ec40b4bea439c4f

SHA256
d5e01f59e9af474fed9e702b6d9d646f9004658766dfca35ea467da158c02c39

SHA512
812c19eac9e270cdccb031a4012d2984e2d9799e4e45d25df1f647049f8d0d28e749df5871161620784d2572a533a279062dc2a526523bab7230431aee4645dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF0C8.exe

Filesize
14KB

MD5
676e76821b591a9350d936c8a71720c5

SHA1
f8a5c8fe870d0be0b8b772e4c83f5fc4de8ab736

SHA256
b181075d2f1a696ac34c9f61ef75068f36d408c6bec83ae9e1c1ca781b9165bb

SHA512
77c590fc01757050ce3463b3ab58c06db8fa10718a544519b974dbe226d24e6f66e62f403b2e11524cde04d45d3c23115f91baea4ad9c6e43e77a81a19637195

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF70D.exe

Filesize
15KB

MD5
c31b232e93201a32f976b2e7083ad588

SHA1
3216a0bcf13fd9a9ac418d8bb25039ebefcec1c1

SHA256
0fb963811acc502e90790103b45a449a06839e9062287f4eb19ea8d1f23a62e5

SHA512
7f8cc4f54d80efcac1d99bda2667c851f3d7dd536633d115734a5c7365be2e2ecb809dcb9794a16ba3aba51a6dc115832687e43a4991e9a35dbeedfeec3875de

Download Submit

Analysis

Sharing