523c20186335a3404f371a0cb04fc72e28c3e769939a91c42102886bc04e61a6

General

Target

c1aac0b36426476f357e7d2bf725897b_JaffaCakes118.exe
Size

16KB
MD5

c1aac0b36426476f357e7d2bf725897b
SHA1

c3dcba8f1a161a7cebacb9a9b6d754e5d4aa8557
SHA256

523c20186335a3404f371a0cb04fc72e28c3e769939a91c42102886bc04e61a6
SHA512

1923f21607f9273d8b2ec07857bf0620c256983a9d8c1639091596d566da1e0b1316d0317c9becc855900977590c816beeedecaef849acf3cc40a672c367fd94
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRzQC:hDXWipuE+K3/SSHgx3T

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	c1aac0b36426476f357e7d2bf725897b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM2ED0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM854D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEMDB6C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM31C9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM87C9.exe

Executes dropped EXE 6 IoCs

pid	Process
3228	DEM2ED0.exe
2552	DEM854D.exe
1132	DEMDB6C.exe
4760	DEM31C9.exe
2596	DEM87C9.exe
1124	DEMDDE8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 3228	5064	c1aac0b36426476f357e7d2bf725897b_JaffaCakes118.exe	97
PID 5064 wrote to memory of 3228	5064	c1aac0b36426476f357e7d2bf725897b_JaffaCakes118.exe	97
PID 5064 wrote to memory of 3228	5064	c1aac0b36426476f357e7d2bf725897b_JaffaCakes118.exe	97
PID 3228 wrote to memory of 2552	3228	DEM2ED0.exe	100
PID 3228 wrote to memory of 2552	3228	DEM2ED0.exe	100
PID 3228 wrote to memory of 2552	3228	DEM2ED0.exe	100
PID 2552 wrote to memory of 1132	2552	DEM854D.exe	102
PID 2552 wrote to memory of 1132	2552	DEM854D.exe	102
PID 2552 wrote to memory of 1132	2552	DEM854D.exe	102
PID 1132 wrote to memory of 4760	1132	DEMDB6C.exe	104
PID 1132 wrote to memory of 4760	1132	DEMDB6C.exe	104
PID 1132 wrote to memory of 4760	1132	DEMDB6C.exe	104
PID 4760 wrote to memory of 2596	4760	DEM31C9.exe	106
PID 4760 wrote to memory of 2596	4760	DEM31C9.exe	106
PID 4760 wrote to memory of 2596	4760	DEM31C9.exe	106
PID 2596 wrote to memory of 1124	2596	DEM87C9.exe	108
PID 2596 wrote to memory of 1124	2596	DEM87C9.exe	108
PID 2596 wrote to memory of 1124	2596	DEM87C9.exe	108

C:\Users\Admin\AppData\Local\Temp\c1aac0b36426476f357e7d2bf725897b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1aac0b36426476f357e7d2bf725897b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Admin\AppData\Local\Temp\DEM2ED0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2ED0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Users\Admin\AppData\Local\Temp\DEM854D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM854D.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\DEMDB6C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDB6C.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Users\Admin\AppData\Local\Temp\DEM31C9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM31C9.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4760
      - C:\Users\Admin\AppData\Local\Temp\DEM87C9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM87C9.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\DEMDDE8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDDE8.exe"
        7⤵
        Executes dropped EXE
        
        PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2ED0.exe

Filesize
16KB

MD5
ae604303069f0dba4bf9477ae690b2a3

SHA1
f5361a21dc7a3a67cfca5e19ad5f6173571c4f9d

SHA256
5933357d5239828baa42cf4b56d55a4d4967c9ecefc8d5b09d34619efc461f80

SHA512
d05d4de33fae9fb9d6b6fe1264089ce0604a340344d7acf40fe4fe4934b479a4539493f5e98bc7f29543a186008132a05bbe8530c4dac3339ebd7cc7b37b189e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM31C9.exe

Filesize
16KB

MD5
8344fae335da5c2171aaede0a1008793

SHA1
537d6fde7a54ec1d77e786b400aa80f63783eb27

SHA256
a41e4c2bc9b88891bdc72c345c9c8663465ed9bd87f8e86935a31eee79619424

SHA512
a72998d00483b455ddf70774346e079a874096e611657b2a5f64d6a7fec5cb464e80663ed459bc7199747811f35633b729eea16276131e6b4671948ff0f1f4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM854D.exe

Filesize
16KB

MD5
563271e93772cd87b9b2a1e892732188

SHA1
e7b961d715d06b16c7459822119845a1040e6516

SHA256
df93625ffa2d4ec69300ed63392fda798df7750a696b35578a4f61bbbbd9a4e6

SHA512
5e4ef01244d0fb0d3b4390237797136b201b3b5fb6a050ffe613f9970abe7501729b1dbbf977b7ab601e1d29af6c757ca29cf6faeef1efa088d7c24f7c513b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM87C9.exe

Filesize
16KB

MD5
a3679afbd8e2a764337f870db5192323

SHA1
098100e443760b99e7584a4f58c3ce7618f4616a

SHA256
5ff9f672e3de394d1458522265b4b870da32a1cf3c74dcb55769e34eee6b5f43

SHA512
688991b036774677c0f1b3845d2c36cdb153f91c987dfba7f452b4a73e961c52bd878fe29aacadbd804561c5b305e61d60c1e7185df383e67e5f4fe842510c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDB6C.exe

Filesize
16KB

MD5
e1124fdc2415d0ff60721f6996eb60b5

SHA1
8b81065f7f7fee2ddd98dfd47735c62242a39e7a

SHA256
ab3a03e1957e440b2281b204d6714ce535e114aef1759ff051b83d51d8d33be5

SHA512
cfe3d3092a19d94f82eab225eaccb74ad40444e3c0348c3b75a85909487574719332024e510e0fa4c8a609cc6ffb1c81bd1e0fee68f680f5c1d276dfa6602dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDDE8.exe

Filesize
16KB

MD5
ea93a4a0340815ddd8610e6d328daef4

SHA1
6e6294ae8b93e7a2e8d76b1710e49d64789f86f4

SHA256
d92c07390c02649c2c2a96a4fef51c5c6b8bad756fd04b4edba379478e9b2bf2

SHA512
34b12dc7df0edeaf37ea4739034f8710fce1e0832b2f336e7777adcff61f3eed2717864a45655e0bd3e5cdf7d6abe9fbb629997e76aad5c94781874a4799d728

Download Submit

Analysis

Sharing