bcd4214d5868076033e55b88ea068bb5f1e0009a12aa1cea3026518370d359c1

General

Target

c2e68cd7a6fe8f9a927d39ce54681a83_JaffaCakes118.exe
Size

14KB
MD5

c2e68cd7a6fe8f9a927d39ce54681a83
SHA1

734e99f78d155230abbfc8eabe05728c964a1cb2
SHA256

bcd4214d5868076033e55b88ea068bb5f1e0009a12aa1cea3026518370d359c1
SHA512

6e1925f48749d8e8637baaf6fb9f84fba1cafbc7fb7b89a3725e6850dcdcfb6b1d2b09a583ed5746aef520d50a6b66ba9ec846db588de67e7ac4c688136ee39b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhOFCoK++vH:hDXWipuE+K3/SSHgxWCR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	c2e68cd7a6fe8f9a927d39ce54681a83_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM3A0B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM903A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEME61A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM3BEB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM91FA.exe

Executes dropped EXE 6 IoCs

pid	Process
3012	DEM3A0B.exe
3200	DEM903A.exe
1328	DEME61A.exe
4304	DEM3BEB.exe
4076	DEM91FA.exe
4120	DEME829.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 3012	4544	c2e68cd7a6fe8f9a927d39ce54681a83_JaffaCakes118.exe	96
PID 4544 wrote to memory of 3012	4544	c2e68cd7a6fe8f9a927d39ce54681a83_JaffaCakes118.exe	96
PID 4544 wrote to memory of 3012	4544	c2e68cd7a6fe8f9a927d39ce54681a83_JaffaCakes118.exe	96
PID 3012 wrote to memory of 3200	3012	DEM3A0B.exe	99
PID 3012 wrote to memory of 3200	3012	DEM3A0B.exe	99
PID 3012 wrote to memory of 3200	3012	DEM3A0B.exe	99
PID 3200 wrote to memory of 1328	3200	DEM903A.exe	101
PID 3200 wrote to memory of 1328	3200	DEM903A.exe	101
PID 3200 wrote to memory of 1328	3200	DEM903A.exe	101
PID 1328 wrote to memory of 4304	1328	DEME61A.exe	103
PID 1328 wrote to memory of 4304	1328	DEME61A.exe	103
PID 1328 wrote to memory of 4304	1328	DEME61A.exe	103
PID 4304 wrote to memory of 4076	4304	DEM3BEB.exe	105
PID 4304 wrote to memory of 4076	4304	DEM3BEB.exe	105
PID 4304 wrote to memory of 4076	4304	DEM3BEB.exe	105
PID 4076 wrote to memory of 4120	4076	DEM91FA.exe	107
PID 4076 wrote to memory of 4120	4076	DEM91FA.exe	107
PID 4076 wrote to memory of 4120	4076	DEM91FA.exe	107

C:\Users\Admin\AppData\Local\Temp\c2e68cd7a6fe8f9a927d39ce54681a83_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c2e68cd7a6fe8f9a927d39ce54681a83_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Users\Admin\AppData\Local\Temp\DEM3A0B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3A0B.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\DEM903A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM903A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Users\Admin\AppData\Local\Temp\DEME61A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME61A.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1328
    - - C:\Users\Admin\AppData\Local\Temp\DEM3BEB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3BEB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4304
      - C:\Users\Admin\AppData\Local\Temp\DEM91FA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM91FA.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\DEME829.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME829.exe"
        7⤵
        Executes dropped EXE
        
        PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3A0B.exe

Filesize
14KB

MD5
0c4c1c3b830a49b592665cc8e637ae6c

SHA1
eff63465acda01138ad092a5655444d9588dc8df

SHA256
6654e46fe09e836c3d0996372ed2067c95485fd90479a85f8817659caa59f0c7

SHA512
d7548ec3cf294a3af54791622ac7de89200cb13ce66bcaf699c65bfab830a87a92efcef2c8713683adcc49691311ef260dc0d281a0634e773ea852484c96909d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3BEB.exe

Filesize
14KB

MD5
d93e0b1e347041382ca334dccbb25480

SHA1
6b0e6f2e3427c10fae565f9b9cd1ddab05890135

SHA256
98edaf0856e0b87443a52195770cbd68e46118d91126002e3fca2a5abe67adfd

SHA512
b015c7b6286057438e1d72c8e58c2c33cdf4f8fdd34adcb9b51137a6ee832a56b7dc076e377d6c5beb7dc5bd812f146d8edec8843315cd130e4877ee73449e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM903A.exe

Filesize
14KB

MD5
52cac21f68cf1ed37a648110e7816880

SHA1
8b4604e0db33b00954f1f808b4da310054dfb562

SHA256
9100a051c21149baf1b0871190a201d70e345c7c18292dde50ee236466b5dbd3

SHA512
e1205e469eba29efdfc2927a15a6a19b60b9973ff3f712630aef38c916e1e05f2044cdd2297d649b9693cd1ccad676d4b1b9a875b940cc6909eb5ae6fd3b9f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM91FA.exe

Filesize
14KB

MD5
56d3396e1f257a107d754704d7e94b2d

SHA1
81c297d01d4f3bf52bd4a303feffa1ea302ad469

SHA256
30f523101360db359d2a49c1316e1d96aee59fccbc3ac16f4a10d97e553fdbf4

SHA512
9be921873b190e5a6a26fe490573243b860e2e4de51cb2f7c76d4e89c9df08540df94b6a1e9e2847d7ae80084b1bfa45262ca444c8b80d3b86137d47913e4422

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME61A.exe

Filesize
14KB

MD5
8853b6b2f0e89e5858632e17241586af

SHA1
9f9baa6450a596a5ca0a32d19410aa07360dbe39

SHA256
102ac19e2dbc1f6843b5f03ceb3b6dfd3fc24e22081fcf80f663a267e27d2d84

SHA512
4a37313afd8ecf10886ad746900c4e8165df76a24a7c327b12fecde10c7f94ffac0b6afd06f92b723eff91fc50e811939eafebae93130221ac3a2ccd3f29fc72

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME829.exe

Filesize
14KB

MD5
0dfd778b60c6048ed62ef38fde07d322

SHA1
36b0644d0d3d9ce9f6aa36fb5ca2848e6b73cdc9

SHA256
c78073ac1240f45b5f73710a902a48a569e4d0e4797ead40ab4f62aa1a4d682b

SHA512
a3f730cd1ff5508a7926fc44233d132dc6dc6eb66f109cf9ea8e9c00b7a23407773ef90409fc929585560573f0d366dc103d7ca6d7a1003569a9ffd2b1f43871

Download Submit

Analysis

Sharing