611ca5bc235fb7c66841b8193ddb83b66d6741a6d53909613a4457abd43a6162

General

Target

c7de435ec78f03bd2e0876f3ff25803b_JaffaCakes118.exe
Size

16KB
MD5

c7de435ec78f03bd2e0876f3ff25803b
SHA1

1e46a980e988cf8a6224e5f2a3f75e816cc3275b
SHA256

611ca5bc235fb7c66841b8193ddb83b66d6741a6d53909613a4457abd43a6162
SHA512

2c9034d768259775b3d052126b06a790dbb65258cc2f5419e277dbc506c369c29b894bfa82c43a0b62674f3c8bf6c1a6bdbd67d181489f9e163b56904e18323f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhK8:hDXWipuE+K3/SSHgxb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	c7de435ec78f03bd2e0876f3ff25803b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM47C7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM9EFF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEMF55C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM4C56.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEMA2F2.exe

Executes dropped EXE 6 IoCs

pid	Process
1312	DEM47C7.exe
3000	DEM9EFF.exe
4120	DEMF55C.exe
4964	DEM4C56.exe
2804	DEMA2F2.exe
3556	DEMF99D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 1312	232	c7de435ec78f03bd2e0876f3ff25803b_JaffaCakes118.exe	97
PID 232 wrote to memory of 1312	232	c7de435ec78f03bd2e0876f3ff25803b_JaffaCakes118.exe	97
PID 232 wrote to memory of 1312	232	c7de435ec78f03bd2e0876f3ff25803b_JaffaCakes118.exe	97
PID 1312 wrote to memory of 3000	1312	DEM47C7.exe	100
PID 1312 wrote to memory of 3000	1312	DEM47C7.exe	100
PID 1312 wrote to memory of 3000	1312	DEM47C7.exe	100
PID 3000 wrote to memory of 4120	3000	DEM9EFF.exe	102
PID 3000 wrote to memory of 4120	3000	DEM9EFF.exe	102
PID 3000 wrote to memory of 4120	3000	DEM9EFF.exe	102
PID 4120 wrote to memory of 4964	4120	DEMF55C.exe	104
PID 4120 wrote to memory of 4964	4120	DEMF55C.exe	104
PID 4120 wrote to memory of 4964	4120	DEMF55C.exe	104
PID 4964 wrote to memory of 2804	4964	DEM4C56.exe	106
PID 4964 wrote to memory of 2804	4964	DEM4C56.exe	106
PID 4964 wrote to memory of 2804	4964	DEM4C56.exe	106
PID 2804 wrote to memory of 3556	2804	DEMA2F2.exe	108
PID 2804 wrote to memory of 3556	2804	DEMA2F2.exe	108
PID 2804 wrote to memory of 3556	2804	DEMA2F2.exe	108

C:\Users\Admin\AppData\Local\Temp\c7de435ec78f03bd2e0876f3ff25803b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c7de435ec78f03bd2e0876f3ff25803b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:232
- C:\Users\Admin\AppData\Local\Temp\DEM47C7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM47C7.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\DEM9EFF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9EFF.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\DEMF55C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF55C.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4120
    - - C:\Users\Admin\AppData\Local\Temp\DEM4C56.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4C56.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4964
      - C:\Users\Admin\AppData\Local\Temp\DEMA2F2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA2F2.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\DEMF99D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF99D.exe"
        7⤵
        Executes dropped EXE
        
        PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM47C7.exe

Filesize
16KB

MD5
cdb374312c803f1b93155757ee84830c

SHA1
0ae8e3589cdb5d512cefc5ce0c2d7bb15515dcec

SHA256
712a4c12bcad242f29e744425b7de20d83849db063a378760fac5cf49071849a

SHA512
06006815b32bc1ed0a6282ab1945eaafa50ae0d416228f3bf63fd9c14594351440733ab2d6e57fd7577b5c2c31769e96ece088fd6c4e5baa718dde2891d300dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4C56.exe

Filesize
16KB

MD5
1558c40fb230de4cee3aa1afa95760dd

SHA1
23f3aa7519f7574dbca974f85636270c85d60af6

SHA256
c9fd3651769593a8a7abe7c148bfde5656c3e5ebcb9e8d86f8e5a52cc0fe12b5

SHA512
01f436f22ee2e434c2e9d6761a48eaa2c8f0bfa2ba0fe05d05bdfbcdce3747aeabe11a0d3d8672d188f8f7f2d4cf0d25fc0623d7caefa39f01ce15d1aed8b6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9EFF.exe

Filesize
16KB

MD5
0bd87486d1816056aec0f21141c84678

SHA1
2074703dee1cb80f127e888520b14884d7d46c9c

SHA256
e216ca0722b20664d354ec77496511f7736d6f53ae570eace365b7d0d96530de

SHA512
90a0ae80abe310e64cf600596d1c2c22c4b6fd8b45040d01e91faf134de1169773f571fb24261576f83007ba700ee2a8722e1078058c72b4d4d1516379135fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA2F2.exe

Filesize
16KB

MD5
37f96c9fb3a5a753e468357166a96300

SHA1
aef7426c7d13db048c7b63198313424d6de809c1

SHA256
8849e58b4986db499fb064d4c82a009b8042be829f79c29b1fd029f8ca29f4d5

SHA512
587175e7b58bf8d369cc0982f106fb4930ffb143d91c28379b24cd4bc7cc44f40341fca02b3c734f6c1aa4bd909f0bce3d78ad96c0683f8f85a1b7b6ab7edfda

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF55C.exe

Filesize
16KB

MD5
c660c6c668141ac22b04f61988b99fae

SHA1
2c2749ea8acdba9bb901f5ee24a14b3f78cda42c

SHA256
1d7ce188bafb78d239c02aa32cbbbe8f9e3b5e7854be1eba07d55443693e6ae7

SHA512
3f3ffa1b0ae6c60b0061554d9f81b77f6a8f8279d72bfcfa4a23938c410f5c5117c8b3fa419eae9344f659c11e21faec7da06c101e476163e99a02987096a000

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF99D.exe

Filesize
16KB

MD5
ba70512953a1dde97215b7f2977988f4

SHA1
4921138812b30e714658e8cc2e7d89c7d598f3bc

SHA256
73076725aeffc90f85a749556ce598df41bd38ff7a3381529668da706e492dc3

SHA512
056f97d39ad619021f435b06fbdba68f1b8a24aab9a365026db452b828b95c31988f1b62578ca19fe62d0e755a426a3475d611c138f7d883f71215dde7f08037

Download Submit

Analysis

Sharing