39897d9370763b63b14ff3e57abd9bd7f590d7a19586ee32afe2f9df191ba009

General

Target

c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe
Size

14KB
MD5

c9e277601c4bedaba072f547c145c3c5
SHA1

a4b725665c0f7ce654989b80fdba168096de776d
SHA256

39897d9370763b63b14ff3e57abd9bd7f590d7a19586ee32afe2f9df191ba009
SHA512

dbbd47e998fce696d72efc82083537bc39eda85aad03d331b880959ef864ae66640680e895360d904a630c4db01fbd617dcb79bef8644e506fe1a4c1ec1a8495
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdH2Q:hDXWipuE+K3/SSHgx3NH2Q

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM61D7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMBB70.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM1354.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM6B19.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMC31C.exe

Executes dropped EXE 6 IoCs

pid	Process
3620	DEM61D7.exe
2964	DEMBB70.exe
832	DEM1354.exe
3760	DEM6B19.exe
3684	DEMC31C.exe
920	DEM1B10.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 3620	4004	c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe	97
PID 4004 wrote to memory of 3620	4004	c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe	97
PID 4004 wrote to memory of 3620	4004	c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe	97
PID 3620 wrote to memory of 2964	3620	DEM61D7.exe	100
PID 3620 wrote to memory of 2964	3620	DEM61D7.exe	100
PID 3620 wrote to memory of 2964	3620	DEM61D7.exe	100
PID 2964 wrote to memory of 832	2964	DEMBB70.exe	102
PID 2964 wrote to memory of 832	2964	DEMBB70.exe	102
PID 2964 wrote to memory of 832	2964	DEMBB70.exe	102
PID 832 wrote to memory of 3760	832	DEM1354.exe	104
PID 832 wrote to memory of 3760	832	DEM1354.exe	104
PID 832 wrote to memory of 3760	832	DEM1354.exe	104
PID 3760 wrote to memory of 3684	3760	DEM6B19.exe	106
PID 3760 wrote to memory of 3684	3760	DEM6B19.exe	106
PID 3760 wrote to memory of 3684	3760	DEM6B19.exe	106
PID 3684 wrote to memory of 920	3684	DEMC31C.exe	108
PID 3684 wrote to memory of 920	3684	DEMC31C.exe	108
PID 3684 wrote to memory of 920	3684	DEMC31C.exe	108

C:\Users\Admin\AppData\Local\Temp\c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\DEM61D7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM61D7.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\DEMBB70.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBB70.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\DEM1354.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1354.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:832
    - - C:\Users\Admin\AppData\Local\Temp\DEM6B19.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6B19.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3760
      - C:\Users\Admin\AppData\Local\Temp\DEMC31C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC31C.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\DEM1B10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1B10.exe"
        7⤵
        Executes dropped EXE
        
        PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1354.exe

Filesize
14KB

MD5
ce280ed8be3abc90f7afe6ebe7cebe76

SHA1
2c382169e13dd25dcf0a9deb4e439b5e428b824b

SHA256
067efe206d85249fed614c427e645bd6858066fbd6e30e14bff32ea47b84efa5

SHA512
54fd6b1ea2f327056b4d4e50ab7407c6b153957f4f13a3a0a163221b4ec12aa91d4067673ca3f11d159daac8d0805225a1310ba0cb13a5f7c35986ac385051bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1B10.exe

Filesize
14KB

MD5
e3f6cae6dca2d6b745a965ac6533e179

SHA1
488a6f83e799e39852330000983fd6a3b33899fa

SHA256
e9414c293e95491e007f858d47dc90bcb7e370fa3c82553a417655ca52d06b0e

SHA512
d73132020fab3da753bcd917790ba3b845858b83635eb6b93ccfa43b21b3bc9b88ef0d5c588e04494d814c0053299da3bff719f51bca9fe3b30f291ad9618f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM61D7.exe

Filesize
14KB

MD5
ad4543877e0019077c73ebe4d39f3269

SHA1
8bdffd0c4c43333cb56f03e7a5c983eaae063760

SHA256
6e01b2f6364e2f9be213600f0fc98f1d345979a46abcd3da6e87443597881c6e

SHA512
b54e56233b7b11b04bbd69e1db395dc2f6d597750f084733b6835594ea071c0a86c03a4cfad4880a2a464ed1fa1f228bf2c590b284f29356c00f3c6e0624494f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6B19.exe

Filesize
14KB

MD5
a84dfb4d611e425678151dddec66e063

SHA1
023d046c7b8dd355e6b402b44a9241a05d3778af

SHA256
6579e99403a585838f59e66e3a0331b4a243e9c37ce198da8caff8e382634c21

SHA512
cf77b2c066fbfbdd777b33a7a12d051124cc56ad1a66e63301317b25176ba5cff792d3124f474d3f2553c2bbac8673f499e8a670460475c330335bc37c492fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBB70.exe

Filesize
14KB

MD5
c0c022f467801e0b78e8468dfd72da32

SHA1
3d818ffb413689a5fb0c77e81e486b6429fa182f

SHA256
df2fc795bcf34380f1f48bce5907f72ac639bccce9d22f232eaeb3f2785420b8

SHA512
8abe141a19696a46faf21f7d9e83e4361efbe73e3b01e0f14841ce9bdb7036ae72c27ecf80ecff0b62724f369c5a2e1d9d3411a7a050c3a327bd0d1b246b2ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC31C.exe

Filesize
14KB

MD5
784a8642f7673e5d908c5896c715d772

SHA1
bad168ecfde8399e89c299b6b8333ed18d118862

SHA256
1a0921c63349150ec70dc88bdc907995aee9759b43f73d9e59a2cea1e53ce6da

SHA512
e67478cb911816a07bdcf834d272b0b25d6f44a453dbcf0796898983542ab120545ea82d8279e6db81de78b2070092376bf523791a689553c226d17295dba491

Download Submit

Analysis

Sharing