0637614a6435f4e920a9e7092a81a79aa0c3cb30f9d51c7edd006d05153d9990

General

Target

c907f71b178844b755774b2beb667f2a_JaffaCakes118.exe
Size

14KB
MD5

c907f71b178844b755774b2beb667f2a
SHA1

ac0c7e03912666c68826e512c60fa0cc363f4127
SHA256

0637614a6435f4e920a9e7092a81a79aa0c3cb30f9d51c7edd006d05153d9990
SHA512

d6e9d1217499fe34fe30bbd0780ee200f9e9820821a44716fc7e23eeebb90375a65175a78f3fbeb90f58619c2752aec6213a6d02c8b31a0de3e1c3e1a5904229
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhIFi6Z:hDXWipuE+K3/SSHgxyFv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	c907f71b178844b755774b2beb667f2a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM707D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMC90D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM2100.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM78C5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMD0B9.exe

Executes dropped EXE 6 IoCs

pid	Process
5036	DEM707D.exe
5104	DEMC90D.exe
4084	DEM2100.exe
3716	DEM78C5.exe
1544	DEMD0B9.exe
2640	DEM288D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 5036	4888	c907f71b178844b755774b2beb667f2a_JaffaCakes118.exe	96
PID 4888 wrote to memory of 5036	4888	c907f71b178844b755774b2beb667f2a_JaffaCakes118.exe	96
PID 4888 wrote to memory of 5036	4888	c907f71b178844b755774b2beb667f2a_JaffaCakes118.exe	96
PID 5036 wrote to memory of 5104	5036	DEM707D.exe	99
PID 5036 wrote to memory of 5104	5036	DEM707D.exe	99
PID 5036 wrote to memory of 5104	5036	DEM707D.exe	99
PID 5104 wrote to memory of 4084	5104	DEMC90D.exe	101
PID 5104 wrote to memory of 4084	5104	DEMC90D.exe	101
PID 5104 wrote to memory of 4084	5104	DEMC90D.exe	101
PID 4084 wrote to memory of 3716	4084	DEM2100.exe	103
PID 4084 wrote to memory of 3716	4084	DEM2100.exe	103
PID 4084 wrote to memory of 3716	4084	DEM2100.exe	103
PID 3716 wrote to memory of 1544	3716	DEM78C5.exe	105
PID 3716 wrote to memory of 1544	3716	DEM78C5.exe	105
PID 3716 wrote to memory of 1544	3716	DEM78C5.exe	105
PID 1544 wrote to memory of 2640	1544	DEMD0B9.exe	107
PID 1544 wrote to memory of 2640	1544	DEMD0B9.exe	107
PID 1544 wrote to memory of 2640	1544	DEMD0B9.exe	107

C:\Users\Admin\AppData\Local\Temp\c907f71b178844b755774b2beb667f2a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c907f71b178844b755774b2beb667f2a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\Temp\DEM707D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM707D.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\DEMC90D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC90D.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Users\Admin\AppData\Local\Temp\DEM2100.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2100.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4084
    - - C:\Users\Admin\AppData\Local\Temp\DEM78C5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM78C5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3716
      - C:\Users\Admin\AppData\Local\Temp\DEMD0B9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD0B9.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\DEM288D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM288D.exe"
        7⤵
        Executes dropped EXE
        
        PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2100.exe

Filesize
14KB

MD5
2959b7f99429fd5d5ae24f52f01efac9

SHA1
3aa3a31013373e2a3f51889afa91c0bbf6c5948a

SHA256
7d28d30e3e9cfe359111013dc35d5cdb7e96cf92fdacb10a1155f87f0a75cc1d

SHA512
f2bbb6fbd9af2dc671a5451ec32c675e82b85b9b938495adfc99d14690f9dcc51310550d2e74b347346b402d7d6e00a69c81e7a5fd6b5152840b54f684281119

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM288D.exe

Filesize
14KB

MD5
36b346fd04e7461da4cd7446c4e0b3a7

SHA1
49c2506550282c168d4dfe265b0909bfde1f6f31

SHA256
6a3f5a7a3225c0fd44a59e23fc66fca5ebe2133aeb2452b2e28ae05bd80da590

SHA512
1304611fb37b0164d0302bf43587d520ce905ad07b2053ea81d312b5b646dae5113a4964fdc4b298e645f206c0048e26cb929816d1d80efbf56f055ea2cae4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM707D.exe

Filesize
14KB

MD5
730d0cbb4435becc7301f4b33c241e6d

SHA1
7d5243f6220a6d4d9e38f57581cdfd4b7c82f20d

SHA256
b912b20d686a82ebfabc2e0dfacaf497a697241db9a364ac4c4723ebe1f6d452

SHA512
7dd2e1815ecfd2bdc4b7ffb6d950c626396eff825dd169286c2c1b4cc51951fd1457914672d7249ffb3c5e46a901251cf5ec5fc14c4e70fe7ac7a98715545c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM78C5.exe

Filesize
14KB

MD5
6a2e5aafb81ec6be37707b3b6c42da0b

SHA1
4b697659c77f8b16f2725b98c39a4aca7d06d336

SHA256
8c6e26b5bbc0d0dc155bcfc09819b3cee786c9b5503ed49abe6a66ff230f5d3e

SHA512
a14fbdd7fca241b10881dae7d15fd193ca00d3cca6d97cb3c03302ade90b85937ee0b01ec9c2ccd935ce295b50a6791a3c1d33a1baaef9d4c54abe50c3d332bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC90D.exe

Filesize
14KB

MD5
a2a0a01d7b46d6f4231bdfb9eb9cf317

SHA1
da82daa4fda4b65d659f06cd1d2c6eaca72fbe5b

SHA256
71ad68122e37788678a147fe5e926eeffd13c124ba83614f07239cf0caa3c1c2

SHA512
be7f748bd8303fa96a229d0441e13996add3518fc16cd6a2aaf2ec8b32ce8d8f9a18f1f837dd443a261a5cd630b5c7e815e2bed2420f5b1d49850c389a0322fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD0B9.exe

Filesize
14KB

MD5
a6f8f101572cb399620fa2a1dc5ccc2a

SHA1
6fbbd0a6b9b65327f08cd0bb8d241893cab61268

SHA256
9fb1e04b91099da5024dd8f06cac322b982a055fb699b1073a5e9732f3e19eeb

SHA512
506ed624b0de4ccc0e17f7c6243de9a6c875e120f176ae43264b87cba5dfe6b7d77fd52ff6841377c67b9c654d32f3a1e582a115d54adc73d8567fb4d0e0db4d

Download Submit

Analysis

Sharing