2c9d0c1c0573b0ef0eeef58b6f756f8e278005ab069ec69d0f7711166a66caec

General

Target

caefd4838a129e8561b80141652c7ca5_JaffaCakes118.exe
Size

20KB
MD5

caefd4838a129e8561b80141652c7ca5
SHA1

fd04d80f69c97ed0da031d4938466d2e189c9015
SHA256

2c9d0c1c0573b0ef0eeef58b6f756f8e278005ab069ec69d0f7711166a66caec
SHA512

c386c7ad531218b02d38963cba54c7c1a80f54778e2b69c021bfa963310b956fde62f621c633f51756d1dbc910edac5026586b72f3241ed22097912ad7095080
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4PSL:hDXWipuE+K3/SSHgxmHZPSL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	caefd4838a129e8561b80141652c7ca5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM3F5B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM95B8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEMEBA8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM41C7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM97C6.exe

Executes dropped EXE 6 IoCs

pid	Process
468	DEM3F5B.exe
4100	DEM95B8.exe
1132	DEMEBA8.exe
1988	DEM41C7.exe
3724	DEM97C6.exe
1952	DEMEE05.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 468	3924	caefd4838a129e8561b80141652c7ca5_JaffaCakes118.exe	96
PID 3924 wrote to memory of 468	3924	caefd4838a129e8561b80141652c7ca5_JaffaCakes118.exe	96
PID 3924 wrote to memory of 468	3924	caefd4838a129e8561b80141652c7ca5_JaffaCakes118.exe	96
PID 468 wrote to memory of 4100	468	DEM3F5B.exe	99
PID 468 wrote to memory of 4100	468	DEM3F5B.exe	99
PID 468 wrote to memory of 4100	468	DEM3F5B.exe	99
PID 4100 wrote to memory of 1132	4100	DEM95B8.exe	101
PID 4100 wrote to memory of 1132	4100	DEM95B8.exe	101
PID 4100 wrote to memory of 1132	4100	DEM95B8.exe	101
PID 1132 wrote to memory of 1988	1132	DEMEBA8.exe	103
PID 1132 wrote to memory of 1988	1132	DEMEBA8.exe	103
PID 1132 wrote to memory of 1988	1132	DEMEBA8.exe	103
PID 1988 wrote to memory of 3724	1988	DEM41C7.exe	105
PID 1988 wrote to memory of 3724	1988	DEM41C7.exe	105
PID 1988 wrote to memory of 3724	1988	DEM41C7.exe	105
PID 3724 wrote to memory of 1952	3724	DEM97C6.exe	107
PID 3724 wrote to memory of 1952	3724	DEM97C6.exe	107
PID 3724 wrote to memory of 1952	3724	DEM97C6.exe	107

C:\Users\Admin\AppData\Local\Temp\caefd4838a129e8561b80141652c7ca5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\caefd4838a129e8561b80141652c7ca5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\AppData\Local\Temp\DEM3F5B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3F5B.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Users\Admin\AppData\Local\Temp\DEM95B8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM95B8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Users\Admin\AppData\Local\Temp\DEMEBA8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEBA8.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Users\Admin\AppData\Local\Temp\DEM41C7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM41C7.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Users\Admin\AppData\Local\Temp\DEM97C6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM97C6.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\DEMEE05.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEE05.exe"
        7⤵
        Executes dropped EXE
        
        PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3F5B.exe

Filesize
20KB

MD5
9c7aa85e1d4ba6e859cecc13d8182f6f

SHA1
17e36db95ee92ef1e5ae4891593f93fed8c9cb6b

SHA256
20400034d9bb456e14d8dd2fe69f791e81bb3deeb5bb2e3d24dba94e2490be39

SHA512
243976273df8580e6e04d7720e7a40b331be0379126cdffa40327a4c1c2c25afbd51f4e211237e7ebe15f294f1c6312cf3b33726c75501723161f0c1443eb5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM41C7.exe

Filesize
20KB

MD5
1028ca16157f575b7beec255875cba1b

SHA1
e8ba7ad8f4c95d2160953de1fd594bc5fe84ba83

SHA256
a0b46cb3335e5af3f828a297ede172d00e08b87f3c6024805317d1b3f3d523ed

SHA512
0e2315c7220ab9933b1929f821a3ce7f40a6506ce168c29ea5cd7d205b1f474b59601e0b99f46d1997cda4ee73027aa30cf06ae462f94f5efe601327fb3c092d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM95B8.exe

Filesize
20KB

MD5
1a61cf2309234b6e02f66497ab7227c3

SHA1
987c9bbb1329ddc5b600f3386891d85bb9458a83

SHA256
10746491db60f63edb8b0a45e9f3e2320a86d3afcfc74b386fe33709f453a943

SHA512
80a10f5989f8d2f05d50a1b83277a09547857365b28f15ca80cacc032a246942e814b3c09b37f92ce6f5a7324c0bfe00163d172d9bb64a4fb1f7b0dcbc6a4487

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM97C6.exe

Filesize
20KB

MD5
b9539bd58844046af940d54ba19cad4d

SHA1
d069087319dbd625e89d5d805cdc3cb2c5a6c609

SHA256
4f5ab92c2c353e469179f2f06085d6404392cb959729d31b3ec6ca71cd413390

SHA512
32b55d6a192a7199eaf08d83d82ec9e4678bb8baa38fdb63f20736fb12697c50e37e56a0a0f5d0f6ecf914f848ed9a38f3feda313589c1b6e46f8022cc231525

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEBA8.exe

Filesize
20KB

MD5
3932857147575f4f6c57694fb5fd0288

SHA1
35ecaa92b7e858438028b4639a7053688c5b7635

SHA256
41e07ca8f9257ddffd5e5c16b9975a1187ac4d60042552b36262148a2deb8973

SHA512
553315991202fd75b792792671584b22758ceda2d4a9b639553e960b953ca083e74c7d13fb4737a547343555cb268aed2a0798831e5449492def8b781ffb54fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEE05.exe

Filesize
20KB

MD5
82d3a7b89f5bb2db35030b519c8516d4

SHA1
e35b9be003ad412607b6fac3b1f09636aae8a85d

SHA256
ee549446525dc0c3e8d481e0711b2ba5c2e25ec7a37d6d3f73e0109f34e26b55

SHA512
846c2c0d7c1c1c7e08666fffd2d5fd0e21e734a415626f36d457180216bc7957cbd68b760c402eac59a8f400d5b3c5dbe89ccbada35b2154d4febc7a148d7db8

Download Submit

Analysis

Sharing