5c0f017148ab8aba86568978960c0ea3b3686def7f6185fb241b84d58dfca034

General

Target

cc3a7be66005c90c345823ffce665e91_JaffaCakes118.exe
Size

15KB
MD5

cc3a7be66005c90c345823ffce665e91
SHA1

4e18176348d251d110c914a50c08cb54bd4b552a
SHA256

5c0f017148ab8aba86568978960c0ea3b3686def7f6185fb241b84d58dfca034
SHA512

1961cf137bf1b42d87ef7257dcce1b3e5700a46f0a7a9f8f369e3885b55697910489a11af0cfa47d2fc4440bfa0fd3e64d16f92a7c1cfc848228f3d2f0d34409
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhkRwju:hDXWipuE+K3/SSHgxDju

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	cc3a7be66005c90c345823ffce665e91_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM4B41.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEMA2C8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEMF954.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM508C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEMA7B5.exe

Executes dropped EXE 6 IoCs

pid	Process
3784	DEM4B41.exe
4684	DEMA2C8.exe
2728	DEMF954.exe
4364	DEM508C.exe
4424	DEMA7B5.exe
2656	DEMFE41.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 3784	1516	cc3a7be66005c90c345823ffce665e91_JaffaCakes118.exe	96
PID 1516 wrote to memory of 3784	1516	cc3a7be66005c90c345823ffce665e91_JaffaCakes118.exe	96
PID 1516 wrote to memory of 3784	1516	cc3a7be66005c90c345823ffce665e91_JaffaCakes118.exe	96
PID 3784 wrote to memory of 4684	3784	DEM4B41.exe	99
PID 3784 wrote to memory of 4684	3784	DEM4B41.exe	99
PID 3784 wrote to memory of 4684	3784	DEM4B41.exe	99
PID 4684 wrote to memory of 2728	4684	DEMA2C8.exe	101
PID 4684 wrote to memory of 2728	4684	DEMA2C8.exe	101
PID 4684 wrote to memory of 2728	4684	DEMA2C8.exe	101
PID 2728 wrote to memory of 4364	2728	DEMF954.exe	103
PID 2728 wrote to memory of 4364	2728	DEMF954.exe	103
PID 2728 wrote to memory of 4364	2728	DEMF954.exe	103
PID 4364 wrote to memory of 4424	4364	DEM508C.exe	105
PID 4364 wrote to memory of 4424	4364	DEM508C.exe	105
PID 4364 wrote to memory of 4424	4364	DEM508C.exe	105
PID 4424 wrote to memory of 2656	4424	DEMA7B5.exe	107
PID 4424 wrote to memory of 2656	4424	DEMA7B5.exe	107
PID 4424 wrote to memory of 2656	4424	DEMA7B5.exe	107

C:\Users\Admin\AppData\Local\Temp\cc3a7be66005c90c345823ffce665e91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cc3a7be66005c90c345823ffce665e91_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\DEM4B41.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4B41.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Users\Admin\AppData\Local\Temp\DEMA2C8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA2C8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Users\Admin\AppData\Local\Temp\DEMF954.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF954.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\DEM508C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM508C.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4364
      - C:\Users\Admin\AppData\Local\Temp\DEMA7B5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA7B5.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\DEMFE41.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFE41.exe"
        7⤵
        Executes dropped EXE
        
        PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4B41.exe

Filesize
15KB

MD5
05fdfc6b5210c6f75e20cee769cd73a1

SHA1
ce55dee0b4765a6fac4afa4356c55ab8aa312054

SHA256
9db2dd2697addfe4cd91228ce4583d4ccaadce9c01385498f6ee02a2a936640e

SHA512
7304cac16537a05c7c453687a47e6ad9d5243a850b2eb4a590c9752957e596cb2f0e69835aec769e11c2a76813c5105cd91810aa82c2af2ba0d71a69678ac22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM508C.exe

Filesize
15KB

MD5
240833aeddc980db5e979a58f795a5ef

SHA1
3dc1539403c0f6d7aa5ce61b48fae62e2c556d44

SHA256
409164cbc2c4e906a8a890b78e528f63959f5c55b8769b3dbb6bd86e4b02ae57

SHA512
4b3705e1e728cb28090d7b9f5457aeea37abfa36b5251796341d4ba5a9b27f9b1a9847db142184c7e658e4b9c81c593ce5f79361e0800db0d7ddea0d194f5068

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA2C8.exe

Filesize
15KB

MD5
607344d6e001b8750693d73962ab8a95

SHA1
de05b6b62b2bd266cc7b756abe8fff9aa0d4ea49

SHA256
041fe1b831fac53f39360f720ac3f93df30209700dd1d4cb927fc670d6ae707a

SHA512
3af1c768059c6786309b25c892967daf38a534fdd16274d8f45947a136f5bb866cbb8c04ca2c373cec8c805ec8efdd33770d13e3d5f038aa1bcf2a719a81edd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA7B5.exe

Filesize
15KB

MD5
47304e871a3164c1348dea32ea31399b

SHA1
02e5c300dbb4a1012283786535d73cdad270af3f

SHA256
0201ac5c4aa7031f4df4a9445c88404175e88eab45d3845377d0cb6cd92f6a90

SHA512
2e4921e04ea4b70ba916e373e3d3b197ec99f2e95f9826a7c35e6a2abf7d8304c64945f5360e51a77ead7e3aea900a7ead776eeaf95f8ddc410a1c81c9b643d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF954.exe

Filesize
15KB

MD5
7c84c3b104984a9e5afce53579981328

SHA1
1c204d3f63badd3151324ab15ec6b226495f850d

SHA256
02ceffb6905c531af79c83d50aef7b946497ded101793e27c2001c2db7401b51

SHA512
f41f73129f4b540f15f58f562071b6e65ef377bf85771c0b8cacb4d9e990c2300f752e96d1718f85799208c19eda2595a3efd261567a9c8bfc756fe56fc84b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFE41.exe

Filesize
15KB

MD5
385e0d32c5b7d2881de941ce407fdfac

SHA1
30537ee1d0b2dabf7df41f9e28c11bfec47b6171

SHA256
42289652303c21059700acb1a1d19b0d87720a716b000f3d194725f8bd615756

SHA512
0f741f138ecaccf8d8d2335296ad8e8e845d2688eafe2459423b823e8075354af97326d70add555c88c8a41c577285e9eabea8d4dca0d1ef46ad06a48fda1e99

Download Submit

Analysis

Sharing