c3e31f5882bbcb632d18ec1f59d7f04858e3178bdb4885fbf79e2d8c1deb2743

General

Target

cf72aac49d80d49c2007b5b0c25b1c63_JaffaCakes118.exe
Size

20KB
MD5

cf72aac49d80d49c2007b5b0c25b1c63
SHA1

043302305055bea72fec2b327140ce4656ebc508
SHA256

c3e31f5882bbcb632d18ec1f59d7f04858e3178bdb4885fbf79e2d8c1deb2743
SHA512

da75b154854d1eabbb1c85e557b767895fb1ed5c2a9b05c84517284787ab5593c1e288b162ad787f430bb1cd4e52d20cc82dfaf136f700b0ae6a48c46b95880b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4PST:hDXWipuE+K3/SSHgxmHZPST

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM996C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	cf72aac49d80d49c2007b5b0c25b1c63_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM40C2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM973F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEMED5D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM436D.exe

Executes dropped EXE 6 IoCs

pid	Process
4700	DEM40C2.exe
2940	DEM973F.exe
4816	DEMED5D.exe
3600	DEM436D.exe
3008	DEM996C.exe
2012	DEMEFAA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 4700	4464	cf72aac49d80d49c2007b5b0c25b1c63_JaffaCakes118.exe	97
PID 4464 wrote to memory of 4700	4464	cf72aac49d80d49c2007b5b0c25b1c63_JaffaCakes118.exe	97
PID 4464 wrote to memory of 4700	4464	cf72aac49d80d49c2007b5b0c25b1c63_JaffaCakes118.exe	97
PID 4700 wrote to memory of 2940	4700	DEM40C2.exe	100
PID 4700 wrote to memory of 2940	4700	DEM40C2.exe	100
PID 4700 wrote to memory of 2940	4700	DEM40C2.exe	100
PID 2940 wrote to memory of 4816	2940	DEM973F.exe	102
PID 2940 wrote to memory of 4816	2940	DEM973F.exe	102
PID 2940 wrote to memory of 4816	2940	DEM973F.exe	102
PID 4816 wrote to memory of 3600	4816	DEMED5D.exe	104
PID 4816 wrote to memory of 3600	4816	DEMED5D.exe	104
PID 4816 wrote to memory of 3600	4816	DEMED5D.exe	104
PID 3600 wrote to memory of 3008	3600	DEM436D.exe	106
PID 3600 wrote to memory of 3008	3600	DEM436D.exe	106
PID 3600 wrote to memory of 3008	3600	DEM436D.exe	106
PID 3008 wrote to memory of 2012	3008	DEM996C.exe	108
PID 3008 wrote to memory of 2012	3008	DEM996C.exe	108
PID 3008 wrote to memory of 2012	3008	DEM996C.exe	108

C:\Users\Admin\AppData\Local\Temp\cf72aac49d80d49c2007b5b0c25b1c63_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf72aac49d80d49c2007b5b0c25b1c63_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\DEM40C2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM40C2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\DEM973F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM973F.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\DEMED5D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMED5D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4816
    - - C:\Users\Admin\AppData\Local\Temp\DEM436D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM436D.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3600
      - C:\Users\Admin\AppData\Local\Temp\DEM996C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM996C.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\DEMEFAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEFAA.exe"
        7⤵
        Executes dropped EXE
        
        PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM40C2.exe

Filesize
20KB

MD5
a243f7e9d0f3f368e2ec03416eb5f63b

SHA1
3ba615dd65b752c02c0e9ac218ccbc34883923b3

SHA256
55248adf861b54f3d230fc7586cb0d4d42efa21d7e3f14df9ca8a7892cad4c67

SHA512
624eafa259fc02b90014409fec3b315c56933740d92dc65127efa15cbfe3af38a2dfee6d192f6a2329b991a95a42a78b8758a2448f5e3dcb3ca6d552701b4f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM436D.exe

Filesize
20KB

MD5
4f5ad5cfbb6f7f81cdec2300820b7805

SHA1
f34ed633e8551a11a7678c56c2b0ab635e33e2a9

SHA256
1822b94e2167381c71d70590ebfbf570090630bec07b1625f07345add2c2d7f7

SHA512
5c8ae778e1c7f65216697f8d419d6a6e25d9f9e13d5612f111925ed10d69416fe5a8e5705b9bdd2b5d6f199e34b15058d9cc3803597591f7eda4eb5b4f85f43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM973F.exe

Filesize
20KB

MD5
92e01bdb7c67aa1de61e020705f405e9

SHA1
47d1411072da82daaf42e8d6f5c814cb4d143b7b

SHA256
696a4e5d533861aa723099a5059f63a35cd10db70c07eac629c70f69e2b835ed

SHA512
01e35d0720919e635eb44709b03c5003606490e1ad6c5a73f9226ab9768e8d7fc0bd14d743663e534e15e665eea6876d753eab1cbc72d06ca395bab3f9ab6044

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM996C.exe

Filesize
20KB

MD5
61a5da4424bb98dfbc79307f2f8d7037

SHA1
0eb0331611d16cdfc6df5865e9081f4d538747e9

SHA256
358e69d3a697be6289bf19031767a95d3d8868b783a6c7c94aa6191af62eae30

SHA512
431d349aa27bf2abe7202fc11687ef2f1e3f266f46496cadc193b5b53011141259fad67cc9b1684a0429e53e42340d1f438284c4a65724a57cc27b39a90bd49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMED5D.exe

Filesize
20KB

MD5
13be385177f4f1682551eb2c7d041e48

SHA1
fbebb004d1be8da4bc6fecf8c3ee6af76fffbf5e

SHA256
0491afd3ddab3b6b6532f515098aeeda4807fd32a10324b081eb79543b94cdb4

SHA512
2a983f2ac210ebc2b48a0ea9d8e5c843c1958931a66e1ad5c24da9c1ab7c30589e8fad1f0763348d69b9348d48f0a270ca34e80cf04ed3fc1f647bd063a23fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEFAA.exe

Filesize
20KB

MD5
4faee6de41524e00022225a308a401a9

SHA1
39647f2b6e8260cdbf9532062180348b0749f2be

SHA256
fda8325c03653e59de6ba3164e4c27a43552c0b1f53e08bfab66075f6ceeb91b

SHA512
8399921b4efda840daa89b86e5400c1d968ab81fbabf40db53a76329be1049071f6506c643418c479c8cbad69a94ae451627bfe76e7fd932d77f108d1df67aff

Download Submit

Analysis

Sharing