d7f35a6633ec1915b647b4c59dbd5522f07dd331509bcae8f19326c480aaa64f

General

Target

d0148111e92b7b4efa5465958ca2ed2f_JaffaCakes118.exe
Size

20KB
MD5

d0148111e92b7b4efa5465958ca2ed2f
SHA1

d6b54d68402cff53cf525ed2efb4e3bfb7dbab4d
SHA256

d7f35a6633ec1915b647b4c59dbd5522f07dd331509bcae8f19326c480aaa64f
SHA512

b654d7e000bfed23c24908cda05920da134e5c36cb18ab3bc96ba4416bfe22eb5f77bb595d3de53c72c09068f25aafec5035b148e7778b55e5ad0987fb882e45
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L411:hDXWipuE+K3/SSHgxmHZ11

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	d0148111e92b7b4efa5465958ca2ed2f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM3B82.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM91A1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEME7D0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM3DEE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM93FE.exe

Executes dropped EXE 6 IoCs

pid	Process
3332	DEM3B82.exe
2944	DEM91A1.exe
4668	DEME7D0.exe
3196	DEM3DEE.exe
4996	DEM93FE.exe
3572	DEMEA0D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 3332	1132	d0148111e92b7b4efa5465958ca2ed2f_JaffaCakes118.exe	98
PID 1132 wrote to memory of 3332	1132	d0148111e92b7b4efa5465958ca2ed2f_JaffaCakes118.exe	98
PID 1132 wrote to memory of 3332	1132	d0148111e92b7b4efa5465958ca2ed2f_JaffaCakes118.exe	98
PID 3332 wrote to memory of 2944	3332	DEM3B82.exe	101
PID 3332 wrote to memory of 2944	3332	DEM3B82.exe	101
PID 3332 wrote to memory of 2944	3332	DEM3B82.exe	101
PID 2944 wrote to memory of 4668	2944	DEM91A1.exe	103
PID 2944 wrote to memory of 4668	2944	DEM91A1.exe	103
PID 2944 wrote to memory of 4668	2944	DEM91A1.exe	103
PID 4668 wrote to memory of 3196	4668	DEME7D0.exe	105
PID 4668 wrote to memory of 3196	4668	DEME7D0.exe	105
PID 4668 wrote to memory of 3196	4668	DEME7D0.exe	105
PID 3196 wrote to memory of 4996	3196	DEM3DEE.exe	107
PID 3196 wrote to memory of 4996	3196	DEM3DEE.exe	107
PID 3196 wrote to memory of 4996	3196	DEM3DEE.exe	107
PID 4996 wrote to memory of 3572	4996	DEM93FE.exe	109
PID 4996 wrote to memory of 3572	4996	DEM93FE.exe	109
PID 4996 wrote to memory of 3572	4996	DEM93FE.exe	109

C:\Users\Admin\AppData\Local\Temp\d0148111e92b7b4efa5465958ca2ed2f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d0148111e92b7b4efa5465958ca2ed2f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Local\Temp\DEM3B82.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3B82.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Users\Admin\AppData\Local\Temp\DEM91A1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM91A1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\DEME7D0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME7D0.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4668
    - - C:\Users\Admin\AppData\Local\Temp\DEM3DEE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3DEE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3196
      - C:\Users\Admin\AppData\Local\Temp\DEM93FE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM93FE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\DEMEA0D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEA0D.exe"
        7⤵
        Executes dropped EXE
        
        PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3B82.exe

Filesize
20KB

MD5
c564f6fc3509b1e79fa8f32ff51dac9e

SHA1
a3632e6241478b3639888e11ed48149bd1647ebd

SHA256
bb9f4a4ef4798bc0a2d9870e31f48ce8d7865ff4f742e19b32b247b8ab05a97c

SHA512
f6f09e260b397cd8fce017f8409e588f67efb27f27960a1fee9e4480e5d48c5005d951949ae30e969cc53566bea02b45c94e46e3b892bf1ef7eea38c4447f161

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3DEE.exe

Filesize
20KB

MD5
0df31eb35feeab423963a659b1dbd2ff

SHA1
abd258fb3ba9a5bbcf1aa25ddc9a6ee59a2b7a0a

SHA256
d68e9f36b9174e073fc608f753a82cfdfb9267a658c557a29ffa8fe4a927a314

SHA512
590990aa6f5aae331aca39caa8d79f663317d72258d78473d846c1402e3a7690a8406dc17bf999dcb3efa0bcc132d7b8ae4aecbbc30940ba16b542ebfeef6110

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM91A1.exe

Filesize
20KB

MD5
3ca443542348d1785f4f2ae7cbc0b7cc

SHA1
050001c4996594d5ac8ceb6a87fe70159fe6bc15

SHA256
926d7430302569ca7e6c7d5558475f40705aaca1cc8153bd119c778a2fcc855e

SHA512
e1f051842361ea3a778b05fcc8c27126da53eb6d47159765f6986865cef5aa2529faf64b87a4a06008ecad150949fb574961a82a910ac75c66ba6964a8bbb4ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM93FE.exe

Filesize
20KB

MD5
0f1f0dca1fc029ddc4bcdbde4db3e7b4

SHA1
410a3f9b1e3c26211b2aad271bd81986fa27d71a

SHA256
1e07898724d18f91e002a6487f34dc8cc7886629991febee323f2b4eaba0e982

SHA512
9ac8a52ac61326a8962f953f1bb7f35298a25fc13b726bbdaea095be8b7daf0b038f37d5022abc351f85e2f7f2169f1a837aac9072fd317691d93b3d1411f151

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME7D0.exe

Filesize
20KB

MD5
4d82ce4fafa8e6d1e4b99993de70fb3f

SHA1
5e95148a97b60b15062b9df58cdfe81b74db4914

SHA256
0bf141da58b5a9223e276c2c9b0fc2f84da9b9045531e6d6254a5a0a8ef8b88a

SHA512
f971aacfd842c8835ed5e9dd929a01742241f394f54a1dd013e0f4bc9a63048d4f98c240fe20edb94435c37a42536ed61d5806c06dc738620672b80159130b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEA0D.exe

Filesize
20KB

MD5
ab21a23e86aad1dd0d9eaab5f06d06b2

SHA1
2df081b9b6564085319cb057835d0d03e54bf4e1

SHA256
83b7be51a5f7dd176de62b1e4b36a2e6f91bd22bd2774dd307454ef5da6fac06

SHA512
1be11933927155eb8185ae71d5939edc2a57e741949ba48b9dbec047bc42ca627f22fc86495a09f1c275a0e4d88a9836f04604a50cbceeb78efc71f0a68e7de1

Download Submit

Analysis

Sharing