ab77c77bc3704e6c86fb9732bc1d1dc3a6ad1da957f3afba21ed80101a5b5dd5

General

Target

d038c262d1b68196cfe4c5cd85873860_JaffaCakes118.exe
Size

14KB
MD5

d038c262d1b68196cfe4c5cd85873860
SHA1

fcac8951ce7c3fb0fdb880d5e3be0cef24e90b75
SHA256

ab77c77bc3704e6c86fb9732bc1d1dc3a6ad1da957f3afba21ed80101a5b5dd5
SHA512

0762fc8527c75e49b29efea5bd9a52642c4b60600aa2ec272c3c647de1dd39e47e96439377d4676b7e01e0f5a89fd9318e0b06af76ea256c2f0e01927d265959
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5im:hDXWipuE+K3/SSHgxl5im

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	d038c262d1b68196cfe4c5cd85873860_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM74D2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMCDB0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM25A4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM7DA7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMD51E.exe

Executes dropped EXE 6 IoCs

pid	Process
3720	DEM74D2.exe
4536	DEMCDB0.exe
4680	DEM25A4.exe
932	DEM7DA7.exe
5044	DEMD51E.exe
1616	DEM2CB3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 3720	3292	d038c262d1b68196cfe4c5cd85873860_JaffaCakes118.exe	96
PID 3292 wrote to memory of 3720	3292	d038c262d1b68196cfe4c5cd85873860_JaffaCakes118.exe	96
PID 3292 wrote to memory of 3720	3292	d038c262d1b68196cfe4c5cd85873860_JaffaCakes118.exe	96
PID 3720 wrote to memory of 4536	3720	DEM74D2.exe	99
PID 3720 wrote to memory of 4536	3720	DEM74D2.exe	99
PID 3720 wrote to memory of 4536	3720	DEM74D2.exe	99
PID 4536 wrote to memory of 4680	4536	DEMCDB0.exe	101
PID 4536 wrote to memory of 4680	4536	DEMCDB0.exe	101
PID 4536 wrote to memory of 4680	4536	DEMCDB0.exe	101
PID 4680 wrote to memory of 932	4680	DEM25A4.exe	103
PID 4680 wrote to memory of 932	4680	DEM25A4.exe	103
PID 4680 wrote to memory of 932	4680	DEM25A4.exe	103
PID 932 wrote to memory of 5044	932	DEM7DA7.exe	105
PID 932 wrote to memory of 5044	932	DEM7DA7.exe	105
PID 932 wrote to memory of 5044	932	DEM7DA7.exe	105
PID 5044 wrote to memory of 1616	5044	DEMD51E.exe	107
PID 5044 wrote to memory of 1616	5044	DEMD51E.exe	107
PID 5044 wrote to memory of 1616	5044	DEMD51E.exe	107

C:\Users\Admin\AppData\Local\Temp\d038c262d1b68196cfe4c5cd85873860_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d038c262d1b68196cfe4c5cd85873860_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Users\Admin\AppData\Local\Temp\DEM74D2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM74D2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Users\Admin\AppData\Local\Temp\DEMCDB0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCDB0.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\DEM25A4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM25A4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4680
    - - C:\Users\Admin\AppData\Local\Temp\DEM7DA7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7DA7.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:932
      - C:\Users\Admin\AppData\Local\Temp\DEMD51E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD51E.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\DEM2CB3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2CB3.exe"
        7⤵
        Executes dropped EXE
        
        PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM25A4.exe

Filesize
14KB

MD5
5a2abec5240852adae12ec3759b0fb8c

SHA1
12b7d877e95e56f9f2cf54c68d6b10d470d26104

SHA256
1daf7cfa9af21da60e23e6f773824194281cea28b415d8db5fad7d823144130c

SHA512
4cbe495670dd8576330aaadb19d12aa2f3f5b27f54e414fa2f2401a4683a28cd7ccb7fa01e7d905207f44d1113aa0066053ac0006519df6533b62ce64297a184

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2CB3.exe

Filesize
14KB

MD5
fc50aa3b2baa8824272999624270bd43

SHA1
fac735ea3c37d9b0f6e9e486f56b8940519f847d

SHA256
24f02576cf4650d31b18dbd9ec4ee0ee13a4fb5fd3f063c2d95f057d1b2fd24c

SHA512
1632fcad0e30bb3b1f7b88c139ac5e9f904f1c30bb4bb327821c66c4843c34f37cddf69661c266ac32525ecb57d2cd4bde45976a860ca219bb4f4025bb986d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM74D2.exe

Filesize
14KB

MD5
53630d7272840223e35f6393bb155011

SHA1
111f9a1248ea0cac0265c27529ab2d2adb4e5643

SHA256
6373ae5778f8f4a3b67e6c1ad28790bed96cdccf1e93a7de2e910c9547129267

SHA512
6227f81ed32bc15d3a1294c8ffc08e15615c28fdb4be198ac189cc19f2f69fd9d8df036a0457a71c9f7a42bcc3af51f09203e2c2ff68c2dfc951ca51ef9c1faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7DA7.exe

Filesize
14KB

MD5
53a28ef29de1a4f0f82e518c3dc0c1eb

SHA1
b5f97dc2056dfeb65cd5bed6b4ef4483aa39e9ac

SHA256
1cf643ef7da4965586cc9d57ba871cc7f6dbce46ff7ead3f1f93ed340c18488f

SHA512
8bbd16acac5fe6c875d5013e64cf09718fd890b5ad92d3a871786382f0d1a37990a8c314f2efe38fed63e0048b33319cceb832bb7ab08deda1f873972d6db5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCDB0.exe

Filesize
14KB

MD5
8bf4eaebc2908908f4f4ab3130aaf1d4

SHA1
35563a84a73da42ae681b7a2a5b59c73725fadb9

SHA256
f84310522ddae9bd088e6c2a648f978b7ff85ed11f0576f50a10c13b3c93fff1

SHA512
eb3f21dd23a4d37ebdd3ec349e3f98944f3b5a8d03d9df220ab14fdf5d66ea80a61a21a762f06826fb8969ff5393703182d2f04df1b3c82060308e6378fbd640

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD51E.exe

Filesize
14KB

MD5
1a59ade3bc71709b4305bd522843c467

SHA1
c4682914829b7f1cf43c916d395f025ac8c7de80

SHA256
4a9d38756288bf88d6772c6912ce88b05520131144a8693685cade17e02f5894

SHA512
42cc11de98db637c9d576cd60f7477fdf1643aae5d68a015cf5aa96a8b9386ef41e6d9944445683f63a96a66ea34de1751354ce75f8c958220b6269b4ba4ba5b

Download Submit

Analysis

Sharing