1344738bf87e7ca0bc72773ce2a22150adeaa77dcd064d9eb5cb382989d31e8a

General

Target

d42833235c89a3476e1df437bece3eb4_JaffaCakes118.exe
Size

16KB
MD5

d42833235c89a3476e1df437bece3eb4
SHA1

896154f919f93c1ee32fdc8a3ecfb2e88503d78b
SHA256

1344738bf87e7ca0bc72773ce2a22150adeaa77dcd064d9eb5cb382989d31e8a
SHA512

7c74962834398c5344386085115066d8352a1ea206bf8fbc3b81f969ee2a3ae25258c075abe6a7e15e82347dbe1d2544c955b139e18e7ae929ea5e69cd410600
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYTP:hDXWipuE+K3/SSHgxm7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	d42833235c89a3476e1df437bece3eb4_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM5E9B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMB7E6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMF4D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM657B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMBD50.exe

Executes dropped EXE 6 IoCs

pid	Process
3052	DEM5E9B.exe
4336	DEMB7E6.exe
4696	DEMF4D.exe
4276	DEM657B.exe
3852	DEMBD50.exe
4008	DEM14E6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 3052	5112	d42833235c89a3476e1df437bece3eb4_JaffaCakes118.exe	96
PID 5112 wrote to memory of 3052	5112	d42833235c89a3476e1df437bece3eb4_JaffaCakes118.exe	96
PID 5112 wrote to memory of 3052	5112	d42833235c89a3476e1df437bece3eb4_JaffaCakes118.exe	96
PID 3052 wrote to memory of 4336	3052	DEM5E9B.exe	99
PID 3052 wrote to memory of 4336	3052	DEM5E9B.exe	99
PID 3052 wrote to memory of 4336	3052	DEM5E9B.exe	99
PID 4336 wrote to memory of 4696	4336	DEMB7E6.exe	101
PID 4336 wrote to memory of 4696	4336	DEMB7E6.exe	101
PID 4336 wrote to memory of 4696	4336	DEMB7E6.exe	101
PID 4696 wrote to memory of 4276	4696	DEMF4D.exe	103
PID 4696 wrote to memory of 4276	4696	DEMF4D.exe	103
PID 4696 wrote to memory of 4276	4696	DEMF4D.exe	103
PID 4276 wrote to memory of 3852	4276	DEM657B.exe	105
PID 4276 wrote to memory of 3852	4276	DEM657B.exe	105
PID 4276 wrote to memory of 3852	4276	DEM657B.exe	105
PID 3852 wrote to memory of 4008	3852	DEMBD50.exe	107
PID 3852 wrote to memory of 4008	3852	DEMBD50.exe	107
PID 3852 wrote to memory of 4008	3852	DEMBD50.exe	107

C:\Users\Admin\AppData\Local\Temp\d42833235c89a3476e1df437bece3eb4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d42833235c89a3476e1df437bece3eb4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Local\Temp\DEM5E9B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5E9B.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\DEMB7E6.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB7E6.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Users\Admin\AppData\Local\Temp\DEMF4D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF4D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4696
    - - C:\Users\Admin\AppData\Local\Temp\DEM657B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM657B.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4276
      - C:\Users\Admin\AppData\Local\Temp\DEMBD50.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBD50.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\DEM14E6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM14E6.exe"
        7⤵
        Executes dropped EXE
        
        PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM14E6.exe

Filesize
16KB

MD5
5fee0fcddcaaf91b560a62801fc17c5b

SHA1
b40e907b5ac056f3db50c53f24d4b277bbc6582d

SHA256
c44b9e0c21b51a934720125ef7c60017f17895e619ff0b59a94c7bac18371843

SHA512
d31cb97b0ea57800317c61aaca3f32cfdfd7b85bf309559e1ea367201722fade03830d4b65b670af120273423caa1926f580999e82dc0fa9939a19f88480aaaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5E9B.exe

Filesize
16KB

MD5
a57a6326e7359b90baa73d4b56ae6acc

SHA1
faf490ff062d4fec21f2d71bf51ea032cb3e3bad

SHA256
f248585fac8bf0abe97a912aaf7e0d1e73f8f106949d889b7e3e596b9513b7cc

SHA512
68a64f10fdd8b6a40e6d9b5e1e7a378b79af15095186aa6443b20751e4ab81c3f9ed00bb3e974382d65dc2928440659843f6011d7232fac04d783ce7d433e32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM657B.exe

Filesize
16KB

MD5
d2d57d6b2587b753b69c5c2b30b3b6e3

SHA1
1971cafdd4fc4af15af5bbe3f8c6f6b4d7775d40

SHA256
ebddfab03e2ccb544893554ee093a238a9bb910628c40fb77730ca7d38c98c5b

SHA512
5ffabd7697fd6963b668e4891cf65d157793a61d362664e0f6320655a7641b8779282d1367fa3c0843d0f821680602d49d5bd6bf6859584851d32a7706facdb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB7E6.exe

Filesize
16KB

MD5
04b9100e0f4131d1a8b3a09a015e9d8a

SHA1
303f6d68cfbbc2b2cce15ae4d390c2ac6f6d712b

SHA256
62d76bd292a8020ae97932500b620c18d9656da4a852cac0dcc32b7a9c146e32

SHA512
31d3a479c0484d4edde839ca102f8ca03135258c743452d992967bbb076f4c59f7c94b65a7b581efeca100be51b154ec3ccb7782f04eb15792e529b5c1d20a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBD50.exe

Filesize
16KB

MD5
6d69453c952f4c7387c31b18106c1035

SHA1
e9dc04c72e7b3f499dfa51a26c0cfa22894aace8

SHA256
e74582cd008627506c7e0d264d82599926ec2a27dece28477b977fde50a78f0e

SHA512
fd0cbb4c51aefbd43e1240ed0050d3ec700b8ee38dce5a8d8b6b8af6e3ba29e233a7c26fa260e66147753c003fde3c1bae81783ffa5249e2a0bf46a9d5ebab78

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF4D.exe

Filesize
16KB

MD5
0c629cea3cbc6774f0c0fd17243fb29c

SHA1
154d024e168bc23be90bdee9810a36a20afe8a52

SHA256
aa79ade582c4d0a200313d269ceb87227f30ca0567357f84aa2106054b3d451f

SHA512
4b51af622bdd5133625e96625085314994704a5b749a0944b232a9c380c02866f7f22da38ac2f77502c777b83bb11af3af22bb03af95446ae0caf19229f49ea6

Download Submit

Analysis

Sharing