05a4984b51df62026ee4de460a6aeadc8d2ef6e983f4cbc7d4258cb78446eb6c

General

Target

d46b3d5df7559b6f99a05e51ac83d4ee_JaffaCakes118.exe
Size

15KB
MD5

d46b3d5df7559b6f99a05e51ac83d4ee
SHA1

0691d60fd9575a57c93ef822693b7c2c89e13a5b
SHA256

05a4984b51df62026ee4de460a6aeadc8d2ef6e983f4cbc7d4258cb78446eb6c
SHA512

14da3f7b804cc220e15f23c4f52174d65c137502a8e90bb157af57910a13ec3b132f276f2b753eb9cc72feee5f5db94adbf3a2df30ba02698f65739c711f1d13
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhhHcLB5:hDXWipuE+K3/SSHgxzHW/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM3B9D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM91AC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	d46b3d5df7559b6f99a05e51ac83d4ee_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM38A4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM8F4F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEME59D.exe

Executes dropped EXE 6 IoCs

pid	Process
2268	DEM38A4.exe
4352	DEM8F4F.exe
1632	DEME59D.exe
3224	DEM3B9D.exe
3832	DEM91AC.exe
3788	DEME809.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 2268	3184	d46b3d5df7559b6f99a05e51ac83d4ee_JaffaCakes118.exe	97
PID 3184 wrote to memory of 2268	3184	d46b3d5df7559b6f99a05e51ac83d4ee_JaffaCakes118.exe	97
PID 3184 wrote to memory of 2268	3184	d46b3d5df7559b6f99a05e51ac83d4ee_JaffaCakes118.exe	97
PID 2268 wrote to memory of 4352	2268	DEM38A4.exe	100
PID 2268 wrote to memory of 4352	2268	DEM38A4.exe	100
PID 2268 wrote to memory of 4352	2268	DEM38A4.exe	100
PID 4352 wrote to memory of 1632	4352	DEM8F4F.exe	102
PID 4352 wrote to memory of 1632	4352	DEM8F4F.exe	102
PID 4352 wrote to memory of 1632	4352	DEM8F4F.exe	102
PID 1632 wrote to memory of 3224	1632	DEME59D.exe	104
PID 1632 wrote to memory of 3224	1632	DEME59D.exe	104
PID 1632 wrote to memory of 3224	1632	DEME59D.exe	104
PID 3224 wrote to memory of 3832	3224	DEM3B9D.exe	106
PID 3224 wrote to memory of 3832	3224	DEM3B9D.exe	106
PID 3224 wrote to memory of 3832	3224	DEM3B9D.exe	106
PID 3832 wrote to memory of 3788	3832	DEM91AC.exe	108
PID 3832 wrote to memory of 3788	3832	DEM91AC.exe	108
PID 3832 wrote to memory of 3788	3832	DEM91AC.exe	108

C:\Users\Admin\AppData\Local\Temp\d46b3d5df7559b6f99a05e51ac83d4ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d46b3d5df7559b6f99a05e51ac83d4ee_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Users\Admin\AppData\Local\Temp\DEM38A4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM38A4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\DEM8F4F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8F4F.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Users\Admin\AppData\Local\Temp\DEME59D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME59D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Users\Admin\AppData\Local\Temp\DEM3B9D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3B9D.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3224
      - C:\Users\Admin\AppData\Local\Temp\DEM91AC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM91AC.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\DEME809.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME809.exe"
        7⤵
        Executes dropped EXE
        
        PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM38A4.exe

Filesize
15KB

MD5
195f1712006604d328911ccf422345c8

SHA1
dfded0a0e405483f0e4b45c79165a4f93549510f

SHA256
d63540f7afe15a97193c6aaf74dfbf2c407c7504625293005900ba386e661c29

SHA512
bfa218510b03197a11b99ba9cd18b7233bc433625b2d06450e4a36ed5cd7e970181c9c9abf089dbcb981b8c018df96391808e763db98b31a497f3f0754abc3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3B9D.exe

Filesize
15KB

MD5
2266e63798ba4c05a30c40268ea2997c

SHA1
6ad6bd4faa0b5ab73bd6138e35838ccad4849068

SHA256
0537f87e3dfb721be0284ddb27cd67f7a37eefa4aebef85b66ac0459ab412edc

SHA512
a8512bec82bf562e06e09592f4c016f140a8110447d911884fff2a0f80c36f00071ba70885db905f64bc49c364f9844228058f6a2d66ee9e1d2e0bfccda41fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8F4F.exe

Filesize
15KB

MD5
4bb8e765f7cb929337ba0e828b0e06c9

SHA1
e9fca9653fbfaa1501360a11ca3696216beab97e

SHA256
64686ad5a3362fc568d00adeffc1d97c3f57bbc828700ddf9feaaa467bcc6d54

SHA512
f1d3db60b5acc8c93e0efd3db80038add2f955d36678597a7c593297a716b4e1e2b220afc985da92a906fbe8927ad863ad53effcd439cc2fccd51b1bac83861b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM91AC.exe

Filesize
15KB

MD5
f08680670dce29ce5b972f8355ec1376

SHA1
a89825bf1a25964eb67b645bc9c5fbfa89f999cc

SHA256
8a8eb406fb7f5d2177787f3e44174bab1e4c7069fb4ca7eb5b12b3e3d3fc89d0

SHA512
558f14459fb47ee6982c7ccfce9761f299ba8def42fb31c353142f46d9255c547bee5a4e370d2b1afadba110924643d9c63fb0d6f42abb9ab6d3529cd86ac75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME59D.exe

Filesize
15KB

MD5
2ebc8bfb8c84352aa31a95cecdbd4f9d

SHA1
785eb2f1df88eb61243ffc0f36875b1caea1391a

SHA256
b6c71bf9cf7574273c2ea6563c298b9d3bfba4c908e165a65215b45c4e3b026c

SHA512
8bcf63ef75cfbf0549d187e5ee8237f6b0f729372f5b4179d2fd9543f081c2d14b28512f6b5c7a5e63790eb1736aca40b7cfd410f4326cf8c41aff52f94dfd4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME809.exe

Filesize
15KB

MD5
9cfb8067fd7b30a3d60e7b88174b7974

SHA1
2419e21b9d46c8df25e5a8f19e23b2adc7a4906b

SHA256
913c7475673a474046e858e6fd77acc228850d11c17b5b160a675b4b776500b4

SHA512
fc490782717888db89a43bdfd0ab9eb9a283681b6dd3f6199c5dcf851f178388438f606bdc26d7adbcb882412acc3560bc52aaca6b6e56924f738248fde2f9c7

Download Submit

Analysis

Sharing