e324e4af676490fbd7c6550b8ec6e92132a45b0e97b7b0afef86fa6eaf905677

General

Target

d37674994241971820fdf7b2253b83be_JaffaCakes118.exe
Size

15KB
MD5

d37674994241971820fdf7b2253b83be
SHA1

6119d40142c7463ad082be949e135a109aa7aba0
SHA256

e324e4af676490fbd7c6550b8ec6e92132a45b0e97b7b0afef86fa6eaf905677
SHA512

6a6cc022f37c98fe2188724691324c44fabb60742639a8309dc7a3aee0a2877f386ade4782394324acbf40194cd79ec997d7c54cf5516e0c1b048b85b68dd669
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cn/vb:hDXWipuE+K3/SSHgx//vb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	d37674994241971820fdf7b2253b83be_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM659F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMC0CF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM1884.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM7049.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMC81D.exe

Executes dropped EXE 6 IoCs

pid	Process
1712	DEM659F.exe
2900	DEMC0CF.exe
3520	DEM1884.exe
4848	DEM7049.exe
3860	DEMC81D.exe
4028	DEM2011.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 1712	4432	d37674994241971820fdf7b2253b83be_JaffaCakes118.exe	97
PID 4432 wrote to memory of 1712	4432	d37674994241971820fdf7b2253b83be_JaffaCakes118.exe	97
PID 4432 wrote to memory of 1712	4432	d37674994241971820fdf7b2253b83be_JaffaCakes118.exe	97
PID 1712 wrote to memory of 2900	1712	DEM659F.exe	100
PID 1712 wrote to memory of 2900	1712	DEM659F.exe	100
PID 1712 wrote to memory of 2900	1712	DEM659F.exe	100
PID 2900 wrote to memory of 3520	2900	DEMC0CF.exe	102
PID 2900 wrote to memory of 3520	2900	DEMC0CF.exe	102
PID 2900 wrote to memory of 3520	2900	DEMC0CF.exe	102
PID 3520 wrote to memory of 4848	3520	DEM1884.exe	104
PID 3520 wrote to memory of 4848	3520	DEM1884.exe	104
PID 3520 wrote to memory of 4848	3520	DEM1884.exe	104
PID 4848 wrote to memory of 3860	4848	DEM7049.exe	106
PID 4848 wrote to memory of 3860	4848	DEM7049.exe	106
PID 4848 wrote to memory of 3860	4848	DEM7049.exe	106
PID 3860 wrote to memory of 4028	3860	DEMC81D.exe	108
PID 3860 wrote to memory of 4028	3860	DEMC81D.exe	108
PID 3860 wrote to memory of 4028	3860	DEMC81D.exe	108

C:\Users\Admin\AppData\Local\Temp\d37674994241971820fdf7b2253b83be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d37674994241971820fdf7b2253b83be_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\DEM659F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM659F.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\DEMC0CF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC0CF.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\DEM1884.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1884.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3520
    - - C:\Users\Admin\AppData\Local\Temp\DEM7049.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7049.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4848
      - C:\Users\Admin\AppData\Local\Temp\DEMC81D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC81D.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\DEM2011.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2011.exe"
        7⤵
        Executes dropped EXE
        
        PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1884.exe

Filesize
15KB

MD5
9f63105947c3774b3081805c5d2a40d7

SHA1
da80abce5f7f9f924ebd89c4680ca3fa3a26b48a

SHA256
6f6c91166c0152cd95a48faffbcc6443c72a3829b5f3b896404cc0fb9a4ee95c

SHA512
a21d71269fff6dd423866c24ad7b2705a4876b335b290dab75d8e467574e2a53cfe814b7a302ffd3dbd03fd40c4eb6df73d70a898dd2e37b94385a11153ac432

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2011.exe

Filesize
15KB

MD5
3dda6a176b01ba87f08940d1e6904d96

SHA1
04e52986d5f58522079da911a47dbf74088083c8

SHA256
b293d05b9d45718488f794ed2625acb765a07eef1caf3f631e3973a5b199f978

SHA512
0b20e37c8d9e1fc3cf527dab4e010b262dc2c0dfbdd0f5b3e5affab86ad1a905e4661255854e8ef42783c4331c670638a224dcd6bceffc640f5b4d525f5f20bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM659F.exe

Filesize
15KB

MD5
ba8f8744dc3724b15ae7da9d8318ebaa

SHA1
6e0197d75b948c75d7c7060df6df2776640760e0

SHA256
17b7c9bf4a6b827eec2182fafb57a3dc6985bced045ef33f4afc727a140e8be1

SHA512
d23c7e8e15d1ffc8a623308e2035d87c3af3184307a78968082084d66d7b92b5688f07549a7cdb674c30efaae87a2512784853dad3d7e1e2a6d407d6d19ec905

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7049.exe

Filesize
15KB

MD5
1342b9e123ba5e5ab71809266a9dd0f2

SHA1
140f33dda56e2887aaf5f48ed68facc079f56636

SHA256
099002d2b0c58cd63716534d76855c9d1e73a8e95de06a48a3bfac06ae0899be

SHA512
0d28e50be193f00e9d8a734a270e7c1a8e20f43e0abeaca172907a5b11732a635553359f0b343098c9f2c9c2a35422e2a336f3d4d31f39f113a17580df20d55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC0CF.exe

Filesize
15KB

MD5
71d21da17b2b16616dbbdebe5b0d323e

SHA1
d4ce142def90dffad25a82801684038d80c0070c

SHA256
e39b4598ec1566486e10aa3b72ec4c7b99d7325c94621ce9eb95d35cf7497f8c

SHA512
33cbf10bfd7ce8dd5c0466024e816d796ca72704dc7d7e705c1cec954681f0831b65f01cd209e7aedbb0eed7f70638e7ddf932a8ea4379d72a0f65b6e78d2d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC81D.exe

Filesize
15KB

MD5
1f5148268a8d1d50fdebe98a072273af

SHA1
ecaef45e3f8a0d61035b5f5c3355489a516cd189

SHA256
8ef894c22cd0aa520ab1d12cfd63dc79cf2323d03acf2423c82f7757e1c49a92

SHA512
4a242977db044bba5275dd299edf0d4b4c6d7ff675b7452eb7dde3c395ad5c3fca6300ebaa6b2e9a5e90400e76d08026ec14e4ed2a85c7e8a0a2b92dc05d11be

Download Submit

Analysis

Sharing