213490b0d8c2f7aa6bbee9e06102eb4f5874f60eadbdd199ef0f807492e0b003

General

Target

d3fb8f8a10121324d0bce428e86611b0_JaffaCakes118.exe
Size

16KB
MD5

d3fb8f8a10121324d0bce428e86611b0
SHA1

ae755337babeddb7b55f6e8be212dde73be628d0
SHA256

213490b0d8c2f7aa6bbee9e06102eb4f5874f60eadbdd199ef0f807492e0b003
SHA512

c2e6b8126665e305d9073df8c70bf7030bbdef0b054519b867263f9c9b409d09f0382b4e79bc0268b4ad9e6e3895d9146229e298606cfc31aac09a86b50c4144
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhD8t:hDXWipuE+K3/SSHgxty

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM87DD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEMDE0C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM3459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM8A97.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	d3fb8f8a10121324d0bce428e86611b0_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM3112.exe

Executes dropped EXE 6 IoCs

pid	Process
3324	DEM3112.exe
4048	DEM87DD.exe
2668	DEMDE0C.exe
4300	DEM3459.exe
4108	DEM8A97.exe
1476	DEME0C6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 3324	224	d3fb8f8a10121324d0bce428e86611b0_JaffaCakes118.exe	97
PID 224 wrote to memory of 3324	224	d3fb8f8a10121324d0bce428e86611b0_JaffaCakes118.exe	97
PID 224 wrote to memory of 3324	224	d3fb8f8a10121324d0bce428e86611b0_JaffaCakes118.exe	97
PID 3324 wrote to memory of 4048	3324	DEM3112.exe	100
PID 3324 wrote to memory of 4048	3324	DEM3112.exe	100
PID 3324 wrote to memory of 4048	3324	DEM3112.exe	100
PID 4048 wrote to memory of 2668	4048	DEM87DD.exe	102
PID 4048 wrote to memory of 2668	4048	DEM87DD.exe	102
PID 4048 wrote to memory of 2668	4048	DEM87DD.exe	102
PID 2668 wrote to memory of 4300	2668	DEMDE0C.exe	104
PID 2668 wrote to memory of 4300	2668	DEMDE0C.exe	104
PID 2668 wrote to memory of 4300	2668	DEMDE0C.exe	104
PID 4300 wrote to memory of 4108	4300	DEM3459.exe	106
PID 4300 wrote to memory of 4108	4300	DEM3459.exe	106
PID 4300 wrote to memory of 4108	4300	DEM3459.exe	106
PID 4108 wrote to memory of 1476	4108	DEM8A97.exe	108
PID 4108 wrote to memory of 1476	4108	DEM8A97.exe	108
PID 4108 wrote to memory of 1476	4108	DEM8A97.exe	108

C:\Users\Admin\AppData\Local\Temp\d3fb8f8a10121324d0bce428e86611b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3fb8f8a10121324d0bce428e86611b0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\DEM3112.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3112.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\DEM87DD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM87DD.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\DEMDE0C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDE0C.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Users\Admin\AppData\Local\Temp\DEM3459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3459.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4300
      - C:\Users\Admin\AppData\Local\Temp\DEM8A97.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8A97.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\DEME0C6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME0C6.exe"
        7⤵
        Executes dropped EXE
        
        PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3112.exe

Filesize
16KB

MD5
2167153785307b8ebe9c300595ce876f

SHA1
e5b4c90b4e0501aff6c2b56cada48e535684faae

SHA256
c039caa8b4c048934366c8fee2e901b446571bac96fbf40a6da155dfa526e04b

SHA512
c95578eb5d6c8054208ccecdbf5265f814c57856f4efb83f19be8e02846d6da7a4e985fdb5689d2307f82bd4ef199ceca09913cdabbfa7710cfb409343556b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3459.exe

Filesize
16KB

MD5
4f3ac66e5ae2bd909df463be110a8d9a

SHA1
652f5d225d0fed214b3e3ca458cd119961c63f01

SHA256
b821233c8d17b957c516ab73136682177ef104542d2b6057ff0f0e95dc73c621

SHA512
eff92690038c51853bb3956a1439a55fb70ddb5260cb181c521ea87d547402fecc5e16c4e6637aac61aae7f047554f668aa9ca3ff43cb35fd1d6d6c8d0a8c86b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM87DD.exe

Filesize
16KB

MD5
42928620e6c6a79ab3c4d9f385164eab

SHA1
e3943e4aa3f0be299af500c29db882b0790f8c15

SHA256
fb3b987751d0d050ecf49d2c895486e69c8bd6e33f7cceff1f9a9ac4bc5f7785

SHA512
ff031479cdbdb4efbc040da8b5e8990c15fff27b8c650ed6241bfdd0b79898d685286976688144932538b88de70c822ca13a2428aa58def690cb64e7b7b5fd69

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8A97.exe

Filesize
16KB

MD5
257677f37560eea2d6de8ce0bcd6c4ac

SHA1
76f2ac4392824e785e6751b3d4ab5ad994713ec2

SHA256
e72d16f3bc0899c946dc570b544d6854b45d52fbc9a9472059dd0ccdea6e68f3

SHA512
d3e18cd3cc4e06e19cebf12aa776600cee0884ddf44e5a94225aea647e863a3c396c7abea2d9a84742b9d0dc975232b1e86a95ab6cbb426cc347a98181f24f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDE0C.exe

Filesize
16KB

MD5
acabf9639da41884f0db47f350f8534e

SHA1
ad077599efb001f4041bf7ea2a1824f7a549f030

SHA256
0ea7fed42f1713322dd4f489a6818f7e08321206279e41c4ee8c8fee4ab840d1

SHA512
1cb9289d9f94f5e147d576dfb7e7dac88bed8407c289d2c745661235c48dd84fca908bea702294c77b604b46ca0b19c0d72071d9de617b8b12e9c883a37ad4c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME0C6.exe

Filesize
16KB

MD5
0aec39bf0a28e991244f65e5f8931b84

SHA1
905fbc6b5f43f830cb3f81802ef3671378829afe

SHA256
f940c572ca8f3bdc0d899c6228412a69a44145293753ac73d90b26d3d21f1adc

SHA512
c6f8328bdd364e4f210b6fbe52586cb10e851a11d49f6da108d59d89c9bad08e4b6895fb99aa682c64b736bea7118ee554586862ba3b8feb7c517772f0ebfa85

Download Submit

Analysis

Sharing