5b9a700b4972ff944d3b4fd2564cf484099f8bea4d4de84575b94e9dd80084ee

General

Target

d6bc49b4f8ac9597768388cf08a3f639_JaffaCakes118.exe
Size

16KB
MD5

d6bc49b4f8ac9597768388cf08a3f639
SHA1

e4412e98946c254783f631fdd420a95139b108cc
SHA256

5b9a700b4972ff944d3b4fd2564cf484099f8bea4d4de84575b94e9dd80084ee
SHA512

42eb03856d4042e25a1464f2054eb6ad778a1d24bfc6931ae99ae29d908bc9015f98d8aab0039c205ce043ddc8cfb72230ea504a23c92fb55257fbe04fb8d84f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZ/:hDXWipuE+K3/SSHgxX/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM9E34.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEMF51E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM4BAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEMA2A4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	d6bc49b4f8ac9597768388cf08a3f639_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM4798.exe

Executes dropped EXE 6 IoCs

pid	Process
4436	DEM4798.exe
4008	DEM9E34.exe
1048	DEMF51E.exe
3612	DEM4BAA.exe
3936	DEMA2A4.exe
3880	DEMF94F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 4436	1444	d6bc49b4f8ac9597768388cf08a3f639_JaffaCakes118.exe	96
PID 1444 wrote to memory of 4436	1444	d6bc49b4f8ac9597768388cf08a3f639_JaffaCakes118.exe	96
PID 1444 wrote to memory of 4436	1444	d6bc49b4f8ac9597768388cf08a3f639_JaffaCakes118.exe	96
PID 4436 wrote to memory of 4008	4436	DEM4798.exe	99
PID 4436 wrote to memory of 4008	4436	DEM4798.exe	99
PID 4436 wrote to memory of 4008	4436	DEM4798.exe	99
PID 4008 wrote to memory of 1048	4008	DEM9E34.exe	101
PID 4008 wrote to memory of 1048	4008	DEM9E34.exe	101
PID 4008 wrote to memory of 1048	4008	DEM9E34.exe	101
PID 1048 wrote to memory of 3612	1048	DEMF51E.exe	103
PID 1048 wrote to memory of 3612	1048	DEMF51E.exe	103
PID 1048 wrote to memory of 3612	1048	DEMF51E.exe	103
PID 3612 wrote to memory of 3936	3612	DEM4BAA.exe	105
PID 3612 wrote to memory of 3936	3612	DEM4BAA.exe	105
PID 3612 wrote to memory of 3936	3612	DEM4BAA.exe	105
PID 3936 wrote to memory of 3880	3936	DEMA2A4.exe	107
PID 3936 wrote to memory of 3880	3936	DEMA2A4.exe	107
PID 3936 wrote to memory of 3880	3936	DEMA2A4.exe	107

C:\Users\Admin\AppData\Local\Temp\d6bc49b4f8ac9597768388cf08a3f639_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6bc49b4f8ac9597768388cf08a3f639_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\DEM4798.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4798.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\DEM9E34.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9E34.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Users\Admin\AppData\Local\Temp\DEMF51E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF51E.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1048
    - - C:\Users\Admin\AppData\Local\Temp\DEM4BAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4BAA.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3612
      - C:\Users\Admin\AppData\Local\Temp\DEMA2A4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA2A4.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\DEMF94F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF94F.exe"
        7⤵
        Executes dropped EXE
        
        PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4798.exe

Filesize
16KB

MD5
b7a52e2d4f2c3708cd1818816a6086bc

SHA1
b40a437a0fb341e723e701e3fb29f362bfe2b758

SHA256
b4cc4971038fd543a9546ce644d58b91839ad55016a9e5a4893ae3e832e76e79

SHA512
bef1297b84d0c83fd1199c30e1f6e5093345000d8e957e27543884f1b7a410f4c0d8ec2c7c6e1b6a2000767f3f95ae381ea5afef6a6f23ba86c624b4fded0eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4BAA.exe

Filesize
16KB

MD5
7e4ea3ba851d160d63a30265ed2c6178

SHA1
7a9ec00d4b0b39e2ef85ec624f8e1de9b31f2060

SHA256
733735a2ff7aeaeee130ff030e17e9d6a9dcd729c0a381b50fbaafc604a504ad

SHA512
a0facb30cc8986c8b939a51cb9ae73aafd9887aec4274a1a80c4458bf333d84fa3599b7f842157b7bbd3efa28f4a24991e5571db8fa2067c39710eebc0b72bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9E34.exe

Filesize
16KB

MD5
51a9fdcefa5e4de460db4b6af17cb0ea

SHA1
8f5b7823d4262be49ba35cc4437b69a86bc622ea

SHA256
55c28e3010b16d27c7c400f9402c59a51c1eab7045150daaff984a4ed0062f02

SHA512
0bc1fc6be29fe20fd2498deeff24687f2998eae585ff437254933ee2368a9e20f1421b186c5f4982fdb832523f1e006482eaa79f4593d53729de34d982f9e5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA2A4.exe

Filesize
16KB

MD5
46d0ab641e57bc2de7beb430fa0761f4

SHA1
8f33565a6e3f4a61392281670953e61780381163

SHA256
e64ce8f560bb4653feb4e67b79370a912daf214de315b6dc8b87cf9050b75274

SHA512
581f5c2cef623e4979bdd8b63c83b7f8d9d2b25f2895560e2132ca1b379e1b2658bc7b1fc805e47355f2c58c62d41969a0785080d2d12d86a42479fc4b5bcb21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF51E.exe

Filesize
16KB

MD5
bf8cca8427646378a6adaeaf1722a7fb

SHA1
75644bd1ca558d72fcf3c19b9b6726e988d2c091

SHA256
2769fc359e2b4cca0af4840996920c0e82d49fa232602de81ed02ced35ed0481

SHA512
7ec707e4e23f35eb6022187da42decdbf26a74078f6a56b9909c778a8ec0a211c7ed8a993d2d341dacb30aba4488b9fe7f681797275da3c4a252e9d38586d728

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF94F.exe

Filesize
16KB

MD5
e9f0a6bb9c24872ff3b411eab3db4171

SHA1
b3e781bc4ba57bf9e017a86d6d8535516032bdd5

SHA256
4400d1d965b07af6bfb8897cece649853ba6863aa1d9c0dd633e2ad766428894

SHA512
84cf0fd8ca383423fd316ef97f78896184fc9f8a9080c518abc8e3bcd98a669d8ec53e7790f13870b94eae2dd8573810c8cd5847905ddb750e54871cb836eac9

Download Submit

Analysis

Sharing