cf0285d6570c1e64f746f162222cbce0a38ccd305ba9a988e098915d7106e464

General

Target

d838dbde2eff15a2b510dc3a73727f0a_JaffaCakes118.exe
Size

15KB
MD5

d838dbde2eff15a2b510dc3a73727f0a
SHA1

004e95943268ce35ea9be694d8fce09b75b2fee6
SHA256

cf0285d6570c1e64f746f162222cbce0a38ccd305ba9a988e098915d7106e464
SHA512

4b27d2bf7c9b3203eb7d80aee005244d083014635f98dcb154feaaf8bb47642a8e2070da1b6fbd7ff8f3b22ffc6c9a8338f946ae0d01dd262ba59d5b0f6fe578
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhhz:hDXWipuE+K3/SSHgxzz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	d838dbde2eff15a2b510dc3a73727f0a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM5C1A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMB536.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMD49.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM655C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMBD11.exe

Executes dropped EXE 6 IoCs

pid	Process
3620	DEM5C1A.exe
540	DEMB536.exe
2432	DEMD49.exe
392	DEM655C.exe
1956	DEMBD11.exe
2104	DEM140B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 3620	5004	d838dbde2eff15a2b510dc3a73727f0a_JaffaCakes118.exe	95
PID 5004 wrote to memory of 3620	5004	d838dbde2eff15a2b510dc3a73727f0a_JaffaCakes118.exe	95
PID 5004 wrote to memory of 3620	5004	d838dbde2eff15a2b510dc3a73727f0a_JaffaCakes118.exe	95
PID 3620 wrote to memory of 540	3620	DEM5C1A.exe	98
PID 3620 wrote to memory of 540	3620	DEM5C1A.exe	98
PID 3620 wrote to memory of 540	3620	DEM5C1A.exe	98
PID 540 wrote to memory of 2432	540	DEMB536.exe	100
PID 540 wrote to memory of 2432	540	DEMB536.exe	100
PID 540 wrote to memory of 2432	540	DEMB536.exe	100
PID 2432 wrote to memory of 392	2432	DEMD49.exe	102
PID 2432 wrote to memory of 392	2432	DEMD49.exe	102
PID 2432 wrote to memory of 392	2432	DEMD49.exe	102
PID 392 wrote to memory of 1956	392	DEM655C.exe	104
PID 392 wrote to memory of 1956	392	DEM655C.exe	104
PID 392 wrote to memory of 1956	392	DEM655C.exe	104
PID 1956 wrote to memory of 2104	1956	DEMBD11.exe	106
PID 1956 wrote to memory of 2104	1956	DEMBD11.exe	106
PID 1956 wrote to memory of 2104	1956	DEMBD11.exe	106

C:\Users\Admin\AppData\Local\Temp\d838dbde2eff15a2b510dc3a73727f0a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d838dbde2eff15a2b510dc3a73727f0a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\DEM5C1A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5C1A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\DEMB536.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB536.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Users\Admin\AppData\Local\Temp\DEMD49.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD49.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Users\Admin\AppData\Local\Temp\DEM655C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM655C.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:392
      - C:\Users\Admin\AppData\Local\Temp\DEMBD11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBD11.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\DEM140B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM140B.exe"
        7⤵
        Executes dropped EXE
        
        PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM140B.exe

Filesize
15KB

MD5
54733192bbd20223c9a2a669e48778e3

SHA1
6e7bfeda077c91b37732502545905998ae33fd91

SHA256
9ef796445f1d4e8442d5278fb77432378d887d3baf48da7d05a7c2ff12297c3f

SHA512
caf723de2d1852c2e8eba42cf6ed74e16d4b6217f30c08d21d3016e09e55dd9dc7763f238d239f3eaf420f20107afd91f0c80e0b5e2be7080783bb33006d8363

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5C1A.exe

Filesize
15KB

MD5
8a1c22ae1fae117b98602c67fe134959

SHA1
1b63a516ee15957bfebcd870d4924916da00964b

SHA256
890fc367517f1ca6a5876282251831c26324f6300dc891064e26078b6c974699

SHA512
2d738907272126d226472a46e5e45463d3c0a64aeb6e4dabe3d068e0d6bea46aee89a65941a1da69052e5ac3ce41d210b17dd4b93507ddffd59e5d4d13f98eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM655C.exe

Filesize
15KB

MD5
156c592e29dd830850fecd894eae760f

SHA1
9be5a812b9d6ebf4c63cf48232ed9bfb683f59b2

SHA256
22f79449cd8786d3a4becaec90175b6ffff2dfc105a5e7d2ff15b00b6402609e

SHA512
c1bf8172eee9b38cc5ae987e727bcdb279a860dfe8adb18456b84ef73dfb052f486198bfc442b5fcb7ab0ba9de23bdb5c141255b0200d1e38f64b7585d88ae1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB536.exe

Filesize
15KB

MD5
f9d008d3679bd80efed269bb93c4e802

SHA1
3001e0db56c6ba245b374f75b4460bf10dea88a4

SHA256
f829db2d39180ab9788a6ff4d1440b011bd0bef3cadc9ebbd79d6d5aa0083016

SHA512
3c138e91d2b13117437c393d885e518b2c0b6cd71843f18623a0baad86296637f7b3659a4b96a4163b1ea9a1a98121d8ebc8c6387a0263db93c3f36f078234e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBD11.exe

Filesize
15KB

MD5
fe68092f674fa631672bb6f9db9ec687

SHA1
78c42f58e315e3478e8c1324ecd782f80679bebd

SHA256
1cfe543294c30a2b45c3834aab36159efc325337cb994ec41511f17b202456a4

SHA512
160e4bd511cfee93a3a3d09cd3b47a971cf6365dc51340cd04ff03750d012dc16730d37f8c9f03817708dba53cc209828cfac7a7356b51b126f6da017c486cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD49.exe

Filesize
15KB

MD5
d57a0b1be8ee501f29987cd6afbc92ad

SHA1
3bf8f499c56bc84267c02563677a37e0e7545398

SHA256
38e3c038422831791c25d217053b3014c58933d1254fada335103eace179a0d3

SHA512
ccad986451d24f5a56891e7d75b80d9c3dc424f43bfc1e9073846b8af796722788bb106e0ae8f15f518ec6628bd1bc22426e3355aa9fde0a8e4f6f44b64ad726

Download Submit

Analysis

Sharing