28d2855fef460def7b6bc7076cfe050a79bb9734196c9e53fc0cdecb7b566c9f

General

Target

d8618418bb39af8e2bd6ed51511b507d_JaffaCakes118.exe
Size

16KB
MD5

d8618418bb39af8e2bd6ed51511b507d
SHA1

99fd145b776809fa0904a9adeb0b028aae607a3f
SHA256

28d2855fef460def7b6bc7076cfe050a79bb9734196c9e53fc0cdecb7b566c9f
SHA512

6372657b5cbb103ebdbcc09f3e29a25df51e1cf936a0a78dd31fae8d1da32df35b91e8198ae8cadb71f64f2ab2f41748a5e727ec2322260e2423479f853763c6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhucj:hDXWipuE+K3/SSHgxIcj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	d8618418bb39af8e2bd6ed51511b507d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM3BFF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM928B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEME8BA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM3EBA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM94E8.exe

Executes dropped EXE 6 IoCs

pid	Process
1172	DEM3BFF.exe
4424	DEM928B.exe
5084	DEME8BA.exe
2300	DEM3EBA.exe
4876	DEM94E8.exe
1980	DEMEB07.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 1172	4784	d8618418bb39af8e2bd6ed51511b507d_JaffaCakes118.exe	97
PID 4784 wrote to memory of 1172	4784	d8618418bb39af8e2bd6ed51511b507d_JaffaCakes118.exe	97
PID 4784 wrote to memory of 1172	4784	d8618418bb39af8e2bd6ed51511b507d_JaffaCakes118.exe	97
PID 1172 wrote to memory of 4424	1172	DEM3BFF.exe	100
PID 1172 wrote to memory of 4424	1172	DEM3BFF.exe	100
PID 1172 wrote to memory of 4424	1172	DEM3BFF.exe	100
PID 4424 wrote to memory of 5084	4424	DEM928B.exe	102
PID 4424 wrote to memory of 5084	4424	DEM928B.exe	102
PID 4424 wrote to memory of 5084	4424	DEM928B.exe	102
PID 5084 wrote to memory of 2300	5084	DEME8BA.exe	104
PID 5084 wrote to memory of 2300	5084	DEME8BA.exe	104
PID 5084 wrote to memory of 2300	5084	DEME8BA.exe	104
PID 2300 wrote to memory of 4876	2300	DEM3EBA.exe	106
PID 2300 wrote to memory of 4876	2300	DEM3EBA.exe	106
PID 2300 wrote to memory of 4876	2300	DEM3EBA.exe	106
PID 4876 wrote to memory of 1980	4876	DEM94E8.exe	108
PID 4876 wrote to memory of 1980	4876	DEM94E8.exe	108
PID 4876 wrote to memory of 1980	4876	DEM94E8.exe	108

C:\Users\Admin\AppData\Local\Temp\d8618418bb39af8e2bd6ed51511b507d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d8618418bb39af8e2bd6ed51511b507d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Local\Temp\DEM3BFF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3BFF.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Users\Admin\AppData\Local\Temp\DEM928B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM928B.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Users\Admin\AppData\Local\Temp\DEME8BA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME8BA.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Users\Admin\AppData\Local\Temp\DEM3EBA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3EBA.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2300
      - C:\Users\Admin\AppData\Local\Temp\DEM94E8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM94E8.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\DEMEB07.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEB07.exe"
        7⤵
        Executes dropped EXE
        
        PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3BFF.exe

Filesize
16KB

MD5
e2280b135fd5b40794d3ab0ed20859ed

SHA1
383f35f4f28dc7fd492cc547790e157f4ce24aff

SHA256
50867cef631c9cb75e05d1c9d1b4142e8c8c5621aa0f7b6fc068fa9e48926481

SHA512
2d08c3142ad2a6f6f4c6419a5f599a4311b115fb7ae1f8e473233d353a2fd25295a45c2dd8dd8e7cb69cc874d3536a9590f62b3aaf7c121bf4def1fbc219b39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3EBA.exe

Filesize
16KB

MD5
d60acaa4d911644eda135df517f5d680

SHA1
1421c11aa70350c40ec80a3caf2bcee14d325fd7

SHA256
993449cabb30aa8f898a46de3560f08db9811d258f505453ac489a26e063458a

SHA512
1d418db26ad831e33d4a0f28cf4278d571ec08fd7f433652daad853830609d40e413565ee279919db97963c4a045cce986a9def752436a9097dc9289e2bc4366

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM928B.exe

Filesize
16KB

MD5
4ec44a31f5658c4d82a2e7794d99606e

SHA1
52c34cd76676aa398165cd4ffe5d4c6d5f1d2c8b

SHA256
f31552bcafad4be026b5339e5259a063252156e8f3be7a91f5d49bf48755dd97

SHA512
3dd9ed110af0f06982f9529a99de38046208d12c2ddbd9bdd89b055a72565bd470c92352fe18dcc0c2ead40752b5b372ade1d9a9726390aa5742cce6033b8cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM94E8.exe

Filesize
16KB

MD5
996adaff2bcab55434ac2acb3c2dfbc5

SHA1
354b7bddac4f48fb250bf05c76d45356906edff4

SHA256
a65e3e04cad7639aa1dfabb4371e46d3c7f8e92366887476063a046ad5f3f800

SHA512
7ad427e3b60bb2a094744c0a702b8c4c23ae2e0bf9aee22196143a0e22f5265b8458b9f01e706fd9ce3a6b0417a1d267e3171d2f7145ca3d3e49d63fed80b707

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME8BA.exe

Filesize
16KB

MD5
b016e4aead2976d3826eb61f59aee38c

SHA1
2835e6cabc2c9b217a1353594f667de53681330c

SHA256
9278a77bcd0201a7de6448c7914deb45ddbbf3824e5af14f37e7f5fa9efd4203

SHA512
c0c23bf2c35441e2d797ae3d50f2cb832e20883aab84835c10be622a44fcc5ad303c613fc35ec4c8924c1cf32e1796f1a9e8bc49ec70d56cfc5de0105b413727

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEB07.exe

Filesize
16KB

MD5
39469ab50849acd727c691cfac5bc1ff

SHA1
7eda1e9da154ef09fc6ae0ddb854819d0c91728c

SHA256
fead42ed4b96cd6180b3f374c63c2cda86110c19961778dafcbc3cdb96fef781

SHA512
4ac3ce122d9c0f6dfa8bc302babf301f534be89d24304c92e4f872befc1da0b8168b4ec0e8684fe2134d5fbe54d9fd2606a738d01de3f2c0c0037ea55ad6f6e7

Download Submit

Analysis

Sharing