d3e2c15ce7ba4a05d6e9652675af8bd8562336f6618882be67f6b73627e94bbb

General

Target

da364f34d534ac1178d35b1fd4c50518_JaffaCakes118.exe
Size

20KB
MD5

da364f34d534ac1178d35b1fd4c50518
SHA1

ce699c4d0ba35b705bec49915e23365770c43cbf
SHA256

d3e2c15ce7ba4a05d6e9652675af8bd8562336f6618882be67f6b73627e94bbb
SHA512

71f2d5023ebe8b7f79e6378f5a2dbef0034aecb626aaa178704b620ef22cf6cb3eee19c05ff22c5a78747443451a7e950944ff01c4e0f21d7ac18adbc76f3597
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4k0:hDXWipuE+K3/SSHgxmHZk0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM4277.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM9904.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEMEF13.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM4532.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM9B60.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	da364f34d534ac1178d35b1fd4c50518_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3804	DEM4277.exe
1500	DEM9904.exe
2384	DEMEF13.exe
4092	DEM4532.exe
1028	DEM9B60.exe
2432	DEMF18F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 3804	1524	da364f34d534ac1178d35b1fd4c50518_JaffaCakes118.exe	98
PID 1524 wrote to memory of 3804	1524	da364f34d534ac1178d35b1fd4c50518_JaffaCakes118.exe	98
PID 1524 wrote to memory of 3804	1524	da364f34d534ac1178d35b1fd4c50518_JaffaCakes118.exe	98
PID 3804 wrote to memory of 1500	3804	DEM4277.exe	101
PID 3804 wrote to memory of 1500	3804	DEM4277.exe	101
PID 3804 wrote to memory of 1500	3804	DEM4277.exe	101
PID 1500 wrote to memory of 2384	1500	DEM9904.exe	103
PID 1500 wrote to memory of 2384	1500	DEM9904.exe	103
PID 1500 wrote to memory of 2384	1500	DEM9904.exe	103
PID 2384 wrote to memory of 4092	2384	DEMEF13.exe	105
PID 2384 wrote to memory of 4092	2384	DEMEF13.exe	105
PID 2384 wrote to memory of 4092	2384	DEMEF13.exe	105
PID 4092 wrote to memory of 1028	4092	DEM4532.exe	107
PID 4092 wrote to memory of 1028	4092	DEM4532.exe	107
PID 4092 wrote to memory of 1028	4092	DEM4532.exe	107
PID 1028 wrote to memory of 2432	1028	DEM9B60.exe	109
PID 1028 wrote to memory of 2432	1028	DEM9B60.exe	109
PID 1028 wrote to memory of 2432	1028	DEM9B60.exe	109

C:\Users\Admin\AppData\Local\Temp\da364f34d534ac1178d35b1fd4c50518_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da364f34d534ac1178d35b1fd4c50518_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\DEM4277.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4277.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Users\Admin\AppData\Local\Temp\DEM9904.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9904.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Users\Admin\AppData\Local\Temp\DEMEF13.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEF13.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Users\Admin\AppData\Local\Temp\DEM4532.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4532.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4092
      - C:\Users\Admin\AppData\Local\Temp\DEM9B60.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9B60.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\DEMF18F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF18F.exe"
        7⤵
        Executes dropped EXE
        
        PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4277.exe

Filesize
20KB

MD5
f3afbc4904bafe531fb20902a615f68a

SHA1
8ad94464aa1fe5b34243b11b21c741c4f9fd9df3

SHA256
5e504e0ef583c59b9e5bf28719112a8797614b316ec7cb7074f0a40368cd9d8c

SHA512
85f9238e561c5b7c6419fe5463fe3c1d963ef41fb1591e161eb29efa8111e8538c09aef6e90f98e143c38b67cf86cba064170876ec858ab00d83788facd5d05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4532.exe

Filesize
20KB

MD5
f8cc2fc2dea82d2db1fea5850e88e6d2

SHA1
aaafabbfbecbc02bc91765da7171f3e09b5401c3

SHA256
eea77b7d2fd0de0394167ff69ec86b44efee7453bd5993e60aad9e28a7655b54

SHA512
f27a24df3a13f08ca1db7828aa1703cd9b8417fa83073e5f3df2bd78ed77df3626f873bfa12d016137d6c5988e9b43ee39d08db989202e35e1a654af7e1ac546

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9904.exe

Filesize
20KB

MD5
8c7a852ef664c2f27cb216fd33102e53

SHA1
8eee60d8611b8843f5b3a62a8064a25183644ff3

SHA256
824b6427f6e1c3e06d803d2332fd2dd83d367a8eebc6ec2e67036bde6044e05e

SHA512
447edd0a4911017422c36f777ce06363e4e2066d2f9be8dde9e0d6005ca0d6a5bd565d940a910eae56a94829ba61bfec7e3a6e95c6595e3c39c9188010175a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9B60.exe

Filesize
20KB

MD5
1c7d3f344759bb41d466b3ed567af65e

SHA1
3a6ec02bd41c7497bb15814a2fc9702846276898

SHA256
4ac2ace65e66b2a696f59bb73fefb129a100b63ef1c8bfdda0b57c9572a3af65

SHA512
d95e68e4c56e25bc449a1be5efa3f4f51eb8532ec9b96a7d4907b4f171bb6003921c01ec809345e36bcf89987242389abdc850f5041f8047d68b74e8238f7ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEF13.exe

Filesize
20KB

MD5
1eeb3eed846faf850eef2841df84a124

SHA1
aa3d4279eb610bb96c181e082cc0050463c526df

SHA256
f1dc9a2d7ddb5022b55c3440a0be8b899f9ce6d428111778fd91d6fd68c92b4f

SHA512
5bd67ac683f7f25c76de4899addba4d43519c22345c5dc9767bf30a6373bef36cfae4b621712f16905c0dc5dfb19bdad591c36bd3eb85466a6773c0d6fc22024

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF18F.exe

Filesize
20KB

MD5
58cfc91a4d7e946d00d472dd90e9116f

SHA1
92154d5fc421990eee16aeff8a21c34cc853b758

SHA256
8d922c300aac0d2bc7989990b936e69c5c1ddd2422f12cc9d3417f6be7bf1d91

SHA512
e827808a28c89bd0af9bb173c2887c53a913e4ea7a024c5ac98b58190ffa56e1ea8d5b39ac845b7ba0f1feb46b91f0252ae3290cb4c04f13a662a40d05831a58

Download Submit

Analysis

Sharing