e2201e28ccda76d68bdbb39c80bf1479cf0ed95d04ee14accc607e474e958191

General

Target

d9ff59836649af5710c2746eda8893b9_JaffaCakes118.exe
Size

14KB
MD5

d9ff59836649af5710c2746eda8893b9
SHA1

10af06349e619e77fcc51f23f5c21e3236ceaee7
SHA256

e2201e28ccda76d68bdbb39c80bf1479cf0ed95d04ee14accc607e474e958191
SHA512

aa336adb61e84067ce838f3005a8d5fcd2778ab7562c4b9a4879e00a8141bbda9a353206f4bde436f34783e967c317891aaf6b87d0fed55b16b519f97b3ba191
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlU:hDXWipuE+K3/SSHgxmlU

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEME2BF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM38AF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM8EFC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	d9ff59836649af5710c2746eda8893b9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM3633.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM8CCF.exe

Executes dropped EXE 6 IoCs

pid	Process
1540	DEM3633.exe
4224	DEM8CCF.exe
2380	DEME2BF.exe
2024	DEM38AF.exe
2880	DEM8EFC.exe
2068	DEME4DD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 1540	3236	d9ff59836649af5710c2746eda8893b9_JaffaCakes118.exe	98
PID 3236 wrote to memory of 1540	3236	d9ff59836649af5710c2746eda8893b9_JaffaCakes118.exe	98
PID 3236 wrote to memory of 1540	3236	d9ff59836649af5710c2746eda8893b9_JaffaCakes118.exe	98
PID 1540 wrote to memory of 4224	1540	DEM3633.exe	101
PID 1540 wrote to memory of 4224	1540	DEM3633.exe	101
PID 1540 wrote to memory of 4224	1540	DEM3633.exe	101
PID 4224 wrote to memory of 2380	4224	DEM8CCF.exe	103
PID 4224 wrote to memory of 2380	4224	DEM8CCF.exe	103
PID 4224 wrote to memory of 2380	4224	DEM8CCF.exe	103
PID 2380 wrote to memory of 2024	2380	DEME2BF.exe	105
PID 2380 wrote to memory of 2024	2380	DEME2BF.exe	105
PID 2380 wrote to memory of 2024	2380	DEME2BF.exe	105
PID 2024 wrote to memory of 2880	2024	DEM38AF.exe	107
PID 2024 wrote to memory of 2880	2024	DEM38AF.exe	107
PID 2024 wrote to memory of 2880	2024	DEM38AF.exe	107
PID 2880 wrote to memory of 2068	2880	DEM8EFC.exe	109
PID 2880 wrote to memory of 2068	2880	DEM8EFC.exe	109
PID 2880 wrote to memory of 2068	2880	DEM8EFC.exe	109

C:\Users\Admin\AppData\Local\Temp\d9ff59836649af5710c2746eda8893b9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d9ff59836649af5710c2746eda8893b9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Users\Admin\AppData\Local\Temp\DEM3633.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3633.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Users\Admin\AppData\Local\Temp\DEM8CCF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8CCF.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Users\Admin\AppData\Local\Temp\DEME2BF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME2BF.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Users\Admin\AppData\Local\Temp\DEM38AF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM38AF.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2024
      - C:\Users\Admin\AppData\Local\Temp\DEM8EFC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8EFC.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\DEME4DD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME4DD.exe"
        7⤵
        Executes dropped EXE
        
        PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3633.exe

Filesize
14KB

MD5
67c29252e33d089108b4dc200091d5d7

SHA1
a13b9be155a2041cfb274a17932a387e31eeb3a8

SHA256
c79e2ccaa792f7b6e36f84b989da29719b84837b066e3c3cd2ce8202c728b58a

SHA512
39ed154cc1bbd29573b6bfb0d706b9789b6d87ed67323c21b7e8869cbf7eb6a22e52781515c64c0cee212a7d2b25c27bc3097b5177753e4f0a3c27359b380bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM38AF.exe

Filesize
14KB

MD5
dd457d5078973ceb5f003101138a855a

SHA1
d889559c1846618322407930e2f344b2a8a5c532

SHA256
1794530102bfb64edf6e8029bdf333700db9af6c7cad4fedf577038a516e5c45

SHA512
a59cda8a743e8490c9a06c264db8a58c26f42c66dbdfd238b73eae9404133a3151569af7934072607db9222295b8ecac06bb1f3c1bcb6dcb451ad6891cd59ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8CCF.exe

Filesize
14KB

MD5
4341da7d29c9e8e16654d976e8390298

SHA1
f3bb9cce9ce9c585ad9e1c9dcc558f269ec634e5

SHA256
a17d782a7a8c742ded07150969465ade78a0d720f213d62026b1470f77c78c8b

SHA512
9d55372915e224d6463d7bac2fa71a4d7987cc5414f742e7ae874086c161796f31e6e17c230255f08ea9e81be577d08b9059c8a51b95d663a4c5062665e5507a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8EFC.exe

Filesize
14KB

MD5
6b903acc5b1648cae414fabf5f876ada

SHA1
79a78c86a54e324eb3f745e8f77b03181ac37ee8

SHA256
e86ba2ef9296be26b2821f3048d1a2314abfa7b3d1776c07618e34c2c33345be

SHA512
c0305ef0398f98502f7bb7c536303d10adc33a7d0b66841c8860fcb8a4a3d603e927f7b1dfaeaeb7fc6da7c3d8f901412223d83209d85aeafb2ced13dee37690

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME2BF.exe

Filesize
14KB

MD5
ef5d4fbc1fc97dd9f85cd5dffbd6b072

SHA1
e7d4a51880c8c98a5ae48da3b077237c635b62dc

SHA256
cba0d4a2e3c5204bf9b6e82d005784f42da4f424e13f51dc4af59234bddf47a2

SHA512
7a50a9c3a567985c7c16b6fba6550b0abffcd7c5d200b2db5b86be918810c14a90c09b2f76ccfa4a51c29c8a1cfd0121340765c859500408e13950c2e7524cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME4DD.exe

Filesize
14KB

MD5
12b4515994f53b3c4c31b789b220c7e9

SHA1
7da1ad471d98cc8dba865d4b04a6c5c9ff14f344

SHA256
8234476436ff48290a670a38efa0ff5897537ccf6bb6bd4da0fccd69f1303f4b

SHA512
59ca27dbb7c8afb14ce9b89ae8ec3d86521eab0117f952e4169a25b1d19a89fb0646d39a681b5e1648fbe7f41f0dfa40ffe9cc54864093eb076e4525254f655a

Download Submit

Analysis

Sharing