1062105e98743a8a45276d24f7ebce25565df818e8f2ad58d7a436a527beb921

General

Target

dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe
Size

13KB
MD5

dc3cf8388b866c3b471ca69c285a1dc1
SHA1

455c0f474597214e46f85fdf9fbb22109e4ce54a
SHA256

1062105e98743a8a45276d24f7ebce25565df818e8f2ad58d7a436a527beb921
SHA512

b9ade17b402194a2c52899d4f825593782514da3b7b25c123723a7fd7671ad4655fe6ea8abe64e2664e0e1f428fe34e0619bddcdd26bcc0b404cd9815e9842c1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhz0:hDXWipuE+K3/SSHgxx0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM6B48.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMC261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM6254.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMBBAF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM1383.exe

Executes dropped EXE 6 IoCs

pid	Process
3384	DEM6254.exe
3368	DEMBBAF.exe
440	DEM1383.exe
1644	DEM6B48.exe
4100	DEMC261.exe
1584	DEM19F7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 3384	1124	dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe	96
PID 1124 wrote to memory of 3384	1124	dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe	96
PID 1124 wrote to memory of 3384	1124	dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe	96
PID 3384 wrote to memory of 3368	3384	DEM6254.exe	99
PID 3384 wrote to memory of 3368	3384	DEM6254.exe	99
PID 3384 wrote to memory of 3368	3384	DEM6254.exe	99
PID 3368 wrote to memory of 440	3368	DEMBBAF.exe	101
PID 3368 wrote to memory of 440	3368	DEMBBAF.exe	101
PID 3368 wrote to memory of 440	3368	DEMBBAF.exe	101
PID 440 wrote to memory of 1644	440	DEM1383.exe	103
PID 440 wrote to memory of 1644	440	DEM1383.exe	103
PID 440 wrote to memory of 1644	440	DEM1383.exe	103
PID 1644 wrote to memory of 4100	1644	DEM6B48.exe	105
PID 1644 wrote to memory of 4100	1644	DEM6B48.exe	105
PID 1644 wrote to memory of 4100	1644	DEM6B48.exe	105
PID 4100 wrote to memory of 1584	4100	DEMC261.exe	107
PID 4100 wrote to memory of 1584	4100	DEMC261.exe	107
PID 4100 wrote to memory of 1584	4100	DEMC261.exe	107

C:\Users\Admin\AppData\Local\Temp\dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\DEM6254.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6254.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Users\Admin\AppData\Local\Temp\DEMBBAF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBBAF.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Users\Admin\AppData\Local\Temp\DEM1383.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1383.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:440
    - - C:\Users\Admin\AppData\Local\Temp\DEM6B48.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6B48.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1644
      - C:\Users\Admin\AppData\Local\Temp\DEMC261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC261.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\DEM19F7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM19F7.exe"
        7⤵
        Executes dropped EXE
        
        PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1383.exe

Filesize
13KB

MD5
ce641b26afaaaa2a7fe881db3e999c2f

SHA1
a7b8c6a5cd4a6e79ae2b95627d8af07279b7d8fa

SHA256
9352f2950b42a708ad97a10a268972a030ad94bbcecaef56aabb634715f680c1

SHA512
1c5d717f2131769108743df7a594a51b2eacd04371a80ff9fb429af9a1d0202009a1617af2eb671808f02957658e94aea252f1e841afe65f06569d0481bca9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM19F7.exe

Filesize
13KB

MD5
5ce3449cd06d2c7e0ae9a0586fe63f25

SHA1
fed8ce8f85813dbca35550b2ce4cfa8652c10e82

SHA256
90bdb0a9b7d0650996353700a1b7594734e3c63b84373f3314ca4be1307b1ca5

SHA512
20704008935577bfd35fbdc6168c6534853b3f3cf317333f36bc9ff6c0d8633b9c707ad995a6c66438ffd239ba1d65fe0c46ef5cdcec9f01aaa8b590a5481b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6254.exe

Filesize
13KB

MD5
8faea36f31cdc08e3ce8b996d238b710

SHA1
9df3f971402150413a6852dc3aa2fe47a0938cc6

SHA256
86ade246754996c2b49b798435ec6937cdf7c71fdca614a45058e46ed8bb5610

SHA512
ad86c80c5da6e2aaa891f91b3b547c9bb0c768a47b1dd728f8c8d9d41b669f7fe14e03c745b45f1c66be43ed8b5a69cb3fc3dff5c47e5effb9472f7ab2e5c107

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6B48.exe

Filesize
13KB

MD5
344a1edc2393a90069462cb6e8b4afd1

SHA1
92a9bb57efe8aaab704aca888e963bfeb40d7db5

SHA256
330ff1b8f49a9682b7929780be9a047946dbb11e6cbf8cd99f798b6d384eb9c3

SHA512
24a4eefc731530652152c316de0926e1eee98638cb06ab28e22cd57abb3cc54d8411e5db857e7a49d75614a7aeee300856a2eccbb7e3d461a49361baf0bc776c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBBAF.exe

Filesize
13KB

MD5
ca1d81f878927cda38ae7ecf8f3c5697

SHA1
53daa5743187729a8e01cd82aa434f2f48605136

SHA256
feaa4e39bf3f880e91ec6a8adc0fcc8f39f4b8c2e9c00fd85f4d094894fa6808

SHA512
ae74211e7f53c4a3aedf9756a1a670e755df69898a0f5dd9a232bf09c7f30c3c33eb3fe0d8ab3ad9b338b8f490b26411f729aafe59c953594cf2c57169c83029

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC261.exe

Filesize
13KB

MD5
2e854b69a68f1b0f12402e7c6ff898bf

SHA1
b5c858ed685890a34ed16490c8e15318e98cf153

SHA256
d494dfbeed5ab6b218338aefa0720bfda9c7be82d2198cd28c61389d3adfde92

SHA512
fb71a7151397b6c202c07b7546dbe18dd05afb108a9398fa06be31ba8ede917437756bbf3b96b6093c3d8ec436a7bafc74e66f1cb29157d0e613e58aad21af36

Download Submit

Analysis

Sharing