b05612ac84cc9812362d85e3c1a0495163e6eb5c552aacbacfb4af94c4753758

General

Target

e1083124cfdc87844d334cf6ff13d855_JaffaCakes118.exe
Size

15KB
MD5

e1083124cfdc87844d334cf6ff13d855
SHA1

1bdf971aec527214edd01eb31b4d93b2f3a783f4
SHA256

b05612ac84cc9812362d85e3c1a0495163e6eb5c552aacbacfb4af94c4753758
SHA512

cdda7b338b2c0a0ce23a1371448ad981af9bea138a8268d583024ded3f695d85ef45907073c04de9553cbabbc7721dfd3ae97e237e37b202d7d5fb231414f2a2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYJBK:hDXWipuE+K3/SSHgxmbK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	e1083124cfdc87844d334cf6ff13d855_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM5275.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEMAA1B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEMC6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM5704.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEMAD91.exe

Executes dropped EXE 6 IoCs

pid	Process
4124	DEM5275.exe
940	DEMAA1B.exe
4484	DEMC6.exe
3040	DEM5704.exe
4476	DEMAD91.exe
4768	DEM3EE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 4124	3136	e1083124cfdc87844d334cf6ff13d855_JaffaCakes118.exe	96
PID 3136 wrote to memory of 4124	3136	e1083124cfdc87844d334cf6ff13d855_JaffaCakes118.exe	96
PID 3136 wrote to memory of 4124	3136	e1083124cfdc87844d334cf6ff13d855_JaffaCakes118.exe	96
PID 4124 wrote to memory of 940	4124	DEM5275.exe	99
PID 4124 wrote to memory of 940	4124	DEM5275.exe	99
PID 4124 wrote to memory of 940	4124	DEM5275.exe	99
PID 940 wrote to memory of 4484	940	DEMAA1B.exe	101
PID 940 wrote to memory of 4484	940	DEMAA1B.exe	101
PID 940 wrote to memory of 4484	940	DEMAA1B.exe	101
PID 4484 wrote to memory of 3040	4484	DEMC6.exe	103
PID 4484 wrote to memory of 3040	4484	DEMC6.exe	103
PID 4484 wrote to memory of 3040	4484	DEMC6.exe	103
PID 3040 wrote to memory of 4476	3040	DEM5704.exe	105
PID 3040 wrote to memory of 4476	3040	DEM5704.exe	105
PID 3040 wrote to memory of 4476	3040	DEM5704.exe	105
PID 4476 wrote to memory of 4768	4476	DEMAD91.exe	107
PID 4476 wrote to memory of 4768	4476	DEMAD91.exe	107
PID 4476 wrote to memory of 4768	4476	DEMAD91.exe	107

C:\Users\Admin\AppData\Local\Temp\e1083124cfdc87844d334cf6ff13d855_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1083124cfdc87844d334cf6ff13d855_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Users\Admin\AppData\Local\Temp\DEM5275.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5275.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Users\Admin\AppData\Local\Temp\DEMAA1B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAA1B.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\DEMC6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC6.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4484
    - - C:\Users\Admin\AppData\Local\Temp\DEM5704.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5704.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Users\Admin\AppData\Local\Temp\DEMAD91.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAD91.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\DEM3EE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3EE.exe"
        7⤵
        Executes dropped EXE
        
        PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3EE.exe

Filesize
15KB

MD5
9aa6309f6a71063172adaad6c870193a

SHA1
948421ac6d6a80a574c34081ea3abfcf774dd450

SHA256
430fece1ded0e78b6fff40ff8d6c3ef5384aa8418c9d683961dd4b27a86d99ab

SHA512
bea25dbbcd86df22f95193ca4f7fdc4bf4a212db836410ed6ffe1fccf9d2811ad6982ceb5ad39d6c8dd1bc6c5115536706e932d712aa0d50fdfe2f6a3b16e9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5275.exe

Filesize
15KB

MD5
08fbb9e3c2540711de3286293980ef3b

SHA1
89614e91210e7f0a906a91a8168e3b1155c2aa7e

SHA256
99b1b0941e3aea612a937119dc9e73384a93688c7e982ea8c97809ff23dc3df5

SHA512
ae3fc5ef7eaa18030188b96c2b68e7dc304eb4616e285fd4895b0400b202ac4eb12f27dec1eccbfaa1fef930ad709fdcb0c16118610a02f14a7da2f991151640

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5704.exe

Filesize
15KB

MD5
318bb424738502633d52e6293374f98b

SHA1
50c92859536c3255eca2e2595d0cf79cc830bc36

SHA256
89b37cdbc214ebcd78d4a63a0ed532ea9b33d5bb43385c75f3b52498efc52ae8

SHA512
019abbacac318adccc58e9f3d71138034b578855dbfbd5b8988c02898e47024d20af65a6675e6bc2299ca978023a1e0a23a7bbfd84a6059d58376c7c5aeec33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAA1B.exe

Filesize
15KB

MD5
00ab97a8a649b13ad70808a08bdc9089

SHA1
9414433a949c63ea42deddf4e7841a7ea4a4c5b4

SHA256
ec2933916cbdddb4bec00f7b948e69c8a6c8b12ca50399bccc7741bcafc6ff23

SHA512
5e6b1d0d2ab31c633a8970e15420ada53d46af2ef3eb70e8473171c881f43d448c1b5ecf2429d42547a6b942ce973c7ca7ef019e0e322effe99e41d7ddfca311

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAD91.exe

Filesize
15KB

MD5
85542f35cbd2f18c61381c1c66babdce

SHA1
0c51469b48b8bdbeb2831c5425924a8b972156d6

SHA256
ce16ff9be02ca56dda6b11cd13b4f4a4cb8241780c2dc3505b96d752559a0cc4

SHA512
ee66567777f9a48d1d39ea70400791fac1f2265ae3d2d1b2eb4f3330156d97d660a68fba45d709a925174c029de3c27506b24d8ad3a97c9c5091e85327915634

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC6.exe

Filesize
15KB

MD5
a6caa81a96ac8923851f3ac45aa61537

SHA1
ae4e44e01bffb0b7aa398dfa565bd37ba50837a0

SHA256
2669d0bb6d1b5e666882e7d72fdeabd124460d217e224698cea248c9c5a4f5d6

SHA512
d7673ad56280bc05e9a1496bf4047859436e1a2becebac413313bc0169170fef538434ade50b73e7ee1db5b6a86b62cb72ec60c662d9d01e8b295cda57be02ef

Download Submit

Analysis

Sharing