1e26013d2acdcd11dde5c336e7f031c17460a0f45b7ef1c4becf5d860e1d03b6

General

Target

e050f9bc8dc86a9027677e536b68bb5f_JaffaCakes118.exe
Size

15KB
MD5

e050f9bc8dc86a9027677e536b68bb5f
SHA1

429549303e0fc1a3bfa145a7df4a2fbbad00295b
SHA256

1e26013d2acdcd11dde5c336e7f031c17460a0f45b7ef1c4becf5d860e1d03b6
SHA512

c6675aed9be6e21842107610f51f4cc86e6bcdc0132e1ca136232595af3a29e0bdb9e463747efd972fc935fec727cdf7d9dd52d54150a72f8ff95c274272b17a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4l+aF:hDXWipuE+K3/SSHgxmg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	e050f9bc8dc86a9027677e536b68bb5f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM491F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM9F1E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMF482.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM49C6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM9FD5.exe

Executes dropped EXE 6 IoCs

pid	Process
1632	DEM491F.exe
2168	DEM9F1E.exe
4972	DEMF482.exe
3868	DEM49C6.exe
604	DEM9FD5.exe
4092	DEMF5D5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 1632	4092	e050f9bc8dc86a9027677e536b68bb5f_JaffaCakes118.exe	92
PID 4092 wrote to memory of 1632	4092	e050f9bc8dc86a9027677e536b68bb5f_JaffaCakes118.exe	92
PID 4092 wrote to memory of 1632	4092	e050f9bc8dc86a9027677e536b68bb5f_JaffaCakes118.exe	92
PID 1632 wrote to memory of 2168	1632	DEM491F.exe	97
PID 1632 wrote to memory of 2168	1632	DEM491F.exe	97
PID 1632 wrote to memory of 2168	1632	DEM491F.exe	97
PID 2168 wrote to memory of 4972	2168	DEM9F1E.exe	99
PID 2168 wrote to memory of 4972	2168	DEM9F1E.exe	99
PID 2168 wrote to memory of 4972	2168	DEM9F1E.exe	99
PID 4972 wrote to memory of 3868	4972	DEMF482.exe	101
PID 4972 wrote to memory of 3868	4972	DEMF482.exe	101
PID 4972 wrote to memory of 3868	4972	DEMF482.exe	101
PID 3868 wrote to memory of 604	3868	DEM49C6.exe	103
PID 3868 wrote to memory of 604	3868	DEM49C6.exe	103
PID 3868 wrote to memory of 604	3868	DEM49C6.exe	103
PID 604 wrote to memory of 4092	604	DEM9FD5.exe	105
PID 604 wrote to memory of 4092	604	DEM9FD5.exe	105
PID 604 wrote to memory of 4092	604	DEM9FD5.exe	105

C:\Users\Admin\AppData\Local\Temp\e050f9bc8dc86a9027677e536b68bb5f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e050f9bc8dc86a9027677e536b68bb5f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Users\Admin\AppData\Local\Temp\DEM491F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM491F.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\DEM9F1E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9F1E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\DEMF482.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF482.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4972
    - - C:\Users\Admin\AppData\Local\Temp\DEM49C6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM49C6.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3868
      - C:\Users\Admin\AppData\Local\Temp\DEM9FD5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9FD5.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\DEMF5D5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF5D5.exe"
        7⤵
        Executes dropped EXE
        
        PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM491F.exe

Filesize
15KB

MD5
612f950fc4118366e2cf5bb40d580335

SHA1
f4cd62e0af0dfc2104450295712215038515d7ec

SHA256
fbbfb484cc17a59ff97aecb9f313ba72ca164d87832310bfd53539a365b510ff

SHA512
990dad282091a60bedc885395dd57f0a735f4c21809baa88c43741cc438123feab5136a0e6a754e945bb16806e287fb2ef3668971463bf2520c7a15848bd2d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM49C6.exe

Filesize
15KB

MD5
a1215162f5bafca55ca5ad34c999f484

SHA1
111834c4e854b6064730f26d21d563f951cb14b6

SHA256
e43aa44b5957777aae21196e026b9b98252285e94d94e23ee7577d1ce8f0e595

SHA512
f55bc4b5dd7b97f79185e15931a8311163e0a1008ec0163442a4909c3c92c73fe4e968f19cd871a0366e3e3d0191b17c8434e554e10591ca93efd1e86c7fc7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9F1E.exe

Filesize
15KB

MD5
897b237d05520eaf339348447432e2d9

SHA1
6a1e69c9b2ef7c74f2ea1c8e4c3634a872778eb9

SHA256
18893717358f67ab7c8563187d1cf372c46654d01c85181b653e2b0fefed1d1c

SHA512
edb8dc72568db2bb34366ac316fb319dde2637ae0e9df06e11c7fc0f369ce4e2f009986f57ef86bf65bbfc1276a3a951cafe79872db91d2dc8e998eee4db5931

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9FD5.exe

Filesize
15KB

MD5
b48ab2d57de38f3dd7d40297596fd907

SHA1
bb9d8f8b4a451c5ec4daf636960de72487f37933

SHA256
03ab3a63f8aabd7fe8dd23372f20409843a9ffd9bdd5fc3a586d925642fb34ec

SHA512
e3e20d458d519afb17192536ac6495dd14ee092a24414d715bb2aac0d9b751b0d7d096cc2c03815740f7410cc29cd17d049869982f9e1bd21200f0882f4946ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF482.exe

Filesize
15KB

MD5
dd169def8d34511c01ec0259d0e38e0c

SHA1
3ec359a13ceb4c75a697bbbc54374f3a0014d226

SHA256
3eb7885283ec86f8d755e4e4f0b0e693020a0fd28edf3bfd09ad3a12baa0b2a1

SHA512
22d67825a70e0c8a3929c09ee43de5ed0e8d8a6583f6ccb5dd78c250377ef4b724c7f55bb651dfd6da2bbf034c7e32ecf95c49387b838e00cfc5159c48308a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF5D5.exe

Filesize
15KB

MD5
5d2ddfc2ee47995bd65089c77e1044d8

SHA1
cdded1eb24d9a784ec82f68c155f75176f047ee4

SHA256
55c86485968fa7834e78f5b998d58d58eefdb2deeaac5b798f2f8abbb7c02393

SHA512
31ce476638c682d77dbddc8331bcbaf834406c55a86eb1abf2ac6064af9448e952dca439717f23cbd69496ebb927fee9f42e6d4aaf6a9ad834525da997c1ffd6

Download Submit

Analysis

Sharing