2b3345178159dc3c7542ea9e146d5c747c4d6f6fd21239dfa65add0a16556e40

General

Target

e198e87970a4a2616d9b000b9af2d6cc_JaffaCakes118.exe
Size

20KB
MD5

e198e87970a4a2616d9b000b9af2d6cc
SHA1

ff0c0c4974e4c5a81df02d42bd85e787b1f81d67
SHA256

2b3345178159dc3c7542ea9e146d5c747c4d6f6fd21239dfa65add0a16556e40
SHA512

120dee20c52314b6d6f2e6eaefb739aadefc711a0ef36de29a74eead1a49623efdfc8e7d1a4ee4495ea927693314ca13bce325bee38e5ff04478fb03690e2885
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4A:hDXWipuE+K3/SSHgxmHZA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	e198e87970a4a2616d9b000b9af2d6cc_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM34AC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM8B96.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEME119.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM3709.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM8D47.exe

Executes dropped EXE 6 IoCs

pid	Process
2776	DEM34AC.exe
2316	DEM8B96.exe
2840	DEME119.exe
2304	DEM3709.exe
4600	DEM8D47.exe
2768	DEME366.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 2776	4144	e198e87970a4a2616d9b000b9af2d6cc_JaffaCakes118.exe	98
PID 4144 wrote to memory of 2776	4144	e198e87970a4a2616d9b000b9af2d6cc_JaffaCakes118.exe	98
PID 4144 wrote to memory of 2776	4144	e198e87970a4a2616d9b000b9af2d6cc_JaffaCakes118.exe	98
PID 2776 wrote to memory of 2316	2776	DEM34AC.exe	101
PID 2776 wrote to memory of 2316	2776	DEM34AC.exe	101
PID 2776 wrote to memory of 2316	2776	DEM34AC.exe	101
PID 2316 wrote to memory of 2840	2316	DEM8B96.exe	103
PID 2316 wrote to memory of 2840	2316	DEM8B96.exe	103
PID 2316 wrote to memory of 2840	2316	DEM8B96.exe	103
PID 2840 wrote to memory of 2304	2840	DEME119.exe	105
PID 2840 wrote to memory of 2304	2840	DEME119.exe	105
PID 2840 wrote to memory of 2304	2840	DEME119.exe	105
PID 2304 wrote to memory of 4600	2304	DEM3709.exe	107
PID 2304 wrote to memory of 4600	2304	DEM3709.exe	107
PID 2304 wrote to memory of 4600	2304	DEM3709.exe	107
PID 4600 wrote to memory of 2768	4600	DEM8D47.exe	109
PID 4600 wrote to memory of 2768	4600	DEM8D47.exe	109
PID 4600 wrote to memory of 2768	4600	DEM8D47.exe	109

C:\Users\Admin\AppData\Local\Temp\e198e87970a4a2616d9b000b9af2d6cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e198e87970a4a2616d9b000b9af2d6cc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Users\Admin\AppData\Local\Temp\DEM34AC.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM34AC.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\DEM8B96.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8B96.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\DEME119.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME119.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Users\Admin\AppData\Local\Temp\DEM3709.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3709.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2304
      - C:\Users\Admin\AppData\Local\Temp\DEM8D47.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8D47.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\DEME366.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME366.exe"
        7⤵
        Executes dropped EXE
        
        PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM34AC.exe

Filesize
20KB

MD5
6f5b7665dc969bfa21e0bf430643d360

SHA1
99a7451a80283acfc784863f0973974cfacc4770

SHA256
a929beed61d67c0707d97da06d601cf557a0939f33e8efb1dd06154854b137d8

SHA512
3747b8baa0c5d8c70ac47d2e452a3c8350637c88c57530de1f4017ae360e64345829665f1472539888207fb1a70e909de31538cb0a1e661c9da47e9b55cfd3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3709.exe

Filesize
20KB

MD5
48f759c88aaed5c908026d3b9e2775ff

SHA1
9121a75b69b324670b9e1088184422a2426ccaad

SHA256
9fa1ffb921cef6e78db42dc430d0579adf9fc8a11fe31c73fefaede58701d61c

SHA512
0f4e333de2f1db5fc6f4774cd9cefc1218df3320148f773f32e577bd3a89c0cafb4c079f9742c31041a3776165912a4d961d8dd0d2cfb1e6883d64dd79c97465

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8B96.exe

Filesize
20KB

MD5
8f9523d4beba9e34662e5e21daacee3a

SHA1
ddfa88408a2cc7bb324c2bb904bae99458e5b257

SHA256
03ab6cbd096b8930eff1e92f60e1fd9ed3a772310db8cacd8564735ad6ee740e

SHA512
d73a675a5dc17e813b76b1a7e3362a666425f2a97077fb1a5bd0ee16d1f65220c0a59e382bca7c5a183797245a73700c36907d81a67485dd6be54363e54129e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8D47.exe

Filesize
20KB

MD5
3e0f82e9cdd268ba5d17d796952e68a9

SHA1
7af09e5181201d15a07f263493b125402cbaa3ff

SHA256
e0a5ae93f0a90b9c44c044ea99f7e8824a5798ca881c971d4d9e5b581cbd41a7

SHA512
fddf482b037ff9c8017465fc0888a2d72492c6f107f2f115da26510c249a872aad7d21da190c538211b0adc553965d742bac83b56893a5148d4aa20f3b58c48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME119.exe

Filesize
20KB

MD5
8f79557515d5f513b59bcfb582a3a1c8

SHA1
e3e9aeaa274652229123b3aa56f36c7fe2f91cda

SHA256
08331b667f497141707f058cb18be9b4452540c97b73ae53b42066eb60f7fa1d

SHA512
bf97a2b34b71292f4237a3b2fe852cae2be866a6d8a7a3513935dabc64259c654493f0e99072c11505a28b37d199d4654446ddce36580abbe1395b68f692115e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME366.exe

Filesize
20KB

MD5
4b7c72ae4a2c3b2053e0ecd4cbd84417

SHA1
5beb3ccf784fb56b4c23496acadb34a79de9cc00

SHA256
7f99b118764e304472298ad382b4b1979eee7e739a2be95a171d056b7b29cdc8

SHA512
2c45d2abe1fd0bb723bbb8180d4647300b70852805deba34a6224f7dc1daf48b9d1c6e54426b750b718f1a8f4f8b4ae3fd46970337c00dec8fb806c646154a9c

Download Submit

Analysis

Sharing