72eac0d6d48506be0293e3026aa516d2fa8fd3367f3b4bcd3913b8a3ec0d18e5

General

Target

eac85c7c0dc2a3e70d5ed5dc8a1fac7e_JaffaCakes118.exe
Size

15KB
MD5

eac85c7c0dc2a3e70d5ed5dc8a1fac7e
SHA1

56db2059e6858102e474023571beb922179d7e0b
SHA256

72eac0d6d48506be0293e3026aa516d2fa8fd3367f3b4bcd3913b8a3ec0d18e5
SHA512

9e5226e1833ff2ebc012aa0ce61f4e4769cf2b53d96f18fcdb54221d86b1a7adf1c3878de89a928032a183b71f8d55da0756a47ad5b0e2f735d61ecc3ef01cfc
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvAzx:hDXWipuE+K3/SSHgxm4l

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	eac85c7c0dc2a3e70d5ed5dc8a1fac7e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM349D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM8B0A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEME0FA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM3728.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM8D57.exe

Executes dropped EXE 6 IoCs

pid	Process
1448	DEM349D.exe
1648	DEM8B0A.exe
3744	DEME0FA.exe
3204	DEM3728.exe
2964	DEM8D57.exe
2832	DEME347.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1448	2504	eac85c7c0dc2a3e70d5ed5dc8a1fac7e_JaffaCakes118.exe	98
PID 2504 wrote to memory of 1448	2504	eac85c7c0dc2a3e70d5ed5dc8a1fac7e_JaffaCakes118.exe	98
PID 2504 wrote to memory of 1448	2504	eac85c7c0dc2a3e70d5ed5dc8a1fac7e_JaffaCakes118.exe	98
PID 1448 wrote to memory of 1648	1448	DEM349D.exe	101
PID 1448 wrote to memory of 1648	1448	DEM349D.exe	101
PID 1448 wrote to memory of 1648	1448	DEM349D.exe	101
PID 1648 wrote to memory of 3744	1648	DEM8B0A.exe	103
PID 1648 wrote to memory of 3744	1648	DEM8B0A.exe	103
PID 1648 wrote to memory of 3744	1648	DEM8B0A.exe	103
PID 3744 wrote to memory of 3204	3744	DEME0FA.exe	105
PID 3744 wrote to memory of 3204	3744	DEME0FA.exe	105
PID 3744 wrote to memory of 3204	3744	DEME0FA.exe	105
PID 3204 wrote to memory of 2964	3204	DEM3728.exe	107
PID 3204 wrote to memory of 2964	3204	DEM3728.exe	107
PID 3204 wrote to memory of 2964	3204	DEM3728.exe	107
PID 2964 wrote to memory of 2832	2964	DEM8D57.exe	109
PID 2964 wrote to memory of 2832	2964	DEM8D57.exe	109
PID 2964 wrote to memory of 2832	2964	DEM8D57.exe	109

C:\Users\Admin\AppData\Local\Temp\eac85c7c0dc2a3e70d5ed5dc8a1fac7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac85c7c0dc2a3e70d5ed5dc8a1fac7e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\DEM349D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM349D.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Users\Admin\AppData\Local\Temp\DEM8B0A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8B0A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\DEME0FA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME0FA.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Users\Admin\AppData\Local\Temp\DEM3728.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3728.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3204
      - C:\Users\Admin\AppData\Local\Temp\DEM8D57.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8D57.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\DEME347.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME347.exe"
        7⤵
        Executes dropped EXE
        
        PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM349D.exe

Filesize
15KB

MD5
947d6e9e2d3c7f2fd86cd4c04d6c19ba

SHA1
4c845589badd46dc0ff5870d219a4229e4424412

SHA256
1b256dd070c9ed8b055633d66a9682d44cd963edf7ff0abd040776cbecb6d050

SHA512
f0bbde65b1c6d9eb807cf43838ab9817fcc4f793a96f308f5bb49945a29b6f5426dfb33a0df7274f580fb0035538b34c89b98f389d03c0bb684081e664dcd39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3728.exe

Filesize
15KB

MD5
4526915bffdfaddd2ca4a95a2f2d7cda

SHA1
58a174b802a1b370e09eff212ee8f7aa8136c6d5

SHA256
eb4a6dadd6635edf29b275226f6ee853eb451861fb6db53d9f42717a3fb60036

SHA512
526e0742221bc271bcb7e866b811c4e63964d95af407557730e56f194ad41d5e0054f429eb92a94b67fc3407d311d8dff8df4fd1d7d55b298df69837df369c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8B0A.exe

Filesize
15KB

MD5
e2ccbac588f7e22998b4d9de81afb397

SHA1
fafd10ab2ce1289b1896e711cba939a99012a896

SHA256
9f3a7dd499404d7cbaf5fae6e4b3869d904f89db13d26d8f0e8a3f8114dda4b8

SHA512
5bd0601de8e6d1e8581d571827909bc1f88286ee6739e3e831827ca160afd0c9c658c6f26fc86ff29ab140a8d550ac91f646ab8a83b6836108f0c24ad0a36df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8D57.exe

Filesize
15KB

MD5
7cdc1eb9ceb70f7d863e17078cdc742a

SHA1
0342da4e09fa910a023376524b4eff0a7ac6b075

SHA256
345810818e138e974f1955197763c9f745c0d63b0215c1e52c1e9a8dd0427f6c

SHA512
f5871bf61401414f371af9c4ccc38a923380036c7a70edccbbf418b2729ffd308dda703584079b6ca62c5a46d924b9430b6d5f181b164edd9372b7bf74e67639

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME0FA.exe

Filesize
15KB

MD5
0bb323cdfa02676319e662d9a59a78f2

SHA1
74a1094483dd5b31a681e8cd480c64c31eba2e80

SHA256
8dce9ff868a61ba136b84938113d6205db07e0af6dd0dd733c3ac752e9a629e9

SHA512
60dd2bf2dc818ebe589f5659e3a8bb5b9fb7dccac9893866dc1b2d6f8e835505301eee42d97e32e7773a6c77bd57cc3a560bd89177abd0cc69998cb95a2422ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME347.exe

Filesize
15KB

MD5
004b4386b75d0af8cb5c0badd3e5a022

SHA1
e697a09944df379e669f368ec84f773702ae427a

SHA256
bc4f8825729000d9358c5aac01c4d02a318b36227908e7a0e34ba979d98014f8

SHA512
e24e5cc72af2b52ceab73d25ec65577549ecffa66507483030d2670dce084f02a098f5e74a0acbdd82cda176702e591bf5f2b932d48fd99ed9502231e1fb7b3f

Download Submit

Analysis

Sharing