b910eaa6e127c9f0936311d6ea1c9a9d15feac2b4a89769a353ab45f253b3cb8

General

Target

eba8926fc1ffa1fcad2b580e72419060_JaffaCakes118.exe
Size

20KB
MD5

eba8926fc1ffa1fcad2b580e72419060
SHA1

f9e61e22413080db18dd136c079f783995991a67
SHA256

b910eaa6e127c9f0936311d6ea1c9a9d15feac2b4a89769a353ab45f253b3cb8
SHA512

d1ab8212ee0023f4e4e11b2869fcf691278c0c00aec2a12744b6f66b8ef68a2a3bc9f41cd2c6764df0b0f1625bbcdc37d43f8eb51d9b74dbec2e77e515579bbe
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4P8UzW:hDXWipuE+K3/SSHgxmHZPY

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	eba8926fc1ffa1fcad2b580e72419060_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM8E55.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMF07A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM47E1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM9FC5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMF7C9.exe

Executes dropped EXE 6 IoCs

pid	Process
3632	DEM8E55.exe
4304	DEMF07A.exe
1952	DEM47E1.exe
4600	DEM9FC5.exe
3532	DEMF7C9.exe
4296	DEM4FDB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 3632	3360	eba8926fc1ffa1fcad2b580e72419060_JaffaCakes118.exe	93
PID 3360 wrote to memory of 3632	3360	eba8926fc1ffa1fcad2b580e72419060_JaffaCakes118.exe	93
PID 3360 wrote to memory of 3632	3360	eba8926fc1ffa1fcad2b580e72419060_JaffaCakes118.exe	93
PID 3632 wrote to memory of 4304	3632	DEM8E55.exe	95
PID 3632 wrote to memory of 4304	3632	DEM8E55.exe	95
PID 3632 wrote to memory of 4304	3632	DEM8E55.exe	95
PID 4304 wrote to memory of 1952	4304	DEMF07A.exe	97
PID 4304 wrote to memory of 1952	4304	DEMF07A.exe	97
PID 4304 wrote to memory of 1952	4304	DEMF07A.exe	97
PID 1952 wrote to memory of 4600	1952	DEM47E1.exe	99
PID 1952 wrote to memory of 4600	1952	DEM47E1.exe	99
PID 1952 wrote to memory of 4600	1952	DEM47E1.exe	99
PID 4600 wrote to memory of 3532	4600	DEM9FC5.exe	101
PID 4600 wrote to memory of 3532	4600	DEM9FC5.exe	101
PID 4600 wrote to memory of 3532	4600	DEM9FC5.exe	101
PID 3532 wrote to memory of 4296	3532	DEMF7C9.exe	103
PID 3532 wrote to memory of 4296	3532	DEMF7C9.exe	103
PID 3532 wrote to memory of 4296	3532	DEMF7C9.exe	103

C:\Users\Admin\AppData\Local\Temp\eba8926fc1ffa1fcad2b580e72419060_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eba8926fc1ffa1fcad2b580e72419060_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Users\Admin\AppData\Local\Temp\DEM8E55.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8E55.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Users\Admin\AppData\Local\Temp\DEMF07A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF07A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Users\Admin\AppData\Local\Temp\DEM47E1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM47E1.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Users\Admin\AppData\Local\Temp\DEM9FC5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9FC5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4600
      - C:\Users\Admin\AppData\Local\Temp\DEMF7C9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF7C9.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\DEM4FDB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4FDB.exe"
        7⤵
        Executes dropped EXE
        
        PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM47E1.exe

Filesize
20KB

MD5
80882bd5b0058449873794a54efcf3d5

SHA1
9be51f8b0c396d6cf880cc0edc5e2f2e19633a63

SHA256
460cfd4a87cab7bdbd554c0fcad7eef455e5f910d368bb1b36e8e30fde9f3b04

SHA512
0d6257cb5505c8f25713f8ac8468030fe5c9c68ca3ad09fd1acd98d3c4f5be36e0450d3c9c83651b341ea8687ae43a0a768f42fd4fbac0222981c7a37cfef3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4FDB.exe

Filesize
20KB

MD5
efe9fdf919ed9e30bd1b9783093bb919

SHA1
bc899cb0a60e01eb9fa0d76bee6662c2cbad3110

SHA256
4a3342e324e432b75bbaf1214fb4cea7c41c5e92be92de2a3e4a2e08260fe306

SHA512
3a3ae6e4915da9956bb73597546399dadfc34bb89acc255522bff997a212899f6a9105a27fee957edb52c383abc825372954f7570b2c63991138acfbac110ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8E55.exe

Filesize
20KB

MD5
157ea36e51c493a614f17032da309dc5

SHA1
49e6292882f077feaa42595e92e4921a8ab8f610

SHA256
44060d32892b36fed28bc89ebc0637bd56b6115af05b6ef602d52535dee7b90a

SHA512
c8be88d2bd357af1b9e0f605bc1e321d93c1a5e40291606634e2f201c0ad1fd940dd87b35ffcb24a98bcf51885c29a03d4d14b4a56e2a4deabc309fe15487b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9FC5.exe

Filesize
20KB

MD5
50e20a62653c295f6fe4b60f931c287e

SHA1
6351fdec2960dd539383dfea283973f28b652193

SHA256
62d6ce73ed5d8eafa7431fd0ac88eb68b3b18e555dda144519279d9379e47aa4

SHA512
b4ce831f4c483a2453c466c50d09848097d7a85894da31db87156ad88c19c282e69634ccf2ddcf34f25c90756a3b9215d0fbee4aef97324f97b105bb5228c597

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF07A.exe

Filesize
20KB

MD5
23d8d4a8672279496164ec2ebdf0b202

SHA1
029cd8cf5a0c1a6ce1bdb3a3172dca271a79425b

SHA256
62c9b5e0e3e804ed903cce1b3215cc367cd7ce8e6602e29da2e5b4ae9e8d884f

SHA512
e3c678c823baaeadea8db89be7af291f84563c2bb224371e3e2a59d7abdb549748f6083efe8c803803dd4c5aaa0ca1541d277c786770e36947a53093d3899edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF7C9.exe

Filesize
20KB

MD5
16a4670043afc56acd54496ba04f4dfd

SHA1
002ec353bc1bc94f24d0c67724bdf6772b47ba4d

SHA256
6294eb20f51fa899aadd6dc168ccad651e07979de920e7c6071f8b414f186231

SHA512
ad2affff6d21f3f81a672f0deb6bd36b8cb6e6f694a6ea74b42f88c4a544b6904d168294ccae15e267adeb244d1f6523630c5c6a1ced1693dd46580292ae9b52

Download Submit

Analysis

Sharing