1f01918a8a4f6e89e60ab22fde9e41ca595965b8c276b598462cb11c8c72fa0c

General

Target

ec695b94d7b312233fd6420ea5ea6552_JaffaCakes118.exe
Size

20KB
MD5

ec695b94d7b312233fd6420ea5ea6552
SHA1

27c93452ded149b2a5f528ba325ef6e9a7178a68
SHA256

1f01918a8a4f6e89e60ab22fde9e41ca595965b8c276b598462cb11c8c72fa0c
SHA512

52153252f7cef83ff1307acf79e272d505463855a0bbfe42744e18931954d6f2375e9eaf053cbbd3784643c03db27f74aa6175899eaef044d19dc96d22f5ec1a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4Pn:hDXWipuE+K3/SSHgxmHZPn

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	ec695b94d7b312233fd6420ea5ea6552_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM9078.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM3F94.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM96AD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMEDB6.exe

Executes dropped EXE 5 IoCs

pid	Process
3468	DEM9078.exe
5064	DEM3F94.exe
1704	DEM96AD.exe
2012	DEMEDB6.exe
2152	DEM44DF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 3468	2448	ec695b94d7b312233fd6420ea5ea6552_JaffaCakes118.exe	94
PID 2448 wrote to memory of 3468	2448	ec695b94d7b312233fd6420ea5ea6552_JaffaCakes118.exe	94
PID 2448 wrote to memory of 3468	2448	ec695b94d7b312233fd6420ea5ea6552_JaffaCakes118.exe	94
PID 3468 wrote to memory of 5064	3468	DEM9078.exe	96
PID 3468 wrote to memory of 5064	3468	DEM9078.exe	96
PID 3468 wrote to memory of 5064	3468	DEM9078.exe	96
PID 5064 wrote to memory of 1704	5064	DEM3F94.exe	98
PID 5064 wrote to memory of 1704	5064	DEM3F94.exe	98
PID 5064 wrote to memory of 1704	5064	DEM3F94.exe	98
PID 1704 wrote to memory of 2012	1704	DEM96AD.exe	100
PID 1704 wrote to memory of 2012	1704	DEM96AD.exe	100
PID 1704 wrote to memory of 2012	1704	DEM96AD.exe	100
PID 2012 wrote to memory of 2152	2012	DEMEDB6.exe	102
PID 2012 wrote to memory of 2152	2012	DEMEDB6.exe	102
PID 2012 wrote to memory of 2152	2012	DEMEDB6.exe	102

C:\Users\Admin\AppData\Local\Temp\ec695b94d7b312233fd6420ea5ea6552_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec695b94d7b312233fd6420ea5ea6552_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\DEM9078.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9078.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\DEM3F94.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM3F94.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\DEM96AD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM96AD.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Users\Admin\AppData\Local\Temp\DEMEDB6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEDB6.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Users\Admin\AppData\Local\Temp\DEM44DF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM44DF.exe"
        6⤵
        Executes dropped EXE
        
        PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3F94.exe

Filesize
20KB

MD5
c72cff9539047a52211f7f5bfc1076a1

SHA1
44092b8e7accc59d87283d3a74d9f1ee7df895d6

SHA256
f41eba93a0e9db0e7c9fc4a877861673efbfd2ec8c8883561e1cb49c68ac1459

SHA512
6cfd0bef0cdddab22e41bd22646bb6275e721c999128a6e5e7b3821ab3c5c51575699d99531e54b923ec755bc9c81186b42e94593247e27350e6a166e6975c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM44DF.exe

Filesize
20KB

MD5
de6f3f0fcddd6625ccbe9e5f7d9b9155

SHA1
3a08d0bc68f084b21a8b618764403fa2762dac2c

SHA256
540d7f20bb907fc017257a07f3eac9155cceef1b814470a982fba3a5864fdb04

SHA512
6fd5281868ef678a1a4229ed2ddb49e057010c58eb2a75a4c821956e37284d9fb6199deda426cf9e0c36d21f86d18d2ca8b22b5a61dcfb1638905b9fd9374145

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9078.exe

Filesize
20KB

MD5
70feba5c39294bcf8e6b97feb1c066ef

SHA1
87055b1011b7b447ce86f4830e6523a794af57ea

SHA256
62c95b4681fa8958ad3ec2552980026698e68b5020a88747579c867068df4679

SHA512
902ad17dfdd52ac2eb91c9852c6f2daf36fef5f1c7fde7229a2903d4b89ad0d78a4aeca7ff1556dacb9f9dd7feb000fd48d2f19447541da75a3a95294c44b659

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM96AD.exe

Filesize
20KB

MD5
09e7fa973d9152099fae1ad49dc58b1f

SHA1
92bfc44778c2f845bc5f23b6d80317c6370e0041

SHA256
0e80985aa123f4a25ce9e40f178894dec29f294bc3273cf36c152bca701ecd25

SHA512
42718c9b80da73e2ee0debd9191e9bfc10dbda6801e87b10e884e04d325c1a74c2260b61fbf647f5ecb5fc1fa74a43330e365d1271d5b2ccae74c3a308858825

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEDB6.exe

Filesize
20KB

MD5
dd8e4331be3a15e2e7e5cee08f74fd09

SHA1
375aca13ee5ebf7625d60cdbcf80fa9a7c5b6ef9

SHA256
c9daa598725731e93c8cac13f987083380acbc06da8cfbe2e69cba2d30b014a4

SHA512
8d7789146de502aa5bff46fb54997736e601cd3ff9888883d79e4b6dd50e43185b27df7852111123a571d2bf170852bf48b10c38398578371fd8769a2591639e

Download Submit

Analysis

Sharing