57d2d43bff5bdcd3533febf524f25e66f59e2f5e63523fb91bb87fa88856d1ba

General

Target

ed5ccac3f554f14292e500337c07a670_JaffaCakes118.exe
Size

16KB
MD5

ed5ccac3f554f14292e500337c07a670
SHA1

eae176a323984036dbe6342bb4e58ba5ed792a04
SHA256

57d2d43bff5bdcd3533febf524f25e66f59e2f5e63523fb91bb87fa88856d1ba
SHA512

4acce534b406d15aff014ed679179853ec6b466c6c5a9ebc663dab94e1dea16d8002167dd14d8b5ecfcd95f8a420a6dc8fe10b75b32eec28a8283e29039b7e62
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhdm:hDXWipuE+K3/SSHgx2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	ed5ccac3f554f14292e500337c07a670_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM2ED0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM852E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEMDB0E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM311D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM871D.exe

Executes dropped EXE 6 IoCs

pid	Process
1572	DEM2ED0.exe
3096	DEM852E.exe
3104	DEMDB0E.exe
4824	DEM311D.exe
4892	DEM871D.exe
824	DEMDCDE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 1572	3812	ed5ccac3f554f14292e500337c07a670_JaffaCakes118.exe	95
PID 3812 wrote to memory of 1572	3812	ed5ccac3f554f14292e500337c07a670_JaffaCakes118.exe	95
PID 3812 wrote to memory of 1572	3812	ed5ccac3f554f14292e500337c07a670_JaffaCakes118.exe	95
PID 1572 wrote to memory of 3096	1572	DEM2ED0.exe	98
PID 1572 wrote to memory of 3096	1572	DEM2ED0.exe	98
PID 1572 wrote to memory of 3096	1572	DEM2ED0.exe	98
PID 3096 wrote to memory of 3104	3096	DEM852E.exe	100
PID 3096 wrote to memory of 3104	3096	DEM852E.exe	100
PID 3096 wrote to memory of 3104	3096	DEM852E.exe	100
PID 3104 wrote to memory of 4824	3104	DEMDB0E.exe	102
PID 3104 wrote to memory of 4824	3104	DEMDB0E.exe	102
PID 3104 wrote to memory of 4824	3104	DEMDB0E.exe	102
PID 4824 wrote to memory of 4892	4824	DEM311D.exe	104
PID 4824 wrote to memory of 4892	4824	DEM311D.exe	104
PID 4824 wrote to memory of 4892	4824	DEM311D.exe	104
PID 4892 wrote to memory of 824	4892	DEM871D.exe	106
PID 4892 wrote to memory of 824	4892	DEM871D.exe	106
PID 4892 wrote to memory of 824	4892	DEM871D.exe	106

C:\Users\Admin\AppData\Local\Temp\ed5ccac3f554f14292e500337c07a670_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed5ccac3f554f14292e500337c07a670_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Local\Temp\DEM2ED0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2ED0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Users\Admin\AppData\Local\Temp\DEM852E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM852E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\DEMDB0E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDB0E.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3104
    - - C:\Users\Admin\AppData\Local\Temp\DEM311D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM311D.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4824
      - C:\Users\Admin\AppData\Local\Temp\DEM871D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM871D.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\DEMDCDE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDCDE.exe"
        7⤵
        Executes dropped EXE
        
        PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2ED0.exe

Filesize
16KB

MD5
1ac68377a7bab41109edc2f381fe082c

SHA1
19ddc4d4029b5afc3488dc99654230713303d7e7

SHA256
7505174258a6910658e9dc30bad5006a8bc9c0648147e194605edd81dfb88618

SHA512
310a3d1a364dc4d90aa71dc0046b5796e1f265d89b7cfcbfb2d3884474c03bc1d3e2fdf8e60295b7255d066e4d3a12960d791fe52c4a0db1cd8397c5b7dcad14

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM311D.exe

Filesize
16KB

MD5
05152f80d2d7619ce976426fd82f9067

SHA1
74af7fa4396530c9bd52d1ca756af188b92320c8

SHA256
5b5939f087f6382aadfd51cac53471e5e837b129a26bda4b4be7a18b6072dfba

SHA512
7461494705c1b185b551cfe270c6d825b017d1c39d01006e11553eaa7a2b8e357e75c31cdbd97faff3ec6a46dc9c10cc36c97195d2aab8e1da3387c41f064fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM852E.exe

Filesize
16KB

MD5
eb8c3f34ce4bd194d8a99ee29a553478

SHA1
a1cf815f7e16348e67f9061c30a3b1267a7ceff6

SHA256
e6b3dacbcf5480b6c85f2f06daba9a6dac070288df9396b7b6089b338584b974

SHA512
26701f4f1c098bfd2f309e7f6ed16423ac21c1d613548f48cafcdb387ce609138aa9946e928b90d8e771be4dd6ae6ab091a649b402b181108e1072806a81f79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM871D.exe

Filesize
16KB

MD5
9563a88af933dc4275e83465f23aecab

SHA1
ca0285b74fc3dfca949f8dff51f8e884df8a1417

SHA256
90c6917267d051a06a87e10644fc2e63a9b13c0183d3306dd787fa1747224a7f

SHA512
3898f8116bbb1fa04e84d64da46e01b6ebcd84372a3c619883beb941d15812f909a7b4e94a5416b53e125b8570316b2bd597dfa3a38f863c0aeaa2159f8c7ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDB0E.exe

Filesize
16KB

MD5
a495b212ae77e1f4347747e9f537b949

SHA1
6113a40fa183aaf9b421b7789d67e4a8c297f26e

SHA256
6471cc9414a5a8508bc8f78205503e07bf0912f765b19e2993148b141246946d

SHA512
a2ad9fea0906b9778263b0045419e82c05c0fd1e015065411d355d8f1aa582c2f0f8749ab4440769f8b7d70247f07ff656721a24b688ed61579f5401192f5df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDCDE.exe

Filesize
16KB

MD5
4a47c0ffbe1fbdb231678011102604d1

SHA1
b9bd43026df58fbecc581a6e7a652eb83c33db00

SHA256
20ca8fd88e7e5a2ee9866a050b73fee8fb28f2b9a0168c800130edb5adb44c13

SHA512
9209b046bb959d2afe2ab0c085b86c51b88dbdf18d4051888bf53516032377a3fa3648737a4ade7f3e561e6701c0668101e1e65074711b68e4fe9edc4d79c72e

Download Submit

Analysis

Sharing