6a4fe86acfb21d3eadf16f17a9b76049d736b4314dd076a341bca1488ace4678

General

Target

ed7eb60f483a18bd60d592adcee07a93_JaffaCakes118.exe
Size

16KB
MD5

ed7eb60f483a18bd60d592adcee07a93
SHA1

3bda98708227acd277db340d4c9fc72fb4ef694e
SHA256

6a4fe86acfb21d3eadf16f17a9b76049d736b4314dd076a341bca1488ace4678
SHA512

1070ac1ffd367d563c272c705504c9f66f0f8e8e715e75f29fec58b65f3fb3ab00fcc03c4a89136784bb691b79bbad5e4508b4dffddaa97952f91b737192eeb1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJI:hDXWipuE+K3/SSHgxs

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEMDADF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM30CF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM8690.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	ed7eb60f483a18bd60d592adcee07a93_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM2E63.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM84FF.exe

Executes dropped EXE 6 IoCs

pid	Process
3256	DEM2E63.exe
2424	DEM84FF.exe
2732	DEMDADF.exe
1648	DEM30CF.exe
4520	DEM8690.exe
2092	DEMDC9F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 3256	1688	ed7eb60f483a18bd60d592adcee07a93_JaffaCakes118.exe	93
PID 1688 wrote to memory of 3256	1688	ed7eb60f483a18bd60d592adcee07a93_JaffaCakes118.exe	93
PID 1688 wrote to memory of 3256	1688	ed7eb60f483a18bd60d592adcee07a93_JaffaCakes118.exe	93
PID 3256 wrote to memory of 2424	3256	DEM2E63.exe	96
PID 3256 wrote to memory of 2424	3256	DEM2E63.exe	96
PID 3256 wrote to memory of 2424	3256	DEM2E63.exe	96
PID 2424 wrote to memory of 2732	2424	DEM84FF.exe	98
PID 2424 wrote to memory of 2732	2424	DEM84FF.exe	98
PID 2424 wrote to memory of 2732	2424	DEM84FF.exe	98
PID 2732 wrote to memory of 1648	2732	DEMDADF.exe	100
PID 2732 wrote to memory of 1648	2732	DEMDADF.exe	100
PID 2732 wrote to memory of 1648	2732	DEMDADF.exe	100
PID 1648 wrote to memory of 4520	1648	DEM30CF.exe	102
PID 1648 wrote to memory of 4520	1648	DEM30CF.exe	102
PID 1648 wrote to memory of 4520	1648	DEM30CF.exe	102
PID 4520 wrote to memory of 2092	4520	DEM8690.exe	104
PID 4520 wrote to memory of 2092	4520	DEM8690.exe	104
PID 4520 wrote to memory of 2092	4520	DEM8690.exe	104

C:\Users\Admin\AppData\Local\Temp\ed7eb60f483a18bd60d592adcee07a93_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed7eb60f483a18bd60d592adcee07a93_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\DEM2E63.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2E63.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Users\Admin\AppData\Local\Temp\DEM84FF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM84FF.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\DEMDADF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDADF.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Users\Admin\AppData\Local\Temp\DEM30CF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM30CF.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Users\Admin\AppData\Local\Temp\DEM8690.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8690.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\DEMDC9F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDC9F.exe"
        7⤵
        Executes dropped EXE
        
        PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2E63.exe

Filesize
16KB

MD5
5bac2bf467d17e313abc9ac4f024cebc

SHA1
0576f3f7d3e0ec4c411f876ad0b765564c93c1e3

SHA256
731517a2b9c07dbdb8a590efc6033a42d1212730db20757556a2b8f0a52c6954

SHA512
b733f89f2956bb8e8834a77833085ab3cd06adf2453f0bfd43ca82a56c5712d98ec6496a95fa1cf17a5dbb911f0bd98b5c1ae3b0bdd27ab5201cf691dba66e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM30CF.exe

Filesize
16KB

MD5
d71eca7960ddd8be7d25f80951f4fda9

SHA1
3083f5e3a369299b3d8bf181fa67587dbb299730

SHA256
48c7bc5258ad75b5c4a39556627d70842ed793c851d2f3208f2591c2d973caf4

SHA512
6d57d088f1f1c0ea0100a90f983bd1f4ee1199ae7090a2c03251a6b99f8bf298d8ec90b96f246d691c7a67fbca5c3da5eb6f1624e3d26c80d40b511f05cffd42

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM84FF.exe

Filesize
16KB

MD5
22b59d32864f84d0f6e078eb2a45694a

SHA1
f49eba13e3e61ece2f1b15eb8cb116984de462f7

SHA256
c00d9c7decde3327a8b73d2b329c0dc5cb6ddcd8904c2d49af6ed349257fe9cc

SHA512
cd5625d06ce8c2386a7057efced4d81d06a5687fd591fcc55aca7e1747edca3c271680c9ae290ed46f67501529a5233de578c681e969d789c00a0be3e80c0c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8690.exe

Filesize
16KB

MD5
0520f4d88c862a6c3afdd78d8e4a0b92

SHA1
e2cd63ee31b4ba791861da8774010d779882946e

SHA256
d389a7dd11d85dc180648c6f1ea263dfb3318d5bc4f3c6b46fa5f1e584bfd30a

SHA512
3c897f1b88571ced0965a34c55dd6bd804b3d5a79cb5823a0670731047190d46b23f8c9a7c5a1828b9831b6c7a134065eb75df191bb6d67cddebfb3b1eb7ec41

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDADF.exe

Filesize
16KB

MD5
47947baab2e62945063db61521de280a

SHA1
1c74cba7308bfaa281bc4971dbb7b9e472e5f1c8

SHA256
3b3c370059601372b7d50655ed1dfe6c9af37ac58bf8ae152c6452dedc1474a7

SHA512
fd4a6c22a3504ab0d12efb81ffa48e51e8935011d0e26834078b62c030787de48f2eb296f3e8f2ebe62d52b3e48c7c11184a9bc5482734e1fef47f82384d750a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDC9F.exe

Filesize
16KB

MD5
73fa65f3376ecf6c14f9553c70f975c4

SHA1
5a3d166ac3ae56b0201f2050d24b512a3d383f3d

SHA256
24c34510211ad8ce694a21cefdbdf4897a3a2e2871db6aecd4387211f2b958fe

SHA512
330a023996575a1d1ebee12e2c95af17a1db37835c8ced4065ecc17d88b0042f22565ceef315630abfa1bd779f2f56c1b3da4f1d4385a503ea3548236543a1ce

Download Submit

Analysis

Sharing