3aefd51b1160b33f8266af5b59d22c76b8668fcf789907373b18a124f0b09408

General

Target

ed98fc7fcc0a7b9ea592d0580eb63335_JaffaCakes118.exe
Size

14KB
MD5

ed98fc7fcc0a7b9ea592d0580eb63335
SHA1

9d084ee742a1a0283e9faeee839178242f85395d
SHA256

3aefd51b1160b33f8266af5b59d22c76b8668fcf789907373b18a124f0b09408
SHA512

1274f01e7d83b2a91c831d3a4e894e2df27269fb40c90b563f676b224e490b8f05d3bbd687528350384ef3d23fb59b2d92949134bc133bae5535bf04dad93393
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYq44S:hDXWipuE+K3/SSHgxmq44S

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	ed98fc7fcc0a7b9ea592d0580eb63335_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM421A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM9896.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEMEEB5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM44E4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM9B03.exe

Executes dropped EXE 6 IoCs

pid	Process
4916	DEM421A.exe
3096	DEM9896.exe
2868	DEMEEB5.exe
1256	DEM44E4.exe
1768	DEM9B03.exe
5112	DEMF121.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 4916	5108	ed98fc7fcc0a7b9ea592d0580eb63335_JaffaCakes118.exe	92
PID 5108 wrote to memory of 4916	5108	ed98fc7fcc0a7b9ea592d0580eb63335_JaffaCakes118.exe	92
PID 5108 wrote to memory of 4916	5108	ed98fc7fcc0a7b9ea592d0580eb63335_JaffaCakes118.exe	92
PID 4916 wrote to memory of 3096	4916	DEM421A.exe	95
PID 4916 wrote to memory of 3096	4916	DEM421A.exe	95
PID 4916 wrote to memory of 3096	4916	DEM421A.exe	95
PID 3096 wrote to memory of 2868	3096	DEM9896.exe	97
PID 3096 wrote to memory of 2868	3096	DEM9896.exe	97
PID 3096 wrote to memory of 2868	3096	DEM9896.exe	97
PID 2868 wrote to memory of 1256	2868	DEMEEB5.exe	99
PID 2868 wrote to memory of 1256	2868	DEMEEB5.exe	99
PID 2868 wrote to memory of 1256	2868	DEMEEB5.exe	99
PID 1256 wrote to memory of 1768	1256	DEM44E4.exe	101
PID 1256 wrote to memory of 1768	1256	DEM44E4.exe	101
PID 1256 wrote to memory of 1768	1256	DEM44E4.exe	101
PID 1768 wrote to memory of 5112	1768	DEM9B03.exe	103
PID 1768 wrote to memory of 5112	1768	DEM9B03.exe	103
PID 1768 wrote to memory of 5112	1768	DEM9B03.exe	103

C:\Users\Admin\AppData\Local\Temp\ed98fc7fcc0a7b9ea592d0580eb63335_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed98fc7fcc0a7b9ea592d0580eb63335_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Users\Admin\AppData\Local\Temp\DEM421A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM421A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\DEM9896.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9896.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\DEMEEB5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEEB5.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Users\Admin\AppData\Local\Temp\DEM44E4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM44E4.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1256
      - C:\Users\Admin\AppData\Local\Temp\DEM9B03.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9B03.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\DEMF121.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF121.exe"
        7⤵
        Executes dropped EXE
        
        PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM421A.exe

Filesize
14KB

MD5
586253f1484778562bfdfec420ed9219

SHA1
9ef625ebe6b14f52caafa3ebe033e99b095cf301

SHA256
1e5b9cd4302c35343490cde489366b7fb6a28ee4767e35c1d8238616feb0bfe6

SHA512
133ac5e9c1c2831cc411f9900d6be834cc4fd95d1d585ddbe63b94caacf457167ffb0f09d15ea243a2abf34acfe56c0112944a257372fe07921dc21c3dc728b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM44E4.exe

Filesize
14KB

MD5
854bd0ec09f07fba4d79ffdc113d01d2

SHA1
5b3aa68d48c249c7bf01e1eacb27b5b8ba099afa

SHA256
8cd51657525ddbcbc045b17a993efb2f1c866996ea648bf3b40744aa5e897c19

SHA512
cd45ef4f77faec82832df7f0bacaf4b8c89fbc769771585f22cc022896ae15337b098d8a4737479a166a39443da970dcdba86ea60311685c117008534745c4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9896.exe

Filesize
14KB

MD5
4f56e2562e33fba2ed9e413996556124

SHA1
7b21c9f99578b1ad4b26cc38b3026dcfc4bf3f11

SHA256
5ae513086d6c35d78596c3b0c57feb5a5728d8796ecc1f5b015d11da15fb27d2

SHA512
2a6cff77c26f4822539c360029d952bb1917e2b7be435dcf9ee0e88d2639748e59a9991b26625a253afcbcd45d9bae12fc43a396bdf6c10d22211b6a666e602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9B03.exe

Filesize
14KB

MD5
7103510d4e6f75a51b7345454188ac0f

SHA1
73da0e208ff4882cc85eced43ecae3b7b7be2aa0

SHA256
9e7be0e3286b2bd1ad699eb7b607484349bedca6809ff958dd52bae3474bc38a

SHA512
e14a59435858ce8ee043602cd897f1ffa3a027b999c9ca534ef16049c93c7eb064051318b7a5a9ec518729bc116cb348dd3c5e3cb7db564dce793e456ac1c38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEEB5.exe

Filesize
14KB

MD5
bb6b79e12861fbf83b5e48797af612df

SHA1
60cfaf6c671fb90eda536e87b8a45e3ab3d9cbfb

SHA256
a3c0f7f6d7d491dfbde24507c356b40f758bffc679f3d1cce87ba19fdd69ec9c

SHA512
20d9afa9f89d6eb9aa549a29c471ed9a843d164330ca0903efa841e9c46da3ee512cf3245ffbd13b6661c98ccd0e4f66487a9b88096bb981bdf8fca5db006132

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF121.exe

Filesize
14KB

MD5
7ca53f6237c52d087d87f34640b686d5

SHA1
2c01848ea281fd3fe7b6683128720848397e5959

SHA256
e8afd9634d615db0e907615e6a15174ed481695408c3c6338ac7e2c058e91814

SHA512
daea60ff901c34efb3f5ff89cf1e40b731f0dde87e29bde973e63e08c9b47f8ec672043b03f60448fb53bf2e57690508615cbfb1fecb0aad30520b52025c3777

Download Submit

Analysis

Sharing