5b9e40d6c5e65fa1a104e090cc47d0d2c25f2f2e534482a3cdd12f9c925cd480

General

Target

f0bbbd3d94c0fffc65cc72d81504c131_JaffaCakes118.exe
Size

14KB
MD5

f0bbbd3d94c0fffc65cc72d81504c131
SHA1

d82b47f0510d9f382cac3f65f8adcc00043c7e97
SHA256

5b9e40d6c5e65fa1a104e090cc47d0d2c25f2f2e534482a3cdd12f9c925cd480
SHA512

d8ef4f97aa3a25c67aa4d012865b3c6273f61cedcbefb341fbfbedefde9821330f09a562074c4449f70a44a48a5d7487ea3f45167ebe9290f081b66d7e6f4b63
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0DJ:hDXWipuE+K3/SSHgx4t

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	f0bbbd3d94c0fffc65cc72d81504c131_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	DEM6542.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	DEMBE5E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	DEM1642.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	DEM6DE8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	DEMC5DB.exe

Executes dropped EXE 6 IoCs

pid	Process
4680	DEM6542.exe
2188	DEMBE5E.exe
740	DEM1642.exe
3280	DEM6DE8.exe
4880	DEMC5DB.exe
2068	DEM1DFE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 4680	4604	f0bbbd3d94c0fffc65cc72d81504c131_JaffaCakes118.exe	85
PID 4604 wrote to memory of 4680	4604	f0bbbd3d94c0fffc65cc72d81504c131_JaffaCakes118.exe	85
PID 4604 wrote to memory of 4680	4604	f0bbbd3d94c0fffc65cc72d81504c131_JaffaCakes118.exe	85
PID 4680 wrote to memory of 2188	4680	DEM6542.exe	90
PID 4680 wrote to memory of 2188	4680	DEM6542.exe	90
PID 4680 wrote to memory of 2188	4680	DEM6542.exe	90
PID 2188 wrote to memory of 740	2188	DEMBE5E.exe	92
PID 2188 wrote to memory of 740	2188	DEMBE5E.exe	92
PID 2188 wrote to memory of 740	2188	DEMBE5E.exe	92
PID 740 wrote to memory of 3280	740	DEM1642.exe	94
PID 740 wrote to memory of 3280	740	DEM1642.exe	94
PID 740 wrote to memory of 3280	740	DEM1642.exe	94
PID 3280 wrote to memory of 4880	3280	DEM6DE8.exe	96
PID 3280 wrote to memory of 4880	3280	DEM6DE8.exe	96
PID 3280 wrote to memory of 4880	3280	DEM6DE8.exe	96
PID 4880 wrote to memory of 2068	4880	DEMC5DB.exe	98
PID 4880 wrote to memory of 2068	4880	DEMC5DB.exe	98
PID 4880 wrote to memory of 2068	4880	DEMC5DB.exe	98

C:\Users\Admin\AppData\Local\Temp\f0bbbd3d94c0fffc65cc72d81504c131_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0bbbd3d94c0fffc65cc72d81504c131_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\DEM6542.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6542.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\DEMBE5E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBE5E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\DEM1642.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1642.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Users\Admin\AppData\Local\Temp\DEM6DE8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6DE8.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3280
      - C:\Users\Admin\AppData\Local\Temp\DEMC5DB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC5DB.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\DEM1DFE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1DFE.exe"
        7⤵
        Executes dropped EXE
        
        PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1642.exe

Filesize
14KB

MD5
385411396108c22993a23feb787ffd91

SHA1
4309814db04741551c1a891c967b29fc440f2ee4

SHA256
752428b003faedf85f8f000357c928c2ecb94de5d493aab53a110f7ec6c8a2c3

SHA512
abbe52b1eec320629b5abada6563d733bfa16afc959e4eca72504914f0347511f5d2a5e0efe7fa13e482da34ddb66b8c2492f34cea4b4ff9e196b6544d0f46f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1DFE.exe

Filesize
14KB

MD5
9d89fb6176f0b0c5b77f02c0d8adfb8b

SHA1
8d660ee1154d9df1d33d20037bf3041cc08da041

SHA256
b4f52080e6a34fd9cc7078448ae3830dae20c2a7dea51355149cde41e54efe6b

SHA512
aab12e857dd1c834f0f1aa470f4844257d7569e6c187e54b84f90ab5ac5ed3eee771936916cf1fde6159ed4651a9f99a4d76980d98f21b389717c445cd230c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6542.exe

Filesize
14KB

MD5
e4e35fcd3ab37deb2380b54a599bd47f

SHA1
94e3bcf8d5e5e74a3b56c9332fe32dd26935aabb

SHA256
f0c660f07e422313d5543096634d376b0caec002c84d89d24aefe507b9ba73f5

SHA512
15fec720bb76f23de2928abdcdeb3af2f9fb4b41d2b38b95b1e8878c01ccd8ef4af9765353adcd4108d088be4f7d5c164a44c8fe93e7d33a0be649cc0ecc5352

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6DE8.exe

Filesize
14KB

MD5
89e511b23cf6e009cb1aeda4d4d96218

SHA1
d18d9a73dd380e7759317cf12d4f765d2837f836

SHA256
21ad4683fe0acf745b3984681eefd3e5e71fe4f429d393bf6a2a41a299031762

SHA512
2395d4b5784fb3ed45d93631449e08ac0e0da11b0035f5c8c84a66d97772b6922c74b0c88ef073cfc51d68e00a45ed0106e7e54121caae3e4f393ce6f3f8d1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBE5E.exe

Filesize
14KB

MD5
5ced8c2f8c9bf31ff3b949d26c27e5f8

SHA1
e59b30e6bebde79cbe6540215d978aa31487ff98

SHA256
820567c157a0119e14c24537913d9775302aa67bc089e427066dd01cb294694e

SHA512
909830e5a4d5097bb6a33592883c81ea0fdd504384a34fefd00665884d2601c6fc814899580ba84ac3bfb001bda3c9fe06bf2faf652f9f2bd9aa451086ac7f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC5DB.exe

Filesize
14KB

MD5
39517376e099a95f3def3b72aed52892

SHA1
386c51763d37896134875c64ec68e66ef2a5c85e

SHA256
45ef84961a1085ee742d9047dde86f758b13da18d836136baa66fe15fc38dd20

SHA512
13b70a34a4fa0aaf9d9f2d23b7fe8ad0ade7bd7c8076e17ab16a7a0697af78d9606165c156bccb148f89f10fd17027d68df6f5a2db6d4d7ec29c80bcc5da583e

Download Submit

Analysis

Sharing