3fc7be74c396fcb970bd6b3504b55ec1bccce50ab0c0b3973513f43d283d0e20

General

Target

f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe
Size

15KB
MD5

f100cd2739e4bb6002798c428d73c83c
SHA1

99b9fe26a5604347532f95523cbd6791abc4c520
SHA256

3fc7be74c396fcb970bd6b3504b55ec1bccce50ab0c0b3973513f43d283d0e20
SHA512

303fb39399b2e37ca81f2a987be2d311aae40db8976b6929e13ab6a2e0d3c70f09ce413867cd36620fc37bbb88609546f25558f59f808dbe6ebbf4e6770f9957
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYLNL:hDXWipuE+K3/SSHgxmLN

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEME30D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEM38CE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEM8EAE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEM3691.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEM8CFE.exe

Executes dropped EXE 6 IoCs

pid	Process
4712	DEM3691.exe
3780	DEM8CFE.exe
840	DEME30D.exe
2244	DEM38CE.exe
4892	DEM8EAE.exe
4904	DEME4CD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 4712	4568	f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe	94
PID 4568 wrote to memory of 4712	4568	f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe	94
PID 4568 wrote to memory of 4712	4568	f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe	94
PID 4712 wrote to memory of 3780	4712	DEM3691.exe	100
PID 4712 wrote to memory of 3780	4712	DEM3691.exe	100
PID 4712 wrote to memory of 3780	4712	DEM3691.exe	100
PID 3780 wrote to memory of 840	3780	DEM8CFE.exe	103
PID 3780 wrote to memory of 840	3780	DEM8CFE.exe	103
PID 3780 wrote to memory of 840	3780	DEM8CFE.exe	103
PID 840 wrote to memory of 2244	840	DEME30D.exe	105
PID 840 wrote to memory of 2244	840	DEME30D.exe	105
PID 840 wrote to memory of 2244	840	DEME30D.exe	105
PID 2244 wrote to memory of 4892	2244	DEM38CE.exe	107
PID 2244 wrote to memory of 4892	2244	DEM38CE.exe	107
PID 2244 wrote to memory of 4892	2244	DEM38CE.exe	107
PID 4892 wrote to memory of 4904	4892	DEM8EAE.exe	109
PID 4892 wrote to memory of 4904	4892	DEM8EAE.exe	109
PID 4892 wrote to memory of 4904	4892	DEM8EAE.exe	109

C:\Users\Admin\AppData\Local\Temp\f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f100cd2739e4bb6002798c428d73c83c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Local\Temp\DEM3691.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3691.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Users\Admin\AppData\Local\Temp\DEM8CFE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8CFE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3780
  - - C:\Users\Admin\AppData\Local\Temp\DEME30D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME30D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:840
    - - C:\Users\Admin\AppData\Local\Temp\DEM38CE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM38CE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Users\Admin\AppData\Local\Temp\DEM8EAE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8EAE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\DEME4CD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME4CD.exe"
        7⤵
        Executes dropped EXE
        
        PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3691.exe

Filesize
15KB

MD5
54dabb73e7b9d86179b59c521cefe128

SHA1
e5d0bd5a7fd3c592ef11d3c3bac071e5d2d223bd

SHA256
3a57c597f830d1001a8680c382192c8c2b912fdc1da053a6f7f68163299e28dd

SHA512
748e3465300c23995cf1665b4bd7d03582298f21de43166988fde9b665397992b1e6c79a538f44bd1b6bf2e0e2cde3b59a33c73d38cf2eb539dc7eebbbe35268

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM38CE.exe

Filesize
15KB

MD5
96f880d195a5ab33ec7459cd20921e96

SHA1
ea16fa495f9bbdee78587e0c47b743ce6a359753

SHA256
0be35c47e1a6d00896006a5debc690796ba9ebba38ce10b1dfdc499b3abf6a12

SHA512
814d821b1812cef2fda507a40170434bd915bf2d65a92a36b11133dab2ed236841d53a5fbe109cc2fff9abc256cb639f876284737173d5dbc7e584117297b4ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8CFE.exe

Filesize
15KB

MD5
51fded03ac17e1f1013eecc221a625b0

SHA1
658558c7fc374d1ace86dbaf08e9959ff3937524

SHA256
21c0d4298b26e9dbcfc8fe1910262d2605f104e5ac9c13fb087278b84371f0e9

SHA512
906284cfb620662ae35aa72ada68a2af84f13dfbc138fa711c441053657cb3ea13542ae52e6ed9c1715b33f20e6f60364353deb8dc1d4d692953969f99fe4cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8EAE.exe

Filesize
15KB

MD5
cc6a18a328254e90597308f5493d02bf

SHA1
87ebb94497738a5341316af1ee15bf431ebb68fb

SHA256
ec72a8af2a762c02efe891c27ad4961ce0f3648a91a7f9be1e642df4b340ba7b

SHA512
3e7dbee9dd0cf600d215ab8557e1c5971e49175dc9cdb4fdb19ba0c04e9e35f2ea20a512b9f92ef13458861686870532645ebd26e1120e9e3cabf15613b1e37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME30D.exe

Filesize
15KB

MD5
b9b7b5e35ac83e40be03156a38b5268f

SHA1
3fdeea8bdad58c6ff175ad207ec1dfa5d204e3ec

SHA256
a5afbc42edae67730dcc4f6a2158d650bffd627ede93e50df31e4fa301e0371e

SHA512
e93516ffc9a6a014495d322a7c2669663454622d6d234661e8cca853ce7423cc345216fd7ba666c04d86e62c91c01210b79cff99a3134e385002fabc4a00acdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME4CD.exe

Filesize
15KB

MD5
0eba49651176497a384cc0590417f7ff

SHA1
a872292c4ab8c6919e4168d0712f4daa04b69904

SHA256
9c46d68b967b8854c1d2ef43ca6b9dd16fb8695cd0fd3ded2c1853e1b1b5c105

SHA512
9fc67021f1b3a99db23eeaaf1df69cbdaf90cbbfa401fe8401c088da94e22e2162c9eb37b7506e8670e125c44031c697f5f414084658b65b70b86a329c445816

Download Submit

Analysis

Sharing