ed1724d3a81924534da2d3fd310a23331b86ceb973737418692c63676e165ea9

General

Target

f12dae9f32fa3e1498fa08e4dbfce7d2_JaffaCakes118.exe
Size

16KB
MD5

f12dae9f32fa3e1498fa08e4dbfce7d2
SHA1

9b4320acbbe4ec6faa42a307a1774f224d15ac96
SHA256

ed1724d3a81924534da2d3fd310a23331b86ceb973737418692c63676e165ea9
SHA512

84a7f164da30b886829d5062eb2746f9037f23257ea17faedf8fcebdb45e4dfb9fdc0130ded20f6c9c7f13f51a3206a734c421cbdf3047de718a058debdc2550
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+Lc:hDXWipuE+K3/SSHgxmHt

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	f12dae9f32fa3e1498fa08e4dbfce7d2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	DEM3410.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	DEM8AAC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	DEME0FA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	DEM36BB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	DEM8CCA.exe

Executes dropped EXE 6 IoCs

pid	Process
1276	DEM3410.exe
4044	DEM8AAC.exe
4400	DEME0FA.exe
4644	DEM36BB.exe
2000	DEM8CCA.exe
1204	DEME2CA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 1276	4836	f12dae9f32fa3e1498fa08e4dbfce7d2_JaffaCakes118.exe	84
PID 4836 wrote to memory of 1276	4836	f12dae9f32fa3e1498fa08e4dbfce7d2_JaffaCakes118.exe	84
PID 4836 wrote to memory of 1276	4836	f12dae9f32fa3e1498fa08e4dbfce7d2_JaffaCakes118.exe	84
PID 1276 wrote to memory of 4044	1276	DEM3410.exe	86
PID 1276 wrote to memory of 4044	1276	DEM3410.exe	86
PID 1276 wrote to memory of 4044	1276	DEM3410.exe	86
PID 4044 wrote to memory of 4400	4044	DEM8AAC.exe	99
PID 4044 wrote to memory of 4400	4044	DEM8AAC.exe	99
PID 4044 wrote to memory of 4400	4044	DEM8AAC.exe	99
PID 4400 wrote to memory of 4644	4400	DEME0FA.exe	101
PID 4400 wrote to memory of 4644	4400	DEME0FA.exe	101
PID 4400 wrote to memory of 4644	4400	DEME0FA.exe	101
PID 4644 wrote to memory of 2000	4644	DEM36BB.exe	105
PID 4644 wrote to memory of 2000	4644	DEM36BB.exe	105
PID 4644 wrote to memory of 2000	4644	DEM36BB.exe	105
PID 2000 wrote to memory of 1204	2000	DEM8CCA.exe	107
PID 2000 wrote to memory of 1204	2000	DEM8CCA.exe	107
PID 2000 wrote to memory of 1204	2000	DEM8CCA.exe	107

C:\Users\Admin\AppData\Local\Temp\f12dae9f32fa3e1498fa08e4dbfce7d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f12dae9f32fa3e1498fa08e4dbfce7d2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Local\Temp\DEM3410.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3410.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Users\Admin\AppData\Local\Temp\DEM8AAC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8AAC.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Users\Admin\AppData\Local\Temp\DEME0FA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME0FA.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4400
    - - C:\Users\Admin\AppData\Local\Temp\DEM36BB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM36BB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4644
      - C:\Users\Admin\AppData\Local\Temp\DEM8CCA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8CCA.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\DEME2CA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME2CA.exe"
        7⤵
        Executes dropped EXE
        
        PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3410.exe

Filesize
16KB

MD5
922757dd448d3c6d97d1a8f155b172f7

SHA1
6558219852a1819652cc290fc065d033e5d49413

SHA256
05527c1a327c1bd20c590842310f9c4d779210f37f5cff8f0d3e605aa827b8c3

SHA512
fd19af489079fb48d85d2e1630095afbe71386d2ef037654109dfd31b0d6b4ff642e6698448a7974c6bbdbd8e887b4401c7a66691450b7bd5606459021b1f90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM36BB.exe

Filesize
16KB

MD5
ee7f88af091f799b5c49bda06c15b321

SHA1
b624471f87d21c91472efbd216314202bef8a84a

SHA256
72791cf5d1ffb61c04b35bf7333a81c978de5ea5aa022bc39472b82b2fe089d1

SHA512
1343c7d0a8e69db2aef28e9836f3dc902f8e73ada131ea1d53d913e2d9ca523c3802362ab082a56314535363b97e2611ccbc0737c00362288efd1f79663f6f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8AAC.exe

Filesize
16KB

MD5
c4872ff113d161eac078ad6faa624d69

SHA1
77e0765be9767bdab4881a29927325a43e329afc

SHA256
09d109f31a74d735699abfdaeda5b0d4faf4e86fda4ae9b0b1a88a2aeb39dbc3

SHA512
ad4e84184b5e2685fe2231e1da41fda2e609e960b22071edfe62822963c821bcedf4cf40d5a53a40c3e1b6b7bbb795d9b9542f4c82095fbfb502d5552f745e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8CCA.exe

Filesize
16KB

MD5
63d7a49bb534e60b6dc46d96954c9643

SHA1
c5a9e5e9c2c226c33a2ed0d250d24d3416ef2fab

SHA256
1fe2671e78edcfb3d6163f2eed5a0a7a83ccb1a8759de38f389c402e4f4bfad2

SHA512
843317e20ab75519084cdb12f789b0b6b7a663a21cdcf34d01271e702496f8e01df6f2c6cda7c57812002e0c514d32d3fc09e91249fb9979d3fa62f27d8616d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME0FA.exe

Filesize
16KB

MD5
1756f755572449d5ef0910e215bcb9ba

SHA1
52be58f6944d5bbc9d1a2b07bbefac2778ce0a3e

SHA256
fa19b95cfc537d75db8abc9c8ccc28af793147c9990e09e091ca7887af10065b

SHA512
c2eac340627a8b826032e3565c57a3186664cfd7e298aab675a168cfd987a9eb117d43bd552068006b43e0e0009cf1db5c86a514a55cdd2f237702f076ed1b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME2CA.exe

Filesize
16KB

MD5
b719c17f9438edf82c63a2b83e35aa7b

SHA1
b051234a58189453760f97d05f2bc30abeb4b054

SHA256
ee139ff6d8eecf83e6c31c7b74e027c0e315cead444a2f1fb714ec8f39f0338c

SHA512
3676539e6c5a586742633a06aa232853374f4182931658b806ccf24d636914ee8a9976addc3dd0362760f0fab343da0d00ccb62b142951a7b64efa4c0c91276c

Download Submit

Analysis

Sharing