ff4f3914f8719f3154850b7a442839e9f50771b0bff0d5db52ba30bb715987ed

General

Target

f159acec73612aa2d6a2c13d3191b8da_JaffaCakes118.exe
Size

14KB
MD5

f159acec73612aa2d6a2c13d3191b8da
SHA1

a069cea45ba395f30e295f2372fb0e2f1f76cede
SHA256

ff4f3914f8719f3154850b7a442839e9f50771b0bff0d5db52ba30bb715987ed
SHA512

67681c98a17c4aeb731d0e61630bb515886a48adc31038084fa5bb08963fa615fb484f331519bf9b36bff0e4c33e1baad71a0779bfdf5f067745016ab4a82341
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYfQW:hDXWipuE+K3/SSHgxmfp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEM2F48.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEM8548.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	f159acec73612aa2d6a2c13d3191b8da_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEM2C6F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEM82FB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEMD92A.exe

Executes dropped EXE 6 IoCs

pid	Process
4640	DEM2C6F.exe
3128	DEM82FB.exe
3460	DEMD92A.exe
3628	DEM2F48.exe
4420	DEM8548.exe
1812	DEMDB48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 4640	3052	f159acec73612aa2d6a2c13d3191b8da_JaffaCakes118.exe	91
PID 3052 wrote to memory of 4640	3052	f159acec73612aa2d6a2c13d3191b8da_JaffaCakes118.exe	91
PID 3052 wrote to memory of 4640	3052	f159acec73612aa2d6a2c13d3191b8da_JaffaCakes118.exe	91
PID 4640 wrote to memory of 3128	4640	DEM2C6F.exe	96
PID 4640 wrote to memory of 3128	4640	DEM2C6F.exe	96
PID 4640 wrote to memory of 3128	4640	DEM2C6F.exe	96
PID 3128 wrote to memory of 3460	3128	DEM82FB.exe	98
PID 3128 wrote to memory of 3460	3128	DEM82FB.exe	98
PID 3128 wrote to memory of 3460	3128	DEM82FB.exe	98
PID 3460 wrote to memory of 3628	3460	DEMD92A.exe	100
PID 3460 wrote to memory of 3628	3460	DEMD92A.exe	100
PID 3460 wrote to memory of 3628	3460	DEMD92A.exe	100
PID 3628 wrote to memory of 4420	3628	DEM2F48.exe	102
PID 3628 wrote to memory of 4420	3628	DEM2F48.exe	102
PID 3628 wrote to memory of 4420	3628	DEM2F48.exe	102
PID 4420 wrote to memory of 1812	4420	DEM8548.exe	104
PID 4420 wrote to memory of 1812	4420	DEM8548.exe	104
PID 4420 wrote to memory of 1812	4420	DEM8548.exe	104

C:\Users\Admin\AppData\Local\Temp\f159acec73612aa2d6a2c13d3191b8da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f159acec73612aa2d6a2c13d3191b8da_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\DEM2C6F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2C6F.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Users\Admin\AppData\Local\Temp\DEM82FB.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM82FB.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Users\Admin\AppData\Local\Temp\DEMD92A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD92A.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3460
    - - C:\Users\Admin\AppData\Local\Temp\DEM2F48.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2F48.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3628
      - C:\Users\Admin\AppData\Local\Temp\DEM8548.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8548.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\DEMDB48.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDB48.exe"
        7⤵
        Executes dropped EXE
        
        PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2C6F.exe

Filesize
14KB

MD5
292ea9e54c486b5599e6a6669dbb8f54

SHA1
e3ae441747af1dac947c60a369091496178f2eb0

SHA256
d79f9298e4cea711318c5bdda7b0ec80faa015476c35ba5c7f250dc72891cc42

SHA512
a38366789a01aab51b2e0a8b7178277e9f99ec50b0c64f076b67b650a7b094a1a378de4f4b30c6e97e048f9cf18b7cc437de8554beef4b1ef08b2841771ea0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2F48.exe

Filesize
15KB

MD5
1f582fdcb274c3a62b6c91c82127dc60

SHA1
49b72782debf589753085fbb1cb26ceb380f188f

SHA256
33b4ff423f2322400c50108d0f055509b4062bbedd76dba4d959882bc2ded024

SHA512
e5e5451cfcf42d07f61cd10d25c584067942ccaaab236a0b3d34f82e9668b5286a21c9cad7fa0679109d5cfc132a9ab83de6bc135cc03ccb93a225a5a6fadc04

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM82FB.exe

Filesize
15KB

MD5
bfd08aebc3c1359822c660086061d15e

SHA1
b871d376232a07d843172b3fb4295b7f16d42f6d

SHA256
3866155aa9cc8561fd4de07b5e583759e1b88d929f9c9104caf59015aee156d7

SHA512
08a60cfb6e45948ad7618414147811103fd7e124611d53943a87f841c1777975dc40ef1bd58a406b2089dbb3e02414fe0df66a7b71a56c6432fad73346e89c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8548.exe

Filesize
15KB

MD5
f72cfd2f88c485b1d774e7ea9a40e3df

SHA1
4205bab43d41d2b84498a1ffbfa9bac412eb541b

SHA256
e079cdee4ec8c88abd5ec08422b7fdf546bb0098432c67a468c5ffaacbf1cfc5

SHA512
f0c6935474624b1014dc30a9b5e52a0150910e022d52bffa95b43476ef9e76d96a0debb7c3c6e6a3472eb287af060e6ae4cf94734a554c5479c9ee0095e09364

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD92A.exe

Filesize
15KB

MD5
b35ca42be3b6aba287112d891c35ab76

SHA1
704f840d64ed32b2337efc74ce7ca7bdb935689c

SHA256
d40c9be06cbdba35ac14914972e3d0d29689253ba359e9424ea9148d33ddd552

SHA512
07adf98f4094c65be9015c587adb3bb239e4081623180014b6f2525e7e9dbdd417ef7f0628f1c9eba256f89dc27ae38845579091ca33f758ed59aaefd1545275

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDB48.exe

Filesize
15KB

MD5
edd58020f79e702470de7b8490fa8726

SHA1
8253cb69f2dcf126f49fb80cc9941aae9771ec2a

SHA256
e9248076b30c5f48eecab223bfff3ba72bcc6135953a962d873aca7ced0c24a3

SHA512
33023cfca75d6548fdc81d3248ea86993b5e1181d5239052bf0322ca2397225720830b7f3c32cc1550faf4d82d16fcca68178e2eb6dbdaf4429d288a3609a165

Download Submit

Analysis

Sharing