028ff9a295822cbd3b14fed347403939e2924574c4e2dcb13ce20b29527ae523

General

Target

f4618480bd40d38c80c13339097ed22d_JaffaCakes118.exe
Size

14KB
MD5

f4618480bd40d38c80c13339097ed22d
SHA1

4056027b84ac2360146164c654dd2473964b451f
SHA256

028ff9a295822cbd3b14fed347403939e2924574c4e2dcb13ce20b29527ae523
SHA512

5606bcf23605f4b7fa7f7ab54eb6f6bbe9779a29c3b4f5ff263a2ef0d2b39a266ce08b5d29c89faef674e51ae3df772083612ff83472cb10e8f7ff2c00588eae
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5idv:hDXWipuE+K3/SSHgxl5idv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	DEM9A47.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	f4618480bd40d38c80c13339097ed22d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	DEM3F5B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	DEM96A2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	DEMED5D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	DEM437C.exe

Executes dropped EXE 6 IoCs

pid	Process
2420	DEM3F5B.exe
1992	DEM96A2.exe
4384	DEMED5D.exe
4856	DEM437C.exe
1040	DEM9A47.exe
5000	DEMF170.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2420	2564	f4618480bd40d38c80c13339097ed22d_JaffaCakes118.exe	93
PID 2564 wrote to memory of 2420	2564	f4618480bd40d38c80c13339097ed22d_JaffaCakes118.exe	93
PID 2564 wrote to memory of 2420	2564	f4618480bd40d38c80c13339097ed22d_JaffaCakes118.exe	93
PID 2420 wrote to memory of 1992	2420	DEM3F5B.exe	98
PID 2420 wrote to memory of 1992	2420	DEM3F5B.exe	98
PID 2420 wrote to memory of 1992	2420	DEM3F5B.exe	98
PID 1992 wrote to memory of 4384	1992	DEM96A2.exe	101
PID 1992 wrote to memory of 4384	1992	DEM96A2.exe	101
PID 1992 wrote to memory of 4384	1992	DEM96A2.exe	101
PID 4384 wrote to memory of 4856	4384	DEMED5D.exe	103
PID 4384 wrote to memory of 4856	4384	DEMED5D.exe	103
PID 4384 wrote to memory of 4856	4384	DEMED5D.exe	103
PID 4856 wrote to memory of 1040	4856	DEM437C.exe	105
PID 4856 wrote to memory of 1040	4856	DEM437C.exe	105
PID 4856 wrote to memory of 1040	4856	DEM437C.exe	105
PID 1040 wrote to memory of 5000	1040	DEM9A47.exe	107
PID 1040 wrote to memory of 5000	1040	DEM9A47.exe	107
PID 1040 wrote to memory of 5000	1040	DEM9A47.exe	107

C:\Users\Admin\AppData\Local\Temp\f4618480bd40d38c80c13339097ed22d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4618480bd40d38c80c13339097ed22d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\DEM3F5B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3F5B.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\DEM96A2.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM96A2.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Users\Admin\AppData\Local\Temp\DEMED5D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMED5D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4384
    - - C:\Users\Admin\AppData\Local\Temp\DEM437C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM437C.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Users\Admin\AppData\Local\Temp\DEM9A47.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9A47.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\DEMF170.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF170.exe"
        7⤵
        Executes dropped EXE
        
        PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3F5B.exe

Filesize
14KB

MD5
bed1b2ea3d2ae4cf3482c0f693946f4e

SHA1
6650c25e213bdb07c4d201e1c3095a83e5b71135

SHA256
b7764a59680e6b7b7f9910af80d1dbb8f17cad07ecd5ccd2b1b7184cb34e3e25

SHA512
173d2edc6afff21709aab58ce4f125ead860afbf83a9b6bedfdea06693f05935cfb4d758d403902d1533bb9532a9b60b6e635d88cf40fb0ed4ec70f4513d6f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM437C.exe

Filesize
14KB

MD5
5ea3b68007c5ebb8757836191eceb921

SHA1
ae7cad1849a7f73bb951cbbb976854a1ee932e07

SHA256
21cca85c6ff275c74aeed83901bad7c1c9eacf6489b37b186c4da48d61490d9e

SHA512
c71d5733b4b164827f82403c651b09aace84475764e1590ebd44000428d00b097ae645b2ada0325056e339b94cac200e0dec127d08c681c19aa7f4c2ab41f1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM96A2.exe

Filesize
14KB

MD5
4bea4048c787b787ea614b3e2863473a

SHA1
84e4f4db3e15e67e7e812b64b270d826a8173105

SHA256
be90f90d72d92addb5095c7677e47c194db59e45c2f997e4d843ce172e4eaa7d

SHA512
67c2bd4c94b84c9b2dfb5d79fa8139c97426edd7ba6e08f737d3ea2db8f7e60b88f9a0816691eba58743dc227092621ff1f0f33ec7170addcb5cdf3a133c9cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9A47.exe

Filesize
14KB

MD5
0b4a9a34d9d2adf57e96dd8163eab490

SHA1
207115cb930050b2ee421bf0f92f0b8d330d68bd

SHA256
d750624a991d19106e8a8647d9fef34a5fcb7a61992431091206557e83f3dda1

SHA512
ca768777bc2c6af0bd4924d2b5b2f0cd393cbfba816c22972c5ea0f13a5d713fb8283873de15df4fb55fea6132d23b02656362ac152d346b34ca82223e869955

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMED5D.exe

Filesize
14KB

MD5
637f04f3847f80727dbbd318db748493

SHA1
ce767e13cf0a2256ede38d297e1a63576fa6a681

SHA256
94b77dddab721af9eeb93ec71e4b430931b4c12e52affd0dde154e01deab5fcf

SHA512
f236e76b527d99c92480fd99b1cd35ed9bade2970d2c66adf6a80f5fc02313f47bcc1cade8574388ad86be5f32aba23bdbdc501eb2be0ad4c45a6d5636e7387b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF170.exe

Filesize
14KB

MD5
6d5282355552350d5fba89eaf3289b31

SHA1
23fa2468612855527ae63a7d18c6f292c0727f25

SHA256
5f51eedeafa552572b4f7f46200000830b1298ba79c5045d664a4a38cae817e7

SHA512
22a2ee65fde4af0c9cb7977099afd27dc511f68ab32f9b36bb77f74d4fad6a6f050b327f679cc9121f1c13afef8d03be653a242a88a0ea64057f2ca2a85e003c

Download Submit

Analysis

Sharing