4f2ec7ae6d33afceba24e70ff1d60ffb0a816821a2508e943c43c28171d53a5d

General

Target

f4676d9848f4c0b997d158b378c1ae5f_JaffaCakes118.exe
Size

20KB
MD5

f4676d9848f4c0b997d158b378c1ae5f
SHA1

5b5ff27e2367da64c785bf80ee5df19a3686e278
SHA256

4f2ec7ae6d33afceba24e70ff1d60ffb0a816821a2508e943c43c28171d53a5d
SHA512

36d45c0dfa3001ae2a9803201b90a0938ac88c86e76f2fd9d32dee94c3d9e6b681fa1333d3b8c7f0b5454b51c04abb47e9dae3203c388fe8f91e8c3ecbb49f95
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4ik:hDXWipuE+K3/SSHgxmHZik

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEMC5DB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	f4676d9848f4c0b997d158b378c1ae5f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEM63DA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEMBD16.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEM149C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEM6E26.exe

Executes dropped EXE 6 IoCs

pid	Process
2008	DEM63DA.exe
4480	DEMBD16.exe
1916	DEM149C.exe
2692	DEM6E26.exe
4160	DEMC5DB.exe
4952	DEM1D71.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2008	2788	f4676d9848f4c0b997d158b378c1ae5f_JaffaCakes118.exe	96
PID 2788 wrote to memory of 2008	2788	f4676d9848f4c0b997d158b378c1ae5f_JaffaCakes118.exe	96
PID 2788 wrote to memory of 2008	2788	f4676d9848f4c0b997d158b378c1ae5f_JaffaCakes118.exe	96
PID 2008 wrote to memory of 4480	2008	DEM63DA.exe	101
PID 2008 wrote to memory of 4480	2008	DEM63DA.exe	101
PID 2008 wrote to memory of 4480	2008	DEM63DA.exe	101
PID 4480 wrote to memory of 1916	4480	DEMBD16.exe	103
PID 4480 wrote to memory of 1916	4480	DEMBD16.exe	103
PID 4480 wrote to memory of 1916	4480	DEMBD16.exe	103
PID 1916 wrote to memory of 2692	1916	DEM149C.exe	105
PID 1916 wrote to memory of 2692	1916	DEM149C.exe	105
PID 1916 wrote to memory of 2692	1916	DEM149C.exe	105
PID 2692 wrote to memory of 4160	2692	DEM6E26.exe	107
PID 2692 wrote to memory of 4160	2692	DEM6E26.exe	107
PID 2692 wrote to memory of 4160	2692	DEM6E26.exe	107
PID 4160 wrote to memory of 4952	4160	DEMC5DB.exe	109
PID 4160 wrote to memory of 4952	4160	DEMC5DB.exe	109
PID 4160 wrote to memory of 4952	4160	DEMC5DB.exe	109

C:\Users\Admin\AppData\Local\Temp\f4676d9848f4c0b997d158b378c1ae5f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4676d9848f4c0b997d158b378c1ae5f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\DEM63DA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM63DA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\DEMBD16.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBD16.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Users\Admin\AppData\Local\Temp\DEM149C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM149C.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Users\Admin\AppData\Local\Temp\DEM6E26.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6E26.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Users\Admin\AppData\Local\Temp\DEMC5DB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC5DB.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\DEM1D71.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1D71.exe"
        7⤵
        Executes dropped EXE
        
        PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM149C.exe

Filesize
20KB

MD5
6a404f6b0466233c720f6e4e002a2ccf

SHA1
96c30d15142bedf304b7ed62710a3b03246140f6

SHA256
61423f96f94bb587ee33172d54118f10a2c93e0ecf199e766e0e9d16006752c3

SHA512
7ef3a415d57f60ffb8c89549467aad9c4bb11f530661e0ac474211d02060a051b1666cc92a0bfd6c906852a1bea12d54f58384d6ce592b7ca1cdde0d7e8b8406

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1D71.exe

Filesize
20KB

MD5
46674336b1240006bd7ee9a3cc9d2961

SHA1
4e970460214d4c9ad32b23646d914ac2581a26b3

SHA256
5c6fad2d74ac023dbcab972d875c2417554877813586210cfc18e69c6c1b7f27

SHA512
a197bbfed6a24546de08a98b1cfb42d1d6b6acf568ae5e9960bbe6b7fc35ba0c2775f43959732c807355b60f82a6cdfd6c74409f914ef4e680a70dc6cd5166dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM63DA.exe

Filesize
20KB

MD5
582adeb24c83b925ecb4efd4f2431fcb

SHA1
baefbcb36b4ee39bad2bb703002161fe02e3040e

SHA256
670d8d51eae8d65dc37615afacdf1ee254e5ed224f8d30fd773de122f3b35463

SHA512
9666776acf96170610bb3c8d0cf6a9a2696231bd88044fb53443c345542baeff851e24f7d8caaab8aec26cb16ce88aab4d8681a271d55a9bf50e1d288a24825e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6E26.exe

Filesize
20KB

MD5
ef573d52067d1efb5e4aec1bdbb1ad4d

SHA1
57b110bf7a53433510770f24b13880b4dc83b854

SHA256
d4e65d09cb919fdef9d5bc593fb413e59d831b70938a8407ae56e999886c6e5f

SHA512
b28b2138dc40a56c14eb85cddad22146d3af28b177074429c160be4a226bd5061790ff219369f29ffeefa48a62a01548665df3375ff2dcd6c96278f7f39afd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBD16.exe

Filesize
20KB

MD5
545403edf86962d3e508f5984535d27e

SHA1
f8d99b73e389ae1bd2b75894552028aa71c9783d

SHA256
631231678edf2ca4aa0edd7f5762db657912be3abe8692c118f67318ac6ca948

SHA512
db06dcf215d7cb759158c5163f57b70f9e04003c722672a63a7a7c76cc08f56ec589ca074ba804687cb62ffddac4fa6e73621a0faeccde4ccf97bbc9dec4ecb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC5DB.exe

Filesize
20KB

MD5
560281a4bcb3d9fccc1a23b593a7ab05

SHA1
b667d6828ebca5906b7f6396fcee1bdd2bb494c2

SHA256
e769134e1a077b13595126c67f36487beba9a119571dcd371ef0fd86de21e1f1

SHA512
b38b86e527233fb04484a6b97c6de92507768f8003d3b3eb40fd4b19765aaeef227af2e62cd1e9da9191823bc793f07ba6a7984a9d9461ebb0e7a5bca624e14c

Download Submit

Analysis

Sharing