f98b017ac2a2dbefa95fb883a8705b24d902dc4cd31733d370dde1d9e6808798

General

Target

f23f454e607e28fa1d20ab02d1dfe352_JaffaCakes118.exe
Size

14KB
MD5

f23f454e607e28fa1d20ab02d1dfe352
SHA1

423c1a26bab639498ff05061d52bb16ddbb343cb
SHA256

f98b017ac2a2dbefa95fb883a8705b24d902dc4cd31733d370dde1d9e6808798
SHA512

be890bc794d6c84c682f0330953c9eff43e968c34c970c1defc921f40a5d2e8bc983ad2443f0ae67bed02dd6d61b6bb7e77ba95d0369ce281dd4f9adb6aa4d5b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhkRw:hDXWipuE+K3/SSHgxL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM396A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM8FA8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	f23f454e607e28fa1d20ab02d1dfe352_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM36A0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM8D1D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEME36B.exe

Executes dropped EXE 6 IoCs

pid	Process
1388	DEM36A0.exe
2156	DEM8D1D.exe
2148	DEME36B.exe
4532	DEM396A.exe
3704	DEM8FA8.exe
1968	DEME5D7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 1388	1176	f23f454e607e28fa1d20ab02d1dfe352_JaffaCakes118.exe	92
PID 1176 wrote to memory of 1388	1176	f23f454e607e28fa1d20ab02d1dfe352_JaffaCakes118.exe	92
PID 1176 wrote to memory of 1388	1176	f23f454e607e28fa1d20ab02d1dfe352_JaffaCakes118.exe	92
PID 1388 wrote to memory of 2156	1388	DEM36A0.exe	97
PID 1388 wrote to memory of 2156	1388	DEM36A0.exe	97
PID 1388 wrote to memory of 2156	1388	DEM36A0.exe	97
PID 2156 wrote to memory of 2148	2156	DEM8D1D.exe	99
PID 2156 wrote to memory of 2148	2156	DEM8D1D.exe	99
PID 2156 wrote to memory of 2148	2156	DEM8D1D.exe	99
PID 2148 wrote to memory of 4532	2148	DEME36B.exe	101
PID 2148 wrote to memory of 4532	2148	DEME36B.exe	101
PID 2148 wrote to memory of 4532	2148	DEME36B.exe	101
PID 4532 wrote to memory of 3704	4532	DEM396A.exe	103
PID 4532 wrote to memory of 3704	4532	DEM396A.exe	103
PID 4532 wrote to memory of 3704	4532	DEM396A.exe	103
PID 3704 wrote to memory of 1968	3704	DEM8FA8.exe	105
PID 3704 wrote to memory of 1968	3704	DEM8FA8.exe	105
PID 3704 wrote to memory of 1968	3704	DEM8FA8.exe	105

C:\Users\Admin\AppData\Local\Temp\f23f454e607e28fa1d20ab02d1dfe352_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f23f454e607e28fa1d20ab02d1dfe352_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\DEM36A0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM36A0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\DEM8D1D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8D1D.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\DEME36B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME36B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Users\Admin\AppData\Local\Temp\DEM396A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM396A.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
      - C:\Users\Admin\AppData\Local\Temp\DEM8FA8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8FA8.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\DEME5D7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME5D7.exe"
        7⤵
        Executes dropped EXE
        
        PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM36A0.exe

Filesize
14KB

MD5
72c478c41e2ff06eef96f7653c00c695

SHA1
28be122ba03a9523023c613c5b44cf214de78eda

SHA256
277d45c46ca8dc770e28bf3957cf151caf5effc0dc1304c7f3bb7781e197cfe4

SHA512
48a9e5acd6ac16f2fc3727464aac03b9511c485936604c7c584baedf25328d6dedc1539499b134bab733300c86c47ffd2ec58a9304106fc22a0b68a80ebdeeba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM396A.exe

Filesize
14KB

MD5
f4e1bcb9f0209f0213828760b064168f

SHA1
db68c9e58d22e062fe6674cb8fedcc54c6f3958a

SHA256
e41b7aa0a9d0b4af3737cd270b3d508d67333190e5d5eae8f1f61627d8a12343

SHA512
768256ae7fd28c0133144ae69ec314d7b1e7b6b998d36293c25d390c82a5f32e8b790b4970ed850011df56540ad9183a02168b289414b30989fb3c55a74b8f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8D1D.exe

Filesize
14KB

MD5
b55209585b7e34a886cc303e3ea03c0b

SHA1
699bcde19c1c065f82a2f71f181a6e4c03578a5e

SHA256
4a915db17f9158bdd2d9c5590573327499890d79204be8eca94820321b26efd9

SHA512
73014be13acbfa79fe1f03d73c4b61ac8c36c5180cae483ba62cdfcbc1db079682e751f3b015477a878230a48372ce6b55c6cefb881d14861ff718554e49de3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8FA8.exe

Filesize
14KB

MD5
a8956fd2285a71f4add519de590ee758

SHA1
8dcdb3e2776da8d01f4017f9ea207da234254a72

SHA256
501571806762f559a72bf8ae18028d916673b47fb2ecb06b4eda2102eb04932d

SHA512
66ef11e8da863754748ab80046328d418a149081fbe5b6ea214c93abbed18c62c6af2a61500057ceb504367a9bcdfd826293d8e4665a78cea1f1fa12e72203aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME36B.exe

Filesize
14KB

MD5
eb3a5b333b06d2125a0511a3e3e65756

SHA1
e23c747bf1713ce71c0024dc72f3e7843e6550fc

SHA256
3268f64a805e9dcf5bbb4b80474644a9da096bac614356d281a58fa2d253b7d3

SHA512
45ee1bc47dc72f288b34abfaf56f2ce1abf5222c38a365703b66276ce3a591997a758636b452b0d3eefff953e53dd803e9960a45df0e1fae20e0987105bb87f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME5D7.exe

Filesize
14KB

MD5
650871a6d0291c202ee456673f053f42

SHA1
0b32fc76264a85aa8f88c2e640a35b445801bbed

SHA256
c2a337bfdca6cee0485d44b18cba88f6c6f245f5fdb4761f519ad0e554d5efcf

SHA512
dba594b8dbff8c28beae10d98494a26529677dcef91eca10144b531e006168929da2062735bb136233857f8529ea7af77e2b9f33f2fbe0bff5d6ca64911e73df

Download Submit

Analysis

Sharing