280c55f49f8dfc176107f508b6ff9c703ae6d6d84bce130f38d1982dd24c3671

General

Target

f27adc6159481867b87176875b7691c9_JaffaCakes118.exe
Size

14KB
MD5

f27adc6159481867b87176875b7691c9
SHA1

d89aec1877079328481a688ff98f2f9438eec38e
SHA256

280c55f49f8dfc176107f508b6ff9c703ae6d6d84bce130f38d1982dd24c3671
SHA512

9af8b623817cf2913aef4a95584d9ac8f1b99a67d610e91d6ac8636aa9336d64f966e7cd91f40b28949c70f2a17ffd4ccd77a9c9cdabb5dedd2fea04a4f1bbed
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYF:hDXWipuE+K3/SSHgxmF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEMBBAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	f27adc6159481867b87176875b7691c9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEM5AA3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEMB4B9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEMBD2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEM63C6.exe

Executes dropped EXE 6 IoCs

pid	Process
4672	DEM5AA3.exe
3152	DEMB4B9.exe
1800	DEMBD2.exe
2948	DEM63C6.exe
848	DEMBBAA.exe
4264	DEM13BD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 4672	2216	f27adc6159481867b87176875b7691c9_JaffaCakes118.exe	89
PID 2216 wrote to memory of 4672	2216	f27adc6159481867b87176875b7691c9_JaffaCakes118.exe	89
PID 2216 wrote to memory of 4672	2216	f27adc6159481867b87176875b7691c9_JaffaCakes118.exe	89
PID 4672 wrote to memory of 3152	4672	DEM5AA3.exe	94
PID 4672 wrote to memory of 3152	4672	DEM5AA3.exe	94
PID 4672 wrote to memory of 3152	4672	DEM5AA3.exe	94
PID 3152 wrote to memory of 1800	3152	DEMB4B9.exe	96
PID 3152 wrote to memory of 1800	3152	DEMB4B9.exe	96
PID 3152 wrote to memory of 1800	3152	DEMB4B9.exe	96
PID 1800 wrote to memory of 2948	1800	DEMBD2.exe	98
PID 1800 wrote to memory of 2948	1800	DEMBD2.exe	98
PID 1800 wrote to memory of 2948	1800	DEMBD2.exe	98
PID 2948 wrote to memory of 848	2948	DEM63C6.exe	100
PID 2948 wrote to memory of 848	2948	DEM63C6.exe	100
PID 2948 wrote to memory of 848	2948	DEM63C6.exe	100
PID 848 wrote to memory of 4264	848	DEMBBAA.exe	102
PID 848 wrote to memory of 4264	848	DEMBBAA.exe	102
PID 848 wrote to memory of 4264	848	DEMBBAA.exe	102

C:\Users\Admin\AppData\Local\Temp\f27adc6159481867b87176875b7691c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f27adc6159481867b87176875b7691c9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\DEM5AA3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5AA3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Users\Admin\AppData\Local\Temp\DEMB4B9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB4B9.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\DEMBD2.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBD2.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Users\Admin\AppData\Local\Temp\DEM63C6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM63C6.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Users\Admin\AppData\Local\Temp\DEMBBAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBBAA.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\DEM13BD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM13BD.exe"
        7⤵
        Executes dropped EXE
        
        PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM13BD.exe

Filesize
15KB

MD5
36b79daf045ed0df2f363899cb5df061

SHA1
21408e3b8c5910124ebacd428e0cec3c1a3cf199

SHA256
48609e4659b6e47a5fe7669c0fdcaf7c952e03f6944b217a0ecbe50c7a8fc219

SHA512
5b24418d8bb5b99e70c57fe77b8aff775b4da5c340225071255ef49c6b4625e5a16b91f418290769c590a8c227a7427dba2680ad561c9afcf61c7ed6108f795d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5AA3.exe

Filesize
15KB

MD5
b9f74538144c20e72cefa12b3b613c23

SHA1
826cd838e5d8ac2e48f4988f3cea7d9abc9d6650

SHA256
ba7da070b6bc633d12ab173d93afd7f65dc3ea7c21217b40777c67e07ff65894

SHA512
ba475005cfcaede8b93c8d25d347fc3192cdb56a0ea7bdd0cd0372af8e2856b49fe5dc6b8b3c53a94808a7f7a08be668fc276dee9bf72acadf481c4c7a293f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM63C6.exe

Filesize
15KB

MD5
ade3c9831350a00720805c7f2edfba78

SHA1
bfa0175043388c6c754f167362ae3569fcd68c51

SHA256
9824efb868316fdc5144c4b1ee80b8c3cddfd0c27e277c5858b4808f21144543

SHA512
a3658ba0734168a3fa1ea493ef74251207d303848d65854c4228033b8ceadef488db4ce54dc2a7202f5d3322cce6d9e089af341af691f1c5dd5555c505751ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB4B9.exe

Filesize
15KB

MD5
cde1bb1212ea4e70fa039f6a85aa187a

SHA1
73da773c83c2bbab28ec1ce2e177f1ed367df7c6

SHA256
f996144fe45a3acd73bd2dc2367bdfdc0ee374cdf7260d457ab3499cbf2a2f75

SHA512
47419fda35f8460185439d7c2f05ac2748f692317716bd2823fe3b35abfb9b6ca211191d0228c3f16754e002276bfa2a4941d73726b19f061d9770252f74bb0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBBAA.exe

Filesize
15KB

MD5
fc992a2286d825d7c17f97b1e405270e

SHA1
0b20ec6187f31179f5be0b6b3be5d6ade27beb82

SHA256
fb5dcb966d17a944555b4fe0a9363b478fc624a90ef951470a42f7ca5a38c086

SHA512
6484497b564a90e22667b9ad27a5f8a7fa083f53934e48be50b5cf330307cd92d8b89ee59478fd20f08d3a00a0eac599e8685f8062fcec86ba77af6bf8af43a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBD2.exe

Filesize
15KB

MD5
7ce323c9e27dc8b88e02b3e224dd86ae

SHA1
afcdf9f879b88d3a2904dd6378592d1d656a6ce9

SHA256
cb10fa37d9bb826ee8e83d0684e216f750f0d0cf8a67c81328bc6d74fb0e4c72

SHA512
74706f8d017c6a3b6709b7d1a59c0f171f70b6d974d2f2a782e59ed18f784f21c877ed6e69ff4c71e4678328662e45848bd768f494c6a49f28368e4984f36edd

Download Submit

Analysis

Sharing