56a1a4d140c3184962878d3b600f0ae6a1f14d7c6920a967e13d693049fe8b31

General

Target

f35bb31e2a73d0a8dd28c0b787511021_JaffaCakes118.exe
Size

15KB
MD5

f35bb31e2a73d0a8dd28c0b787511021
SHA1

ebfc91516346eec35d3a78ca254b3b54c0275521
SHA256

56a1a4d140c3184962878d3b600f0ae6a1f14d7c6920a967e13d693049fe8b31
SHA512

a021d948a024b5479b10ad607af3299b547365d6a94d7bf4f67b97ef0ca8b4edeedb34d9475389e6e3d911111621280ebfb513ba86e838df1d7de10d4bfeda77
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4hEuBY:hDXWipuE+K3/SSHgxmMe

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	f35bb31e2a73d0a8dd28c0b787511021_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	DEM4798.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	DEM9ED0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	DEMF5D9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	DEM4BF8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	DEMA284.exe

Executes dropped EXE 6 IoCs

pid	Process
2616	DEM4798.exe
1924	DEM9ED0.exe
4044	DEMF5D9.exe
4464	DEM4BF8.exe
2104	DEMA284.exe
5116	DEMF8B3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2616	1660	f35bb31e2a73d0a8dd28c0b787511021_JaffaCakes118.exe	91
PID 1660 wrote to memory of 2616	1660	f35bb31e2a73d0a8dd28c0b787511021_JaffaCakes118.exe	91
PID 1660 wrote to memory of 2616	1660	f35bb31e2a73d0a8dd28c0b787511021_JaffaCakes118.exe	91
PID 2616 wrote to memory of 1924	2616	DEM4798.exe	96
PID 2616 wrote to memory of 1924	2616	DEM4798.exe	96
PID 2616 wrote to memory of 1924	2616	DEM4798.exe	96
PID 1924 wrote to memory of 4044	1924	DEM9ED0.exe	98
PID 1924 wrote to memory of 4044	1924	DEM9ED0.exe	98
PID 1924 wrote to memory of 4044	1924	DEM9ED0.exe	98
PID 4044 wrote to memory of 4464	4044	DEMF5D9.exe	100
PID 4044 wrote to memory of 4464	4044	DEMF5D9.exe	100
PID 4044 wrote to memory of 4464	4044	DEMF5D9.exe	100
PID 4464 wrote to memory of 2104	4464	DEM4BF8.exe	102
PID 4464 wrote to memory of 2104	4464	DEM4BF8.exe	102
PID 4464 wrote to memory of 2104	4464	DEM4BF8.exe	102
PID 2104 wrote to memory of 5116	2104	DEMA284.exe	104
PID 2104 wrote to memory of 5116	2104	DEMA284.exe	104
PID 2104 wrote to memory of 5116	2104	DEMA284.exe	104

C:\Users\Admin\AppData\Local\Temp\f35bb31e2a73d0a8dd28c0b787511021_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f35bb31e2a73d0a8dd28c0b787511021_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\DEM4798.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4798.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Local\Temp\DEM9ED0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9ED0.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\DEMF5D9.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF5D9.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4044
    - - C:\Users\Admin\AppData\Local\Temp\DEM4BF8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4BF8.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4464
      - C:\Users\Admin\AppData\Local\Temp\DEMA284.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA284.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\DEMF8B3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF8B3.exe"
        7⤵
        Executes dropped EXE
        
        PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4798.exe

Filesize
15KB

MD5
c33f2de105e01620e339111fdd2c4e37

SHA1
5c4c0a02f69f3598cbb1f1fd04824a981b06caad

SHA256
e25ae61cfaaf00e23ae0bd8a9388438af5ff5ce4ba94a5429a81cdbe6d9d972b

SHA512
d251d22e9effd1167f92c04e922a6adf845eee5a9494ec3de2f06c7a827d16f9304fc5c26703ec0aedd29ce49e5d98b7eb25258a9400e28fc98c32dd3b6f7359

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4BF8.exe

Filesize
15KB

MD5
e6d4c772593219b9134cccd4eb51200a

SHA1
69f555512436a70a8bb00bc2312489a7c4c5f087

SHA256
e6da689d90c0c3d4c30d697d5ba2375b2c8c8ec471769c8d68c95343886fb627

SHA512
4d739826c2cf690d002f0ac27807af40f2c70f4c036c46073e2e483eb3eda0d341895900a3ac6a216aa86230ed80287e25def4931759e72d2324fe22b0cb1d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9ED0.exe

Filesize
15KB

MD5
15c8d4cb1f6c010fb2169756d2847de5

SHA1
cef3b75c3c32f66403dca7345a8b871979a7dcf9

SHA256
bfaaf85efb2b18817eb51306aaee172413c08d44c9b9a470f295d572013f7dac

SHA512
44868b84a7fe49c27d5b31300cae92abb487e3cdcaeb7746a81d88fd9119732d409f2a82130fa466fc8808c9bf7342f13cce2a71a08ed11483dd26d91ed420d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA284.exe

Filesize
15KB

MD5
c7c23262e64f0f83d0463e2c0f1970f4

SHA1
5c2bbce890073407b754a72c5f8746883d899145

SHA256
16890caabde6e022d02d36aab7af8e89897e049e4b405b4d78bbe87ea1799486

SHA512
f9b32fc258387cd38d37479fb999c8b05855bd976fd21b6944ba8344c73b1e51bc9f4f720ecf5657d84b92d48d28a3144767daa68542c07e97f9a4a3e332af03

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF5D9.exe

Filesize
15KB

MD5
ebf4bc0059ae40035537facd46e00098

SHA1
9c21f228df475514565b1e7bfbb77aa95cb46a9c

SHA256
88fa17a024e275d7f99eb4aeb031ad10a092f14667b28deb4533a2865044612d

SHA512
c2e38e64aa7c98d638bc41454656695049fe486bf78d0f87cc1faf0c8a2b05f53bec97c37d432f215cff4d484ca1b0cee83f8f8d65686aa898989b60d0288ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF8B3.exe

Filesize
15KB

MD5
958f90741a6d002f4fec36bd5d6acad3

SHA1
6b77e323ee080041209f587399a9f291b13715ed

SHA256
cf7d6065076eedd3a8461e49942ca713f7d354f3eb51120906fd1bd28aa70dbc

SHA512
5b93daba34006267f5837d8b0e75d8b2cb797cf7e346253e578f8ec5567569168ac882aac89859059d403873d79e366245fca42549e2cc16bd6c63248fcc1ef3

Download Submit

Analysis

Sharing