4397fecf22b161c0345bc45a14b0647e631cc6ee705b438317fd85c18c6268d4

General

Target

f3b75200147e4763f99ec1fc1f2aaeab_JaffaCakes118.exe
Size

14KB
MD5

f3b75200147e4763f99ec1fc1f2aaeab
SHA1

20bbaf728d37affb16d5e16048d7736e43c054ff
SHA256

4397fecf22b161c0345bc45a14b0647e631cc6ee705b438317fd85c18c6268d4
SHA512

ff8fc9d8855ecf4c9025e63189203ab4de27ba2a6aae5ba49da2c93c93e2ac3a693559b41c9d1cff5e9046c051626397e965c0d22f14a454fdd4b43c7ff2584b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhvQy:hDXWipuE+K3/SSHgxlQy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	f3b75200147e4763f99ec1fc1f2aaeab_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	DEM323B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	DEM8925.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	DEMDF54.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	DEM35C1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	DEM8BFF.exe

Executes dropped EXE 6 IoCs

pid	Process
5076	DEM323B.exe
2056	DEM8925.exe
4792	DEMDF54.exe
1180	DEM35C1.exe
2976	DEM8BFF.exe
1768	DEME191.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 5076	4788	f3b75200147e4763f99ec1fc1f2aaeab_JaffaCakes118.exe	94
PID 4788 wrote to memory of 5076	4788	f3b75200147e4763f99ec1fc1f2aaeab_JaffaCakes118.exe	94
PID 4788 wrote to memory of 5076	4788	f3b75200147e4763f99ec1fc1f2aaeab_JaffaCakes118.exe	94
PID 5076 wrote to memory of 2056	5076	DEM323B.exe	99
PID 5076 wrote to memory of 2056	5076	DEM323B.exe	99
PID 5076 wrote to memory of 2056	5076	DEM323B.exe	99
PID 2056 wrote to memory of 4792	2056	DEM8925.exe	101
PID 2056 wrote to memory of 4792	2056	DEM8925.exe	101
PID 2056 wrote to memory of 4792	2056	DEM8925.exe	101
PID 4792 wrote to memory of 1180	4792	DEMDF54.exe	103
PID 4792 wrote to memory of 1180	4792	DEMDF54.exe	103
PID 4792 wrote to memory of 1180	4792	DEMDF54.exe	103
PID 1180 wrote to memory of 2976	1180	DEM35C1.exe	105
PID 1180 wrote to memory of 2976	1180	DEM35C1.exe	105
PID 1180 wrote to memory of 2976	1180	DEM35C1.exe	105
PID 2976 wrote to memory of 1768	2976	DEM8BFF.exe	107
PID 2976 wrote to memory of 1768	2976	DEM8BFF.exe	107
PID 2976 wrote to memory of 1768	2976	DEM8BFF.exe	107

C:\Users\Admin\AppData\Local\Temp\f3b75200147e4763f99ec1fc1f2aaeab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3b75200147e4763f99ec1fc1f2aaeab_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Users\Admin\AppData\Local\Temp\DEM323B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM323B.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\DEM8925.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8925.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\DEMDF54.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDF54.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4792
    - - C:\Users\Admin\AppData\Local\Temp\DEM35C1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM35C1.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1180
      - C:\Users\Admin\AppData\Local\Temp\DEM8BFF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8BFF.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\DEME191.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME191.exe"
        7⤵
        Executes dropped EXE
        
        PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM323B.exe

Filesize
14KB

MD5
c126267c069b9595df131714d2d348ef

SHA1
83b767ffe6e74642cc92515de0b49505fbab1075

SHA256
6b4077945f60eb60db1f10c8d4a9b1175ca08003e4f82f594b6df46063ff1ba5

SHA512
2a4636bb67a44af640cb76fa16e281af049523ba770f511b03276ea3904b7969f2ebecee8ca79926d49adfc454b7a2a454321e49eec6dd089f69a52bd2280a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM35C1.exe

Filesize
14KB

MD5
d5966880f377e16279e9a36e7f74b2f0

SHA1
90c91e354c303a7a793a07e6aa4d15c1547e65d0

SHA256
8f7eb0416a45caeb002bfba1f42b519a8b418fe24cf7d76a02359b87a63607be

SHA512
8d22e5eb297e87c2d2983370aac7dc6e7b85c494dff40950a09528cf9f7d2e3df55aa4c8982fa0319395c0431c8197e66bc607a908be95fe0b27c57681e441de

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8925.exe

Filesize
14KB

MD5
0e90f70d97bcef6eeae2a8bda51ae0bf

SHA1
6bc2c75336cb5d3170ee5c5a3b1f04dfaa61859a

SHA256
155aad9a77b01170841c8650d8a2f3cd50924eeab01cb76d00efb18862f1e486

SHA512
60e4b1405313b9fa479adf1c525613c6274d8dc8e3c2b135c0f5cb96b8cdaf3e4fea133e9cce44f6a9b73ac3e41990c2c79da4e900ba6362fb7ce9f949fea534

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8BFF.exe

Filesize
14KB

MD5
4bc42560e2a04e6a722e7555bfe82187

SHA1
87e7e4fc92bb857a4e271be3d3080fa97ebd7bc5

SHA256
46ed150dcf899a5acdc54f8f3b5c327e0a09b502168ba620b9f3b206226e0a57

SHA512
52c1c4369523eb9753b18b30d8e6e35ebba241e572d01624ace319be60b3e93e809ef558224f62b0a023b4b42ccd50809dade41ed2c9a47b2754b2359ba18676

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDF54.exe

Filesize
14KB

MD5
fe2fab408a5c7a931aa7953e1190d7ab

SHA1
0814cd18ff298ae8a74ebe72b1bc661bf93fd13b

SHA256
52112b6ada872132bde6f597eb2665907d8a00bbc6df865abff9a945c3c40149

SHA512
ef0b01d2d48c927390c81bad1df6e13a48a71a8a788d3d6849e6e0bdf80d20e70916295dffb1f6e98e885742fde1d9f4717a6b4fcfdd0ba13fe8258d360c3339

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME191.exe

Filesize
14KB

MD5
fa58f103628fb78b27b094a2bb6de6c7

SHA1
3e13944d4d544471c4fbe63999c456dd5acb2393

SHA256
d5ed79503e4a88a6564a07dfed4dbc8b9e36fb515a8940d93c5c40055c3e4243

SHA512
863dd7d11609cb4be4e8cd38791f1a0310f51fdff5d41bb09be8d33b2ecd14cdd5d585a3f80c4272e9b24989f97c76b37b5dcab1ec5b734de4dea1cb69c36826

Download Submit

Analysis

Sharing