e17a36ddf5e24e4558ddb4c543fd1b32dbd9e4de72f7bc5c76138428dd72f676

General

Target

f4e0747ca6a92351ba859aa1c546c2fa_JaffaCakes118.exe
Size

16KB
MD5

f4e0747ca6a92351ba859aa1c546c2fa
SHA1

f77ceec5959b28d5e45779ba980643566b57cc41
SHA256

e17a36ddf5e24e4558ddb4c543fd1b32dbd9e4de72f7bc5c76138428dd72f676
SHA512

dd03c7d300d039f321180266c5d30d47c31a5c4dc22f566fc0d858d5f59019732193f5b0a4aad1f6f96b276f9e32ff5fc9f12b2959d8031849f7d6042b0104e1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlB:hDXWipuE+K3/SSHgxmlB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	f4e0747ca6a92351ba859aa1c546c2fa_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEM53EC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEMAD66.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEM4FC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEM5CD1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEMB4B5.exe

Executes dropped EXE 6 IoCs

pid	Process
884	DEM53EC.exe
2916	DEMAD66.exe
1408	DEM4FC.exe
1540	DEM5CD1.exe
4092	DEMB4B5.exe
116	DEMC99.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 884	2224	f4e0747ca6a92351ba859aa1c546c2fa_JaffaCakes118.exe	89
PID 2224 wrote to memory of 884	2224	f4e0747ca6a92351ba859aa1c546c2fa_JaffaCakes118.exe	89
PID 2224 wrote to memory of 884	2224	f4e0747ca6a92351ba859aa1c546c2fa_JaffaCakes118.exe	89
PID 884 wrote to memory of 2916	884	DEM53EC.exe	94
PID 884 wrote to memory of 2916	884	DEM53EC.exe	94
PID 884 wrote to memory of 2916	884	DEM53EC.exe	94
PID 2916 wrote to memory of 1408	2916	DEMAD66.exe	96
PID 2916 wrote to memory of 1408	2916	DEMAD66.exe	96
PID 2916 wrote to memory of 1408	2916	DEMAD66.exe	96
PID 1408 wrote to memory of 1540	1408	DEM4FC.exe	98
PID 1408 wrote to memory of 1540	1408	DEM4FC.exe	98
PID 1408 wrote to memory of 1540	1408	DEM4FC.exe	98
PID 1540 wrote to memory of 4092	1540	DEM5CD1.exe	100
PID 1540 wrote to memory of 4092	1540	DEM5CD1.exe	100
PID 1540 wrote to memory of 4092	1540	DEM5CD1.exe	100
PID 4092 wrote to memory of 116	4092	DEMB4B5.exe	102
PID 4092 wrote to memory of 116	4092	DEMB4B5.exe	102
PID 4092 wrote to memory of 116	4092	DEMB4B5.exe	102

C:\Users\Admin\AppData\Local\Temp\f4e0747ca6a92351ba859aa1c546c2fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4e0747ca6a92351ba859aa1c546c2fa_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\DEM53EC.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM53EC.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Users\Admin\AppData\Local\Temp\DEMAD66.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAD66.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\DEM4FC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4FC.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\Users\Admin\AppData\Local\Temp\DEM5CD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5CD1.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Users\Admin\AppData\Local\Temp\DEMB4B5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB4B5.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\DEMC99.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC99.exe"
        7⤵
        Executes dropped EXE
        
        PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4FC.exe

Filesize
16KB

MD5
8b91cadaea02ccfdfb2dbfb72c06b392

SHA1
b9bda512e5e3d8597c4d93efa8011f2ba230f04c

SHA256
0dfc7298620be359b5ead0fb91be5d70982708c802f01727143fe497d60e0780

SHA512
fa276f576797cae94a8c98ca9cd6d109c4a5ef2927339de7bbca42ed49094c4253cd54030fd3e07860a96f62bcb7cc99aaa75cb21bd77207cd74711948e38944

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM53EC.exe

Filesize
16KB

MD5
237469299ea4cd8332c164885a0bf2da

SHA1
cb122429e8627f9bf2aaa2365f359bfd50b63f52

SHA256
661fb4c068f05d6ca0b2ed20ff36e965c7616f61a751a310e15ea8d0d65b5367

SHA512
4788748b7a1f69de0f7514963d14f9c8f2421e0313f6d06b993305ec651b2d6de58f855ee850334d5380a399589dc74f799a000770b4c2ee86dd885173efb35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5CD1.exe

Filesize
16KB

MD5
10b943b8f8dfe449abd686832400df26

SHA1
42fc6221f6c44622fd2e21813a1f565f7929469f

SHA256
edfb9e9159f3c70c4eed0611287a0a0980dc5ec8aa9b583a1334b8a8d2786626

SHA512
93d0d2aa4335c8776bc68856ca290ff871239dbd9b267cc53f4028045efd6f399ce423ae19e5632970c04519d0a8fd4e36c9811285c4b3b9932bd6c1c7f21998

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAD66.exe

Filesize
16KB

MD5
83924466f0a2b5587831eef754179204

SHA1
4a2fa56e0a1fc5441f1a37f58f2ceb7db7c317cd

SHA256
427237580183662ca0fbbb7c1480426fbf757f4aba8f9353324b8203040bc80c

SHA512
0e567b1486e8ac0ee72fd18756c54074d252ec8a4fceef48e6301a3a481b2ab2e33b43cf2baa651e9dea545b3daaa2b3d75048196d96d3367951d8ea368dab7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB4B5.exe

Filesize
16KB

MD5
d3b3dd6649a0ed51f0a161810e6a198c

SHA1
3f5e1d4aae488c4fa2e4199953257a4305530bf7

SHA256
eca1ebd5a997aaa71494a200853c30d0972c8ad9b4cf46f1baef9cb2241dd53c

SHA512
da62dd4fd45b4515008cb84dd5351fe48576e438e0329e9570104fa4fc3e00340a7de80dd9357d56873809f46382f0d40ef432a93dfdf0a34647223ff4fe1c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC99.exe

Filesize
16KB

MD5
c90abf28b46910e41d1138ec7279d002

SHA1
494bab3ec03bf60fc5d04bd0eb75dfd5d86a1a91

SHA256
f0381a9ee43ac6af57d34749bd9dfc6d074c336a1e00c90a2f0544967a0c3bae

SHA512
99fa610425679a3eee79984b2104475e82b485bd8a596e601f3265725602395810029a2010bded95aa2f8bb09153311ae9fd333732105cbf4df88468b54f6c22

Download Submit

Analysis

Sharing