fd6fa686051b07321e8ca5aad47eee1c593d5061a13d229e112727c6c3c501fe

General

Target

f6487fd7dde33f46bf442b9d92e50a50_JaffaCakes118.exe
Size

16KB
MD5

f6487fd7dde33f46bf442b9d92e50a50
SHA1

b235e3adc0ae66db916808b058c8ade43f4e1542
SHA256

fd6fa686051b07321e8ca5aad47eee1c593d5061a13d229e112727c6c3c501fe
SHA512

ce50f3bdf141fafb706e3f2866c59c7a08b74ef04032668ff12f45cab974e1c59c010ad410e2ce55be6a7434688ce8238ed23bb1c55ca17c628d628c2d4323d2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8ic:hDXWipuE+K3/SSHgxm8ic

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	f6487fd7dde33f46bf442b9d92e50a50_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	DEM35E5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	DEM8C61.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	DEME280.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	DEM3870.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	DEM8E41.exe

Executes dropped EXE 6 IoCs

pid	Process
4996	DEM35E5.exe
2308	DEM8C61.exe
3056	DEME280.exe
968	DEM3870.exe
1072	DEM8E41.exe
4000	DEME431.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 4996	2744	f6487fd7dde33f46bf442b9d92e50a50_JaffaCakes118.exe	92
PID 2744 wrote to memory of 4996	2744	f6487fd7dde33f46bf442b9d92e50a50_JaffaCakes118.exe	92
PID 2744 wrote to memory of 4996	2744	f6487fd7dde33f46bf442b9d92e50a50_JaffaCakes118.exe	92
PID 4996 wrote to memory of 2308	4996	DEM35E5.exe	97
PID 4996 wrote to memory of 2308	4996	DEM35E5.exe	97
PID 4996 wrote to memory of 2308	4996	DEM35E5.exe	97
PID 2308 wrote to memory of 3056	2308	DEM8C61.exe	99
PID 2308 wrote to memory of 3056	2308	DEM8C61.exe	99
PID 2308 wrote to memory of 3056	2308	DEM8C61.exe	99
PID 3056 wrote to memory of 968	3056	DEME280.exe	101
PID 3056 wrote to memory of 968	3056	DEME280.exe	101
PID 3056 wrote to memory of 968	3056	DEME280.exe	101
PID 968 wrote to memory of 1072	968	DEM3870.exe	103
PID 968 wrote to memory of 1072	968	DEM3870.exe	103
PID 968 wrote to memory of 1072	968	DEM3870.exe	103
PID 1072 wrote to memory of 4000	1072	DEM8E41.exe	105
PID 1072 wrote to memory of 4000	1072	DEM8E41.exe	105
PID 1072 wrote to memory of 4000	1072	DEM8E41.exe	105

C:\Users\Admin\AppData\Local\Temp\f6487fd7dde33f46bf442b9d92e50a50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6487fd7dde33f46bf442b9d92e50a50_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\DEM35E5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM35E5.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Users\Admin\AppData\Local\Temp\DEM8C61.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8C61.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\DEME280.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME280.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Users\Admin\AppData\Local\Temp\DEM3870.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3870.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:968
      - C:\Users\Admin\AppData\Local\Temp\DEM8E41.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8E41.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\DEME431.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME431.exe"
        7⤵
        Executes dropped EXE
        
        PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM35E5.exe

Filesize
16KB

MD5
0a215cb9cb842f268a0b1866a9021b4c

SHA1
bfaf0d9d3f7fe94d2580e526707ee42cd81a54ba

SHA256
e6485e0a4c775e2c1837ab9bd034eb50867f0edf51ee94c197be0db30bdf5435

SHA512
4be3810319a4241476645b19444ffe0f199c587d5fb7cc77607bb61d3afc574b44eaaebe9ee0e0bf5664c9caca6e586eeefb6b8e2e935d66753aae8e46b5af98

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3870.exe

Filesize
16KB

MD5
4b62aa6c987efcb7467ba8ed0db541ca

SHA1
ff8c5325f5a79417684460a5c5f4bc12dee95155

SHA256
34911a276fbf659b05043645e31fe28320593308462fc79ac0050c5f8cd7779a

SHA512
a7b5866a1fafc2839fc708618e3c426a11afbda98c0e24cee97f4c8810bd9482a4486a898e019baf5d1affa27aa7f68dc809260c11247cf428640830783ad0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8C61.exe

Filesize
16KB

MD5
1b0e217ac75df4bb604600b0f84a69ec

SHA1
c1b7d3804f1463919b1c3644aaa40f5dd658690b

SHA256
feef87eed00f7b9eb549a2169ee73548aa01c0a010736478a91afa07b7b14eb4

SHA512
3416a1548fd4e6e4bcc55060fefc7ac35c2ea49054a0701c9aa59fab5bb5f56441e8a62291e03c4d6b02a8782dedf60705b940b69db4c17417859ad5d0028a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8E41.exe

Filesize
16KB

MD5
c2acf932c60b6190179fb39a4d8e3e06

SHA1
775771d7b7ca51651920bc3f062ecd63f76dbdcd

SHA256
24166e5be2c7516cb703d46ed95f7867ac103f01832a1433944da0ef455b26ad

SHA512
2cb465826164cbcb3187dcbc81f3fa72c642ed4cae42b9566b1334a15d0ae42b5624056f894cba927a1780fce19ccf605651b90321803e6677c81e68a1b56528

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME280.exe

Filesize
16KB

MD5
8455b961be128b0afedbcffff0561863

SHA1
52a54cbb74f94d53e28415f368db45f9c881f340

SHA256
c5bc5979c778b29784590a41be369b9cddd9ec5dea967ce4da2b55c68896ae7f

SHA512
ff8df4787c71051ef24ab448bab2f4b7af0b32ac7d325059bb118b9e56632f8a38165526e03379d37098aa0d93be12a75199dc92e35bf53015e2f4ff52289451

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME431.exe

Filesize
16KB

MD5
26db2c9a541e9c5dbb42eecc1ae34f97

SHA1
5fc01d0cab0809e85fcba61a50cc41c4ac88565e

SHA256
477259d2dc528ee46251ce01a306bdb5685498644a6d84acfae9fda8461db1ac

SHA512
7dd442ad741478dedb0ea6313f643d50669117cd2f73d988df8dea34717e4174f3c5a6d38fdaa1e44b33795f51dca51152725606551d63316f8927a151ec2bd5

Download Submit

Analysis

Sharing