1a5370a55acf6877d9f3ce635982256ed9c92356966dc53fcc72c7697fd28aad

General

Target

f8fae6346f86f1f2a9034a2077f98765_JaffaCakes118.exe
Size

16KB
MD5

f8fae6346f86f1f2a9034a2077f98765
SHA1

3361ad68095212097d88767e28c803440dcff6ca
SHA256

1a5370a55acf6877d9f3ce635982256ed9c92356966dc53fcc72c7697fd28aad
SHA512

b4f6fdcd268e8e0034dbb943c34355ee422af9d7274c34b633cd2924aa4f67d4ae34d248cb20fe6e485b94df8a4492b926cc51543014a36e9e489e702576d572
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZlHfqr:hDXWipuE+K3/SSHgx3l/2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation	f8fae6346f86f1f2a9034a2077f98765_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation	DEM9BC3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation	DEMF53D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation	DEM4CA4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation	DEMA4F5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation	DEMFCF9.exe

Executes dropped EXE 6 IoCs

pid	Process
2536	DEM9BC3.exe
812	DEMF53D.exe
2444	DEM4CA4.exe
1580	DEMA4F5.exe
4332	DEMFCF9.exe
3860	DEM5412.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 2536	1028	f8fae6346f86f1f2a9034a2077f98765_JaffaCakes118.exe	91
PID 1028 wrote to memory of 2536	1028	f8fae6346f86f1f2a9034a2077f98765_JaffaCakes118.exe	91
PID 1028 wrote to memory of 2536	1028	f8fae6346f86f1f2a9034a2077f98765_JaffaCakes118.exe	91
PID 2536 wrote to memory of 812	2536	DEM9BC3.exe	94
PID 2536 wrote to memory of 812	2536	DEM9BC3.exe	94
PID 2536 wrote to memory of 812	2536	DEM9BC3.exe	94
PID 812 wrote to memory of 2444	812	DEMF53D.exe	96
PID 812 wrote to memory of 2444	812	DEMF53D.exe	96
PID 812 wrote to memory of 2444	812	DEMF53D.exe	96
PID 2444 wrote to memory of 1580	2444	DEM4CA4.exe	98
PID 2444 wrote to memory of 1580	2444	DEM4CA4.exe	98
PID 2444 wrote to memory of 1580	2444	DEM4CA4.exe	98
PID 1580 wrote to memory of 4332	1580	DEMA4F5.exe	100
PID 1580 wrote to memory of 4332	1580	DEMA4F5.exe	100
PID 1580 wrote to memory of 4332	1580	DEMA4F5.exe	100
PID 4332 wrote to memory of 3860	4332	DEMFCF9.exe	102
PID 4332 wrote to memory of 3860	4332	DEMFCF9.exe	102
PID 4332 wrote to memory of 3860	4332	DEMFCF9.exe	102

C:\Users\Admin\AppData\Local\Temp\f8fae6346f86f1f2a9034a2077f98765_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8fae6346f86f1f2a9034a2077f98765_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Local\Temp\DEM9BC3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9BC3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\DEMF53D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF53D.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Users\Admin\AppData\Local\Temp\DEM4CA4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4CA4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Users\Admin\AppData\Local\Temp\DEMA4F5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA4F5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Users\Admin\AppData\Local\Temp\DEMFCF9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFCF9.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\DEM5412.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5412.exe"
        7⤵
        Executes dropped EXE
        
        PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4CA4.exe

Filesize
16KB

MD5
f90b748833d440b4337bb5cda74e3192

SHA1
667b67add70443030b0b1657669f36956bb4a466

SHA256
6a29945e67d66bfa05b374e76290713671e4b58d5c9609640396072d5499337b

SHA512
2fd3487cbf41a6cc1825224bfd4b37153210c8d32ab5ae6987cee11cb7f54b99a48db47d254e3d79d5cb9da4a53e8eef71ae6614ded934e283aa2b7959046038

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5412.exe

Filesize
16KB

MD5
e6e352944a21fdeecf733efac4a177da

SHA1
17aea949d9e19b4f0bb978d783192f6cbd8dee49

SHA256
822ac34bc389357d79eba5a7da58e69c690f781406d2c2c1b86d46944a6c917a

SHA512
7620601ee096362400ab97df7406ec668e5e5192b7f6ba04bf3b92f6b484aa80f3c5d543a6ca1bd69dccb2ba93f72be95a3b38ac934311426f0516ee25278737

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9BC3.exe

Filesize
16KB

MD5
71dded6ae856d679656b1ed053855595

SHA1
95a357641b985008f0360c94179bb1f2de114a7a

SHA256
882f5ee147aca6af1000ef739a1bf61bcb341831780e65c73c238389f7281094

SHA512
0fc1a51a5ea3e16e4261e99e21e6cba2e937e61713da786609b7834cd13b3748958d6abbb218f8d18e93c829016e71b642207bd41d0748f535b5bfea5143eeb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA4F5.exe

Filesize
16KB

MD5
2075aeb20c692a74170b87e996d7f2e7

SHA1
fb3b6a4b9457e6057710cf316b5c28dc5ed6457e

SHA256
59bcd46448a58310e066b606d8cafacb007d03ae20c7d148b76c0ead80798832

SHA512
ec5933cd742278e488d1c8e9f6260e149d8d01ced9f16c5f7f58b44c0080de5d9c6b1766ec851567e9879a0e0303347ec4c0381f1d39b15a7a1e4655ace6ca3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF53D.exe

Filesize
16KB

MD5
7f9249c6f61bc733345b37610709d91e

SHA1
014cecb886ab8ac20ce4373fce758c74a759277d

SHA256
9047bc402258ad5eb81e7a9f9d094bb36a743cec512afa76d7ccca19c3b88f6b

SHA512
32d3bd5acb45ce5980a65c9b48d70bf161a6175e0449b907939094a76bddedd2f163e54530cde4ef7f23eaf7e6d86dd9c07894a95db17bc1ac60fa8a24fda178

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFCF9.exe

Filesize
16KB

MD5
25b4ba1d37e095f20fbbf3d426e62eda

SHA1
60998da17e7c2bf8400815d861fc08c7a177ec53

SHA256
57d5fd9073ec2c227e2318936591b278158856f883e445618822654bedea5efa

SHA512
d9418f50b51f5c108a40d50d18153bb53103f361de743a1e8cd7765e3d048a1147c315fc157f4bbc05791581f8709f059cfca00f03b09cdf7ef0ab348841e438

Download Submit

Analysis

Sharing