3a4889991efdcb2969f466a8e6b73205d2774ce413b67ca49f1c02e4043869f2

General

Target

f6e6570d810f030b6c3bc9d9d3277532_JaffaCakes118.exe
Size

16KB
MD5

f6e6570d810f030b6c3bc9d9d3277532
SHA1

c333eb306c44458c171d7a9ef952f2a733fc2ff1
SHA256

3a4889991efdcb2969f466a8e6b73205d2774ce413b67ca49f1c02e4043869f2
SHA512

614d1f8b89703e529d868bd1dbffb433bc37221c809020c1e0bc088a76a66ffcb3ab8bbabb974d1ee445763fdabbca2242d54314c8443fb5e5b29b3fbab4536d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhp/:hDXWipuE+K3/SSHgxf/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEM75B3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	f6e6570d810f030b6c3bc9d9d3277532_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEMF2FB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEM66D3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEMC5BC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	DEM1E6B.exe

Executes dropped EXE 6 IoCs

pid	Process
5064	DEMF2FB.exe
5112	DEM66D3.exe
1220	DEMC5BC.exe
4468	DEM1E6B.exe
3320	DEM75B3.exe
5108	DEMD2B7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 5064	116	f6e6570d810f030b6c3bc9d9d3277532_JaffaCakes118.exe	92
PID 116 wrote to memory of 5064	116	f6e6570d810f030b6c3bc9d9d3277532_JaffaCakes118.exe	92
PID 116 wrote to memory of 5064	116	f6e6570d810f030b6c3bc9d9d3277532_JaffaCakes118.exe	92
PID 5064 wrote to memory of 5112	5064	DEMF2FB.exe	95
PID 5064 wrote to memory of 5112	5064	DEMF2FB.exe	95
PID 5064 wrote to memory of 5112	5064	DEMF2FB.exe	95
PID 5112 wrote to memory of 1220	5112	DEM66D3.exe	97
PID 5112 wrote to memory of 1220	5112	DEM66D3.exe	97
PID 5112 wrote to memory of 1220	5112	DEM66D3.exe	97
PID 1220 wrote to memory of 4468	1220	DEMC5BC.exe	99
PID 1220 wrote to memory of 4468	1220	DEMC5BC.exe	99
PID 1220 wrote to memory of 4468	1220	DEMC5BC.exe	99
PID 4468 wrote to memory of 3320	4468	DEM1E6B.exe	101
PID 4468 wrote to memory of 3320	4468	DEM1E6B.exe	101
PID 4468 wrote to memory of 3320	4468	DEM1E6B.exe	101
PID 3320 wrote to memory of 5108	3320	DEM75B3.exe	103
PID 3320 wrote to memory of 5108	3320	DEM75B3.exe	103
PID 3320 wrote to memory of 5108	3320	DEM75B3.exe	103

C:\Users\Admin\AppData\Local\Temp\f6e6570d810f030b6c3bc9d9d3277532_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6e6570d810f030b6c3bc9d9d3277532_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Local\Temp\DEMF2FB.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF2FB.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\DEM66D3.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM66D3.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\DEMC5BC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC5BC.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1220
    - - C:\Users\Admin\AppData\Local\Temp\DEM1E6B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1E6B.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
      - C:\Users\Admin\AppData\Local\Temp\DEM75B3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM75B3.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\DEMD2B7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD2B7.exe"
        7⤵
        Executes dropped EXE
        
        PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1E6B.exe

Filesize
16KB

MD5
8f3c92dfd22c0b45f0d80005ea255c6b

SHA1
c97619f5afd484254f3a905c11f14d4f1aab8e09

SHA256
a05492300e9f1b150d4413d1352142a7d693558b4565cb61845d934eb9ef73a0

SHA512
90cd76c8833f52d800feee9baacda9c44eac6370e822afa9d152d40128957cec8e3e3f4bb69d1a2fdcb38311a98bf506c26fe85f088f7e665089efdfd30d3767

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM66D3.exe

Filesize
16KB

MD5
952e9db7c1663224cc450a3bf15c5bca

SHA1
4d414d603b2b9ea6ee8ff6c73ccf0c48cd52ea2d

SHA256
eec86f45f07cb7f5998cc7713bbb5eafc567bfe16cdfd75f96bfd2d27b8ca744

SHA512
223716d00e648a25e0dd45349ac9bdcde07c477e208dabcfb396a647fd2b7ab50fe2b102dc78c926f0356538a255e7b8823dc56b71d5df64b6f8205ded6a8492

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM75B3.exe

Filesize
16KB

MD5
35fe2cc4b8b5d71ba854c598610bd1f2

SHA1
6e99537d5846febbbdd12a9c6090fa5c627d8505

SHA256
5cbd1662c85fef8c800d35ba5c7df5069ec24d065b77f9e3f84956129a8131e7

SHA512
5af74dd2bef6bd301fe48388cf21efbfcb87e199b0b299461f40403423b122cf7dc679811baa343b1236666d6d95e90959d64ca8688570610fc402e032d256a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC5BC.exe

Filesize
16KB

MD5
4e69df90cff2d169ce3f0a3265df1b5c

SHA1
3318c9118ee07965bf42fe11d3ee3a35fa61f4c3

SHA256
05372cc0d14eff3593d4e93b923e13025fb5e86343a1545f2726223463fe914a

SHA512
e405354f6af8605a4db640280758347c61737beeb43abff0e543449d46cde6a8a58cfa08788419813072784f8b2acdba21344ed10d3973a8f90d422ce3bd19b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD2B7.exe

Filesize
16KB

MD5
eb0d6b942f23c9be6820a7f09afbd64c

SHA1
d5bdab8609cd43bdd68b4446713622a316edc448

SHA256
346db39fc69cdf11880225fd1f3adcacae1e8d314608e2cf1b0a6510eb0cf0cd

SHA512
e34f07954a6ac2131989c6d1deeb3a2072875dbbfd2e96953d742edceb5c99e54d2b786416bcbd8a0fe5d83604b00ed3d79677efcaa89c7dcef631ae15df1ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF2FB.exe

Filesize
16KB

MD5
b6ad45df64eb36210a8b7e6a6fb35bfa

SHA1
3dae06564b76ca8d22c43f00131b2a2c676d2ade

SHA256
556c3dee300a3e7ae5ce36081abece7d7b498731f2fb3d6a3cd9a962111ad9b3

SHA512
be1a1d2e95b26ab28945ac6257f9d3449cf6c1fdfb3223f1c53dcd636d2dced95072ccc47471dde594118a88724da99746bbf23bccbef49c536b7eb959029b28

Download Submit

Analysis

Sharing