f7e7a93ce6330b00d14ab3bbc9a12bb7ff30b3ce154ae739c721ad691275741c

General

Target

f7ad71d9042f3d76e659d220dd34ba98_JaffaCakes118.exe
Size

15KB
MD5

f7ad71d9042f3d76e659d220dd34ba98
SHA1

d55422b573806836906211e0e62ef013874b3dd5
SHA256

f7e7a93ce6330b00d14ab3bbc9a12bb7ff30b3ce154ae739c721ad691275741c
SHA512

6f40628e7ac1299fa5c513a7fa7c811c928cefd0d554fcd8409f2bf026b617b31b354e1e2d8368c3985c607929c7d2b2eac90f1dc5e98c64d902eb334e730c9b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl0rJHPz:hDXWipuE+K3/SSHgxmlOJHb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEM8BB5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEME1D4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEM37F3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEM8E12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	f7ad71d9042f3d76e659d220dd34ba98_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEM3529.exe

Executes dropped EXE 6 IoCs

pid	Process
3324	DEM3529.exe
916	DEM8BB5.exe
2252	DEME1D4.exe
1028	DEM37F3.exe
3012	DEM8E12.exe
648	DEME402.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 3324	792	f7ad71d9042f3d76e659d220dd34ba98_JaffaCakes118.exe	93
PID 792 wrote to memory of 3324	792	f7ad71d9042f3d76e659d220dd34ba98_JaffaCakes118.exe	93
PID 792 wrote to memory of 3324	792	f7ad71d9042f3d76e659d220dd34ba98_JaffaCakes118.exe	93
PID 3324 wrote to memory of 916	3324	DEM3529.exe	98
PID 3324 wrote to memory of 916	3324	DEM3529.exe	98
PID 3324 wrote to memory of 916	3324	DEM3529.exe	98
PID 916 wrote to memory of 2252	916	DEM8BB5.exe	100
PID 916 wrote to memory of 2252	916	DEM8BB5.exe	100
PID 916 wrote to memory of 2252	916	DEM8BB5.exe	100
PID 2252 wrote to memory of 1028	2252	DEME1D4.exe	102
PID 2252 wrote to memory of 1028	2252	DEME1D4.exe	102
PID 2252 wrote to memory of 1028	2252	DEME1D4.exe	102
PID 1028 wrote to memory of 3012	1028	DEM37F3.exe	104
PID 1028 wrote to memory of 3012	1028	DEM37F3.exe	104
PID 1028 wrote to memory of 3012	1028	DEM37F3.exe	104
PID 3012 wrote to memory of 648	3012	DEM8E12.exe	106
PID 3012 wrote to memory of 648	3012	DEM8E12.exe	106
PID 3012 wrote to memory of 648	3012	DEM8E12.exe	106

C:\Users\Admin\AppData\Local\Temp\f7ad71d9042f3d76e659d220dd34ba98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7ad71d9042f3d76e659d220dd34ba98_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:792
- C:\Users\Admin\AppData\Local\Temp\DEM3529.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3529.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\DEM8BB5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8BB5.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Users\Admin\AppData\Local\Temp\DEME1D4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME1D4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Users\Admin\AppData\Local\Temp\DEM37F3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM37F3.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1028
      - C:\Users\Admin\AppData\Local\Temp\DEM8E12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8E12.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\DEME402.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME402.exe"
        7⤵
        Executes dropped EXE
        
        PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3529.exe

Filesize
15KB

MD5
8a7c5fa341e549785654bfa8b1214206

SHA1
d7682bcd8bfe42955206c79924048d8fbcd4d667

SHA256
19d57e8616969a5254b60e533105856872015aac9903e59d0b172afbfd6020f3

SHA512
3c28e4321e88625bada83d0796a3af1414511d1d2f75348c8dc868544e9e7252fdd26f5b78f78698e2efd0a52c2cd05fe50d8e49b068c4e80e5d08884b54739e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM37F3.exe

Filesize
15KB

MD5
32de48720ec1513483f460121afa6707

SHA1
9ab86d9af0ad78cf1eaf3e10ec30100d7f34646b

SHA256
ecb98048557f08db44696f9c431cb29247072f6c0e800ba96698a0002f0fe992

SHA512
143b49f58c25fbdc65d854e12cb7e7fdb0bebd47eae03d84cae71d1d6bb808ab5fc0fa29153be6076a02020655ddb4dc1ec1a607a0e73efda1ac3739b6303235

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8BB5.exe

Filesize
15KB

MD5
daa471fd4dae5fb4945957c529d5e582

SHA1
bf469c1333c92505be2fabbfccd07f4a92d63033

SHA256
67028fcae3d2694dc0347868dd12eeeeb391f511cf6426486fffdd6a14d49386

SHA512
c5df9fed7983446847c16700e8b19a7338f7a6e493d68067ac87c0ab48187a2d2c225b333ced031ada67a3b54d57714a2ae11dc5d559c9adb8261f1dd8ba228d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8E12.exe

Filesize
15KB

MD5
e0ab53f21968b5aeed1159fe81524529

SHA1
f761127a2e91b2c89ffd8b9307e61790d0f058f3

SHA256
920b71b22261135b75017963a13f9ac3ef1c6be2ef6f304f694f285718f09e36

SHA512
eed83f86584265a989c2289780a0a731bf00cfc1e701f36a82f4f58217d0d906f2e85ea896940a23a9dbe50df5b908c1c0fe4f5d88707d59406bf097b071e1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME1D4.exe

Filesize
15KB

MD5
27791d7623607a2f988e19b80ebde2d4

SHA1
867eb0e88c0b02025578acc84a6dd521a00cc292

SHA256
d7335ee310e01894f8d96beaa10b2cae38f42730697792a72ef88b8b86b96f1e

SHA512
ee445ce6f9b9d7aa4332a43fdfb90565c0df559a194cf4c29496fcc69aa3a0856ff486c581c9654e348af9495726d2651812e5570f69feaa3ec9019b3f297fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME402.exe

Filesize
15KB

MD5
0e1f8d7e5c5dec26c73f8f03c0a4f5f9

SHA1
2a5017151254b2f0cb7563f5ab29f43e3f40ea1c

SHA256
33ae15967fd0c9c01eb65f83f0388bc0ce69427e244ff2f55bc19575ccd69daa

SHA512
80a1af596bd70b4a8fc2b303478e50b5866ab09ed5a72cc2014950a639f643c94d526ed0a4e367ab278380f3d75476e1aaa11906cea40a28258998aedb9e6ea0

Download Submit

Analysis

Sharing