a95ecd294d94d0c4678acc80fddd63435121fcdc4cdb97b41dbe584b058e6788

General

Target

f80d23ffe39f892d2602f788446196f7_JaffaCakes118.exe
Size

20KB
MD5

f80d23ffe39f892d2602f788446196f7
SHA1

83236b54227ef31cafcf36fe4aa792c520e94ece
SHA256

a95ecd294d94d0c4678acc80fddd63435121fcdc4cdb97b41dbe584b058e6788
SHA512

b9677790b9e9384ffe91b338c790989739cb1257915e78fd5b1080e8f746cd481287f3810a513787fe943b7dcdf9639ca598117cecc6fbe00fb6701520006263
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4P8Uzsj:hDXWipuE+K3/SSHgxmHZP+j

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation	DEM74DD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation	DEMCBE6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation	f80d23ffe39f892d2602f788446196f7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation	DEM6987.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation	DEMC1D9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation	DEM19CC.exe

Executes dropped EXE 6 IoCs

pid	Process
2680	DEM6987.exe
3600	DEMC1D9.exe
3304	DEM19CC.exe
2320	DEM74DD.exe
2340	DEMCBE6.exe
4256	DEM239B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2680	1624	f80d23ffe39f892d2602f788446196f7_JaffaCakes118.exe	90
PID 1624 wrote to memory of 2680	1624	f80d23ffe39f892d2602f788446196f7_JaffaCakes118.exe	90
PID 1624 wrote to memory of 2680	1624	f80d23ffe39f892d2602f788446196f7_JaffaCakes118.exe	90
PID 2680 wrote to memory of 3600	2680	DEM6987.exe	95
PID 2680 wrote to memory of 3600	2680	DEM6987.exe	95
PID 2680 wrote to memory of 3600	2680	DEM6987.exe	95
PID 3600 wrote to memory of 3304	3600	DEMC1D9.exe	97
PID 3600 wrote to memory of 3304	3600	DEMC1D9.exe	97
PID 3600 wrote to memory of 3304	3600	DEMC1D9.exe	97
PID 3304 wrote to memory of 2320	3304	DEM19CC.exe	99
PID 3304 wrote to memory of 2320	3304	DEM19CC.exe	99
PID 3304 wrote to memory of 2320	3304	DEM19CC.exe	99
PID 2320 wrote to memory of 2340	2320	DEM74DD.exe	101
PID 2320 wrote to memory of 2340	2320	DEM74DD.exe	101
PID 2320 wrote to memory of 2340	2320	DEM74DD.exe	101
PID 2340 wrote to memory of 4256	2340	DEMCBE6.exe	103
PID 2340 wrote to memory of 4256	2340	DEMCBE6.exe	103
PID 2340 wrote to memory of 4256	2340	DEMCBE6.exe	103

C:\Users\Admin\AppData\Local\Temp\f80d23ffe39f892d2602f788446196f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f80d23ffe39f892d2602f788446196f7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\Temp\DEM6987.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6987.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\DEMC1D9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC1D9.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Users\Admin\AppData\Local\Temp\DEM19CC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM19CC.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Users\Admin\AppData\Local\Temp\DEM74DD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM74DD.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - C:\Users\Admin\AppData\Local\Temp\DEMCBE6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCBE6.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\DEM239B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM239B.exe"
        7⤵
        Executes dropped EXE
        
        PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM19CC.exe

Filesize
20KB

MD5
f8f7065e7865595e996ea5dec00c3cdf

SHA1
05383f313071e42973e9d14f89d06a324aebd874

SHA256
c3cd831f2fd06454a2fa583283a95efeef0500c8c6ada598f4fde4f4017d4923

SHA512
8d19b94b08e50d271fd14c585708639a6149ff5e1c257466ea7a6d174fa0444f755f73c14a6b81c717355f76bdfa7c17ddb476aa925bb3a4f51233273f8ae5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM239B.exe

Filesize
20KB

MD5
0f4ba935c3fb0213322008de7d5c2e2b

SHA1
b4f593f7bfbc5dcb768744f1dbeb7b99279fb671

SHA256
28b084c26afeb82c84188b4f1ce64c48f891e2439ebb03c24dbd7e7f4fc35121

SHA512
a1b439801324a5ec7ae292df2a23fec2e540c0f232d346cf05fa37d057bdf4828053fe99f95f2ddcff4a07eee13eb240882393a9841dca329b48ef5b427f5fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6987.exe

Filesize
20KB

MD5
7469b97903942f76fce0c40136254509

SHA1
1341de296a28885a7a60b83b87326affe05d101c

SHA256
5515bac13d6a093e0eea45cdac7d9cb06e368d35fa3d9feaf04506c285a64cc4

SHA512
219544dc01df5f0da7995ad80c8545448283ba519506bbd4a76db95de0ae679fa50a9c4e9370ed779cb1416fc29013bd326fb65a9ec3f4995071289ff3c54228

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM74DD.exe

Filesize
20KB

MD5
774257f0f30d25d791c405ada126db64

SHA1
5b179bbeaf44c90b88aca0a3486181b33961ef54

SHA256
ab7b284a62a494bbf2d6567e2fd63bf6b3c8c77760b2de295f44a2e5caa4724f

SHA512
b94a17ce6f11f70b9577c656f9bf7a1fd322fc57e683a975bf2e61c83c56dfa6b07ffe382d6cbd7365eb453813a02724dde53a4c919612be5fd4663938cfe605

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC1D9.exe

Filesize
20KB

MD5
e18c85401a5c7d47eebfaa7a77751599

SHA1
48875328173ebe5b09d054fc9809cb3061498861

SHA256
ab7407ff8e864604a91aaf36a665a0aa81eb15afe519c7dba9587dc10bdb3e3f

SHA512
2ed1a3ec38c91cff91209b4893f93a964e9feb13785d0ddd6c735d5ca5820a05ccbcd76bbad0f51c9889c8671bda16cd26e9b0865899b4e74d5c60177188fea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCBE6.exe

Filesize
20KB

MD5
565303701ae8b623975d26098405dfd4

SHA1
80b6967bf2e7f7215553958a3119253d45c62b23

SHA256
df8704371d82a6fd72dc46c9addf5abbbbc98bf299b316cf28a15efd6a172667

SHA512
851114b384b8ff64aa611b65d5ef21cddd23cb6cb4138f54c703005af8509d7cac8e2a820321b6db9eb33f5e1765d8476963c263c10544d43f13b23a82a2b167

Download Submit

Analysis

Sharing