f6f39ae74494879c0cfec3ac6fe7227ca58045a43014a503034d71989131d815

General

Target

f8c429eda50f962fd92f316159947442_JaffaCakes118.exe
Size

14KB
MD5

f8c429eda50f962fd92f316159947442
SHA1

20296bb9d6e1448fe224ae20eabab5e0cdd1d080
SHA256

f6f39ae74494879c0cfec3ac6fe7227ca58045a43014a503034d71989131d815
SHA512

5f948b959609b48599d64f80f14de55cdd917b23e855eb32e967df73756518c088ef66f97ca414d77ef3dbab6dfb523bead825495e06531a1d86257ebe897f56
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhXtp:hDXWipuE+K3/SSHgx9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM84AC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	f8c429eda50f962fd92f316159947442_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM2C30.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM829D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEMD8CC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM2EDB.exe

Executes dropped EXE 6 IoCs

pid	Process
2584	DEM2C30.exe
4960	DEM829D.exe
220	DEMD8CC.exe
772	DEM2EDB.exe
916	DEM84AC.exe
4864	DEMDAAB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 2584	4392	f8c429eda50f962fd92f316159947442_JaffaCakes118.exe	90
PID 4392 wrote to memory of 2584	4392	f8c429eda50f962fd92f316159947442_JaffaCakes118.exe	90
PID 4392 wrote to memory of 2584	4392	f8c429eda50f962fd92f316159947442_JaffaCakes118.exe	90
PID 2584 wrote to memory of 4960	2584	DEM2C30.exe	95
PID 2584 wrote to memory of 4960	2584	DEM2C30.exe	95
PID 2584 wrote to memory of 4960	2584	DEM2C30.exe	95
PID 4960 wrote to memory of 220	4960	DEM829D.exe	97
PID 4960 wrote to memory of 220	4960	DEM829D.exe	97
PID 4960 wrote to memory of 220	4960	DEM829D.exe	97
PID 220 wrote to memory of 772	220	DEMD8CC.exe	99
PID 220 wrote to memory of 772	220	DEMD8CC.exe	99
PID 220 wrote to memory of 772	220	DEMD8CC.exe	99
PID 772 wrote to memory of 916	772	DEM2EDB.exe	101
PID 772 wrote to memory of 916	772	DEM2EDB.exe	101
PID 772 wrote to memory of 916	772	DEM2EDB.exe	101
PID 916 wrote to memory of 4864	916	DEM84AC.exe	103
PID 916 wrote to memory of 4864	916	DEM84AC.exe	103
PID 916 wrote to memory of 4864	916	DEM84AC.exe	103

C:\Users\Admin\AppData\Local\Temp\f8c429eda50f962fd92f316159947442_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8c429eda50f962fd92f316159947442_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Users\Admin\AppData\Local\Temp\DEM2C30.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2C30.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\DEM829D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM829D.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\DEMD8CC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD8CC.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Users\Admin\AppData\Local\Temp\DEM2EDB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2EDB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:772
      - C:\Users\Admin\AppData\Local\Temp\DEM84AC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM84AC.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\DEMDAAB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDAAB.exe"
        7⤵
        Executes dropped EXE
        
        PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2C30.exe

Filesize
14KB

MD5
3a634ad50442e9f0ce986564da85670b

SHA1
960194130191cf3a62b8469789ea950c8b15ba62

SHA256
afc8442bd8ee57c0e72b9a0bfe6306d8eeedf11550513c7a68eb544566e53de3

SHA512
96446b4c1d2905d3a98143aab97129530efccc9a2511a9e990f42c73ab857b59ef85678fec799724ce18b49d62fed56ed97906f12e87cfc79069081b87d2f691

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2EDB.exe

Filesize
14KB

MD5
0268faf7b885f4dddfe7e1e8f1e0ce1c

SHA1
2d4a8681a8c13798a1f7fcd31c92f97e4bc7ac31

SHA256
78f832fe3b0573185bbe5354feeccf8851b58a25d43a625dcaa902038b104fc5

SHA512
df767a34da24a17147e6cae5ed18ec4cfed1fe956694bf5f268d80fa68b2096966e4f27ef661adee4245f983db26ea19656deb55b97750e6e7e147736a863766

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM829D.exe

Filesize
14KB

MD5
db5e0584e3e6c4e56b03f3a6ef95dd89

SHA1
14d8ae3c02bfbfedcf1d6ae47b3af76344e639bc

SHA256
3cb348b5c4fd7dd801192f23847c8fbc05a46538ff2f75f37a5e60f9777515db

SHA512
5a9c05def08fc22e447c6d2745a757e30f59fe3596c47d5d98964666d6758cb2cbfd3185b0c6abe43aac3c450530b8efeb11dede81d24ba3d40c7282a05fc8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM84AC.exe

Filesize
14KB

MD5
8822d0ee35666a7f556c139fb320b3f8

SHA1
ec21efec4bc3e7d9c2c993a0442b6cdc228148fc

SHA256
99ab8afb0c00dff9ca14bff442d53cdbd192fb83b447b6773a1eba47046e734c

SHA512
7f3c9faeeaeef8603a18ed79905e214ae825640f8765c92f3ac28caee7b439c8fae4106d39821c02ef8b49b866c28935330ee3a99898e6f8209dc41f54dfad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD8CC.exe

Filesize
14KB

MD5
98efd53ad317e111b5fe0342ac48304e

SHA1
9e3c97af2fbcae2e1ec50f9b45bdb061255fc15e

SHA256
2d8f3e48fd1f93e1bb53cf03942cdfd76f350ad2395f5e6cbcdfcf700077e4c6

SHA512
088482a1fc5da74980d8c56210975189c3daff3ed4f25074239932f3f952622c5003beffe3386bb47b7be20a72f217dca877fade301880436c43e7c15d41a9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDAAB.exe

Filesize
14KB

MD5
532c8a1c79ef6d71446893d8a8b0cb96

SHA1
30c7adb3bbc3420fda7c45a58a2297c5d01ba641

SHA256
1bd20cadfac30dff12bdaa869bddd58498e23ba9cbea9376a6865049b025f1bb

SHA512
d4d4cc7cbfcabc77f59da4df5a5e52bcf7ffe61318f5204fd0665bb031d2b29b60f4b4a88ba92ab44183ec6e035a66d4902ffdcbffead4eeec9ef82790577259

Download Submit

Analysis

Sharing