af55714da39eda7c44d8a2884409f344101ffda2318f722efd0bd035ec9dece4

General

Target

fb3b7bcdc07d6803b3c41d61e5d1d255_JaffaCakes118.exe
Size

15KB
MD5

fb3b7bcdc07d6803b3c41d61e5d1d255
SHA1

389542b012ff6fa3d64522a8cf5bd17d00145054
SHA256

af55714da39eda7c44d8a2884409f344101ffda2318f722efd0bd035ec9dece4
SHA512

c40218c8a210b66f81351e80426bb54c31dcdc4cfc3936f9ab89fb590af9c6cdf1dba2f8f003bb0d2455fdf7c5efda66cfe905704b470df4c7346c035446b604
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0pjW2UWXg:hDXWipuE+K3/SSHgx49WdWXg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	DEMBD64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	DEM1373.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	DEM6973.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	DEMBFC1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	fb3b7bcdc07d6803b3c41d61e5d1d255_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	DEM66F7.exe

Executes dropped EXE 6 IoCs

pid	Process
4128	DEM66F7.exe
2076	DEMBD64.exe
3316	DEM1373.exe
620	DEM6973.exe
2500	DEMBFC1.exe
2712	DEM1592.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 4128	2316	fb3b7bcdc07d6803b3c41d61e5d1d255_JaffaCakes118.exe	99
PID 2316 wrote to memory of 4128	2316	fb3b7bcdc07d6803b3c41d61e5d1d255_JaffaCakes118.exe	99
PID 2316 wrote to memory of 4128	2316	fb3b7bcdc07d6803b3c41d61e5d1d255_JaffaCakes118.exe	99
PID 4128 wrote to memory of 2076	4128	DEM66F7.exe	104
PID 4128 wrote to memory of 2076	4128	DEM66F7.exe	104
PID 4128 wrote to memory of 2076	4128	DEM66F7.exe	104
PID 2076 wrote to memory of 3316	2076	DEMBD64.exe	108
PID 2076 wrote to memory of 3316	2076	DEMBD64.exe	108
PID 2076 wrote to memory of 3316	2076	DEMBD64.exe	108
PID 3316 wrote to memory of 620	3316	DEM1373.exe	114
PID 3316 wrote to memory of 620	3316	DEM1373.exe	114
PID 3316 wrote to memory of 620	3316	DEM1373.exe	114
PID 620 wrote to memory of 2500	620	DEM6973.exe	119
PID 620 wrote to memory of 2500	620	DEM6973.exe	119
PID 620 wrote to memory of 2500	620	DEM6973.exe	119
PID 2500 wrote to memory of 2712	2500	DEMBFC1.exe	121
PID 2500 wrote to memory of 2712	2500	DEMBFC1.exe	121
PID 2500 wrote to memory of 2712	2500	DEMBFC1.exe	121

C:\Users\Admin\AppData\Local\Temp\fb3b7bcdc07d6803b3c41d61e5d1d255_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb3b7bcdc07d6803b3c41d61e5d1d255_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\DEM66F7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM66F7.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Users\Admin\AppData\Local\Temp\DEMBD64.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBD64.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Users\Admin\AppData\Local\Temp\DEM1373.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1373.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3316
    - - C:\Users\Admin\AppData\Local\Temp\DEM6973.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6973.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:620
      - C:\Users\Admin\AppData\Local\Temp\DEMBFC1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBFC1.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\DEM1592.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1592.exe"
        7⤵
        Executes dropped EXE
        
        PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1373.exe

Filesize
15KB

MD5
1385db31859edd1c8e2b715cf7180871

SHA1
c8f90210c5ae52d4655b22716eb95778c82fc28b

SHA256
f969acf33ebe1487227c38dda4807e83f3ce94fd5d122863d45a0e287035a352

SHA512
5bce46f3363c25c6e7e243bd986cb0feffa273b19c40561a4a1aad21a9cb37e8e7c06dc1d77cfd3d9053adf9a704a72c3a94657c753775ecdceccc94c8123f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1592.exe

Filesize
15KB

MD5
5f653b2012c0721de0a84d36be7c87ca

SHA1
8268f49a5575aaa10b2f18184d119e0329dddec2

SHA256
21eea129f7a333eb2f7914d14825fa197ce62183889d6382f9831da4043ae234

SHA512
e4e275f688ccf067d23a0cf493bd7e64da25195ae85929ddcce089efec4fcb23824b1a7b2ccfae17b261302f6eef047acb525e53e3c4d4497d4eaed9bfb77607

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM66F7.exe

Filesize
15KB

MD5
3694b77cef1b708e52826792c4a72eaa

SHA1
a371839b5284802e31d83158bec8d7486a204adf

SHA256
f4f26faa2e33bcd46c162b48a07fd9355aa58eb38b53376f8c861cf8b36a0b4b

SHA512
8d52154f27f2b918c5dea3146210cab0c2e0155657b316791654465a26e4aad43b443b196614d20e9dea60a88502637062d0af6f9120810996d42bcf49bda6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6973.exe

Filesize
15KB

MD5
8a1712e0a2dded7a7a0fa8eff642a128

SHA1
6498a6c2359654f1ddf9f01be320cf8f25b9469a

SHA256
6a57dedf2013e71bb7d898078876d5c27bb4048da4dea10d3417ca7dbbeaaea7

SHA512
b09865a81e3e54a1ba5e6b27a615058f8ef84bf56a886b7eda1824b75a4b2d748ed2ee177fda7481d9ad5f630411f87b25ee042c17b67ae2c470ac7e749f6faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBD64.exe

Filesize
15KB

MD5
2a99164b6ca79f48a03ba879334c9160

SHA1
8a3b9d05955fa1ab15c3047c33ecb4658bbecbc5

SHA256
f078e3df21d70c11936464892327e57cd37e454488bf012e38ee3dba49bb90bb

SHA512
58b4e6c507bb364051ac4d8a9b8b4c674e2a9dfa9193e271e597c1ba209b9632d133d38aac6f4796599e9fda312ec2688fea134aff308ea0b7447b6993cd2d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBFC1.exe

Filesize
15KB

MD5
80b14274829c5d7ab7214e6cfd99e853

SHA1
f4046a404e3fa9526f2fd5398554e640ad015f43

SHA256
76a114b6f552cde01f9be86ed5b0a1daa96a488978154c11831e41b57a9b76ce

SHA512
6017d8d83cf3a5ca70ec8155e9f2ab8c65bc63d698bbbfd32558cb5a9fffc037ea8dbf1a95ed144cb842722a8509c4eee574738a61634ef14a6aa37a220f6e3a

Download Submit

Analysis

Sharing