aa2b5dfdbcdc575e456161b37d4290444070217e874b9e66276cfa687f1090cc

General

Target

fa3bb13c3afb72fe3c4ad1f3eec80bc0_JaffaCakes118.exe
Size

14KB
MD5

fa3bb13c3afb72fe3c4ad1f3eec80bc0
SHA1

2a936b3b7742fad42f65c50c2a9202d12bc403b5
SHA256

aa2b5dfdbcdc575e456161b37d4290444070217e874b9e66276cfa687f1090cc
SHA512

71a851b4b4d50d9d1abfb2a23de797a8733bd7be0986e3acc24d707c4c9205fbed7f0b67d9e5b5a589487c0da74e96e96dfd9bfdadc5158fd143be7558a4f355
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5N:hDXWipuE+K3/SSHgxmz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEMB35D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	fa3bb13c3afb72fe3c4ad1f3eec80bc0_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEM59F7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEMB0A3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEM6E1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEM5D0F.exe

Executes dropped EXE 6 IoCs

pid	Process
1052	DEM59F7.exe
4308	DEMB0A3.exe
3148	DEM6E1.exe
2084	DEM5D0F.exe
3488	DEMB35D.exe
3192	DEM99B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 1052	4088	fa3bb13c3afb72fe3c4ad1f3eec80bc0_JaffaCakes118.exe	91
PID 4088 wrote to memory of 1052	4088	fa3bb13c3afb72fe3c4ad1f3eec80bc0_JaffaCakes118.exe	91
PID 4088 wrote to memory of 1052	4088	fa3bb13c3afb72fe3c4ad1f3eec80bc0_JaffaCakes118.exe	91
PID 1052 wrote to memory of 4308	1052	DEM59F7.exe	96
PID 1052 wrote to memory of 4308	1052	DEM59F7.exe	96
PID 1052 wrote to memory of 4308	1052	DEM59F7.exe	96
PID 4308 wrote to memory of 3148	4308	DEMB0A3.exe	99
PID 4308 wrote to memory of 3148	4308	DEMB0A3.exe	99
PID 4308 wrote to memory of 3148	4308	DEMB0A3.exe	99
PID 3148 wrote to memory of 2084	3148	DEM6E1.exe	101
PID 3148 wrote to memory of 2084	3148	DEM6E1.exe	101
PID 3148 wrote to memory of 2084	3148	DEM6E1.exe	101
PID 2084 wrote to memory of 3488	2084	DEM5D0F.exe	104
PID 2084 wrote to memory of 3488	2084	DEM5D0F.exe	104
PID 2084 wrote to memory of 3488	2084	DEM5D0F.exe	104
PID 3488 wrote to memory of 3192	3488	DEMB35D.exe	106
PID 3488 wrote to memory of 3192	3488	DEMB35D.exe	106
PID 3488 wrote to memory of 3192	3488	DEMB35D.exe	106

C:\Users\Admin\AppData\Local\Temp\fa3bb13c3afb72fe3c4ad1f3eec80bc0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa3bb13c3afb72fe3c4ad1f3eec80bc0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Users\Admin\AppData\Local\Temp\DEM59F7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM59F7.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Users\Admin\AppData\Local\Temp\DEMB0A3.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB0A3.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Users\Admin\AppData\Local\Temp\DEM6E1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6E1.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3148
    - - C:\Users\Admin\AppData\Local\Temp\DEM5D0F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5D0F.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2084
      - C:\Users\Admin\AppData\Local\Temp\DEMB35D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB35D.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\DEM99B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM99B.exe"
        7⤵
        Executes dropped EXE
        
        PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM59F7.exe

Filesize
14KB

MD5
49e8d4596a750860c8bf844a2ec266a5

SHA1
323f7d9ba6a17fd4e65eb6cbe65995fcff454b79

SHA256
7b398182a1a095a5a54ff539ba4648a3deaac5b91995670743d819bfe5998648

SHA512
5cee74bf7cd48bba42a0cefae1b6f42f0844a76960ba444c0332e8ab9815107bc3116627a1fe982f6a3a4d5afc3c8dd90b0d4a5d1748f4b93ad829c465587093

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5D0F.exe

Filesize
14KB

MD5
f3ba88ce056f3ec657d783e63403b24f

SHA1
29fa0536468699486620549b4d9043ef653204ca

SHA256
05a52dd53c016b992eb9e8fad9af40e5876e23634938bbe6989276a1e3f7930b

SHA512
faa49e6e8d428de2dcd8e91a69406e28fa058ecb05ce5638b77747b3f21f29b275047e501d88517510586d03f207982c38050abac3a538b733dd9cfe11929df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6E1.exe

Filesize
14KB

MD5
f9614d8918aa2dd261ca201cd0c14a75

SHA1
077e6e64ebf0dacb939fb88eaedf1f7fdae47912

SHA256
2c3e2361f728957d8af249c5815bca98f80b039d55c3a5dce9cdb6c7d8dc5b34

SHA512
9a6a8897b40010138e2739524ea90eabff2ee0beee04b2e51645b1619ae53db9af9bad1d894f553f7a24cdde1485ada111d18c53e181cb8f08658f524db0d55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM99B.exe

Filesize
15KB

MD5
756cd21ae8d6ebe5ed14e439c7093f47

SHA1
97b0a1cb4e640973a94109f4d5d8f0099869ad43

SHA256
69b0fc2eb847d0a00365da55c1c9b60d575cb2fd011e746f4f56d6cffdd2ee48

SHA512
d6489ea93671f07103fcf6d0c2f73cf13c9caff5011e4f691844efcf85ac82c51ef5de462db9f3eabd4d3754216c5d05ca4faa17572ad9145a435ae472bd6ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB0A3.exe

Filesize
14KB

MD5
d39abe738063147bc9568c1686689b29

SHA1
11a2663423522530d40574ef690d41112c82b587

SHA256
64d909c7da294a29fb4b893ce426f201fde403667ee69aa0c4971ff111c51a12

SHA512
decdfdb54ffcd10e66794e069cccd37d2fed661940d32d7773a1fcfda2db716eaa3ac2bd0014782c42a95065fca5aa64e036e5708fdbce10bd1353efbad2d82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB35D.exe

Filesize
14KB

MD5
09b35073cdb250ee847503b245bd88f7

SHA1
2391b2101e0d729206ac1c195382990bdab5cbdf

SHA256
936e31978d9e1d244a1493b6c839b5c1a989b5d14291ad43ce2bde3d6e4e2fe1

SHA512
446d78b2026355a25a4d6bdefc741f2756258578edda9e8e29250b1db4e4027caf3ffc3e7f72cf4cbfebf22a65eeac2f3b1a5b010fa0fc6a54caa44ee910b040

Download Submit

Analysis

Sharing