c0886cc4e3aa82033ef87770af50bfda7b63fbf38f31a2d65b19f728768bab4f

General

Target

fa83bf7904cba0c1944963dd0bcd626e_JaffaCakes118.exe
Size

20KB
MD5

fa83bf7904cba0c1944963dd0bcd626e
SHA1

3a25157344d951c9e328b42fcaf8380c7d20c001
SHA256

c0886cc4e3aa82033ef87770af50bfda7b63fbf38f31a2d65b19f728768bab4f
SHA512

16168bab7c16d8474feee48fb0da3a80d1654fa194da472493f01b7734dd577694478b7d09765d3ab538c210985dd6028ced76f2967eca0d562f61049a020c8e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L41mm:hDXWipuE+K3/SSHgxmHZ1B

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	DEMD79E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	DEM2DCD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	fa83bf7904cba0c1944963dd0bcd626e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	DEMD503.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	DEM2B80.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	DEM819F.exe

Executes dropped EXE 6 IoCs

pid	Process
1296	DEMD503.exe
2340	DEM2B80.exe
4648	DEM819F.exe
2356	DEMD79E.exe
1504	DEM2DCD.exe
4704	DEM840B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 1296	3188	fa83bf7904cba0c1944963dd0bcd626e_JaffaCakes118.exe	94
PID 3188 wrote to memory of 1296	3188	fa83bf7904cba0c1944963dd0bcd626e_JaffaCakes118.exe	94
PID 3188 wrote to memory of 1296	3188	fa83bf7904cba0c1944963dd0bcd626e_JaffaCakes118.exe	94
PID 1296 wrote to memory of 2340	1296	DEMD503.exe	99
PID 1296 wrote to memory of 2340	1296	DEMD503.exe	99
PID 1296 wrote to memory of 2340	1296	DEMD503.exe	99
PID 2340 wrote to memory of 4648	2340	DEM2B80.exe	101
PID 2340 wrote to memory of 4648	2340	DEM2B80.exe	101
PID 2340 wrote to memory of 4648	2340	DEM2B80.exe	101
PID 4648 wrote to memory of 2356	4648	DEM819F.exe	104
PID 4648 wrote to memory of 2356	4648	DEM819F.exe	104
PID 4648 wrote to memory of 2356	4648	DEM819F.exe	104
PID 2356 wrote to memory of 1504	2356	DEMD79E.exe	112
PID 2356 wrote to memory of 1504	2356	DEMD79E.exe	112
PID 2356 wrote to memory of 1504	2356	DEMD79E.exe	112
PID 1504 wrote to memory of 4704	1504	DEM2DCD.exe	114
PID 1504 wrote to memory of 4704	1504	DEM2DCD.exe	114
PID 1504 wrote to memory of 4704	1504	DEM2DCD.exe	114

C:\Users\Admin\AppData\Local\Temp\fa83bf7904cba0c1944963dd0bcd626e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa83bf7904cba0c1944963dd0bcd626e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Users\Admin\AppData\Local\Temp\DEMD503.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMD503.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Users\Admin\AppData\Local\Temp\DEM2B80.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM2B80.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\DEM819F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM819F.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4648
    - - C:\Users\Admin\AppData\Local\Temp\DEMD79E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD79E.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Users\Admin\AppData\Local\Temp\DEM2DCD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2DCD.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\DEM840B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM840B.exe"
        7⤵
        Executes dropped EXE
        
        PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2B80.exe

Filesize
20KB

MD5
716baaef335a16b96c54e34e0e9d8a3f

SHA1
71f5346e4bb01d3de23446be4f0ba7b115350127

SHA256
5c9eadc037daed34fd2c4f8bd9d41dc9aa3ba10929ecd3b78b1881b5873b0f13

SHA512
6ddbe71e67e9792f61010755c8e4dc09c37b7be3982ac970b3fe74ecb3ea378ddc3bc4105a0182e91d4af099a1fbe309724f6ba252df576063579c754092005f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2DCD.exe

Filesize
20KB

MD5
43e1564e8713cfa108193398bf3396f3

SHA1
9dd5ff6d152c9585d9e887de78307885364e09fe

SHA256
73a2ca3fc57274f07f1b5973f891238e038b3d5190f1a0aaf33f6f62f7f5607a

SHA512
66db90c9dc2a2114ded27d8c18c30d31dbebebf405cda3512c8308bf10f6d397ce403872ee0003c5fed67552471beece972925b1b46474c79d208f474d714509

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM819F.exe

Filesize
20KB

MD5
c9fa6847226608b0c14e5cb60c5eff13

SHA1
552a47bbda22e8a09e469649bf36a123ee9fefb6

SHA256
4f9f3dd33583fb5d87fb5d845656afaee72120ec846e67fe369593601d45b9e7

SHA512
07291ecfd7381aad29bc143f7a06371ed8476956de978086b7d070de04ee26928f8485fdf55e987e962048bb413e605a121814b39c22dbdfd1172fc49a82477d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM840B.exe

Filesize
20KB

MD5
fad6df3e16063d313f8dd0c35509d864

SHA1
3c831c5b7a95c26429effcef525fffc6c0af99e5

SHA256
b3794a59e444b1b5ccf77ce0358fda3257fc1599ce3243edfdf571dd79dc64cd

SHA512
a5a773ef59d94f23765b585a15450c8890587e3df2cb57ee002c4d9cd3e050411a4a3a4f0de4e8da823227094a81e70dfe48e9e822814390ef12b7007ff30644

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD503.exe

Filesize
20KB

MD5
1486fe49ef98b4f39529441a3f0d62bb

SHA1
0f8290a1f2a310ecc1e5b7ec105d7a8393f71f70

SHA256
d5a5f905460107148b6c692019cf426af9c04e42b4f7cbd1f22ed67f50b5cd1d

SHA512
1bce60d26e5d2aa288b3e4ef57e7a859b34bc5a151dde838d40935c8e54bcb35db7a76feb342c886b2759193dab85c3600543ed436aa6b431bad9adcf72eae23

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD79E.exe

Filesize
20KB

MD5
3fd8d9ba382637356b979effe2023753

SHA1
a0d667bb88d638e782b0a7e82e996defbb705869

SHA256
5d4a1837a3b030b3b6d1a7d8e1d658329cd674ea5f6e76b51a28c93086ae606c

SHA512
aadb467de99184c4369b625e4000b9eef1ff5999a23f8cf21dc29a91bbc50b40f76e1b26addebef331049bb5b75a252e42f373cf9bf6c5743f3d7c0f00c8b9fe

Download Submit

Analysis

Sharing