c89b736c4e7a4d989271a2a8217904fdcae3fa52abecd8a688ec2177ecff22d7

General

Target

ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe
Size

15KB
MD5

ff8fc259ff0fa909675f4bff59c38568
SHA1

b1b66f7bdc8885c50b47e3de9a70d254cd50f886
SHA256

c89b736c4e7a4d989271a2a8217904fdcae3fa52abecd8a688ec2177ecff22d7
SHA512

3bb78bbfa9860a781debef5b97f5c5882c379c61629fb0c1ade3c3f32b9a2e8471d5adcf5ab48e4189f999936a181f0a6ab3f6732786d9c9710c503afc870a1b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhhG:hDXWipuE+K3/SSHgxzG

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEM5E3D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEMB4B9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEMAB9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEM6126.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DEMB774.exe

Executes dropped EXE 6 IoCs

pid	Process
2140	DEM5E3D.exe
1688	DEMB4B9.exe
2188	DEMAB9.exe
5116	DEM6126.exe
2568	DEMB774.exe
116	DEMD54.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 2140	936	ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe	97
PID 936 wrote to memory of 2140	936	ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe	97
PID 936 wrote to memory of 2140	936	ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe	97
PID 2140 wrote to memory of 1688	2140	DEM5E3D.exe	102
PID 2140 wrote to memory of 1688	2140	DEM5E3D.exe	102
PID 2140 wrote to memory of 1688	2140	DEM5E3D.exe	102
PID 1688 wrote to memory of 2188	1688	DEMB4B9.exe	104
PID 1688 wrote to memory of 2188	1688	DEMB4B9.exe	104
PID 1688 wrote to memory of 2188	1688	DEMB4B9.exe	104
PID 2188 wrote to memory of 5116	2188	DEMAB9.exe	110
PID 2188 wrote to memory of 5116	2188	DEMAB9.exe	110
PID 2188 wrote to memory of 5116	2188	DEMAB9.exe	110
PID 5116 wrote to memory of 2568	5116	DEM6126.exe	112
PID 5116 wrote to memory of 2568	5116	DEM6126.exe	112
PID 5116 wrote to memory of 2568	5116	DEM6126.exe	112
PID 2568 wrote to memory of 116	2568	DEMB774.exe	117
PID 2568 wrote to memory of 116	2568	DEMB774.exe	117
PID 2568 wrote to memory of 116	2568	DEMB774.exe	117

C:\Users\Admin\AppData\Local\Temp\ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Local\Temp\DEM5E3D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5E3D.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\DEMB4B9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB4B9.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\DEMAB9.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMAB9.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Users\Admin\AppData\Local\Temp\DEM6126.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6126.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5116
      - C:\Users\Admin\AppData\Local\Temp\DEMB774.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB774.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\DEMD54.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD54.exe"
        7⤵
        Executes dropped EXE
        
        PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5E3D.exe

Filesize
15KB

MD5
e9ec10a2e78bfa8b85ffd7e3bbb87856

SHA1
e8d21540a730613e593bff8073753298eab10bb4

SHA256
f4336502a4931a5b96318acfbcc7a3528a179e2bf3fd00176389bb0855ddba28

SHA512
4fe9b7950e0e69a4ef2d993efe6c408a8fa690466716c9252f7a0992dfc990331cc6975cd3a54d4706b000e8ca4515d3883b0c31bd5e930ca9598664f04e73ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6126.exe

Filesize
15KB

MD5
1210db792548559d09e9d9ab68941035

SHA1
c770fec6ab85f8f65921909f671916213668c5ce

SHA256
e53c9555f4b3db50b717be9d1b2c5c20e68750ad3658f540d497f5ef7791e9b8

SHA512
d41ecb6b5af975a2ae8f8e9574f875bfa248575168377a64f7a96c82e8bc90ca9c046758f81786e09cf6a9218264a66b48ccaed57d32e9eac2701c864b3b7be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAB9.exe

Filesize
15KB

MD5
e0574cb5519a88142ceb503c834c25f1

SHA1
955c08fe3a9eda3cb6e0483c3be1fa2f315777e0

SHA256
e49328ca115b50f55c0e64e4e59b1a12eaa183dc12e820fd9d7347a4813aa243

SHA512
669c9b7ad12483e88c718ea9c2379f748c9d185d52581867342d6aa2173f02ad5f890013f7ffe2215383f176db530adeba4ecc625816529dae43bb6490b91aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB4B9.exe

Filesize
15KB

MD5
1d1a82a8f4d55122ac3dc80dff39c37d

SHA1
ed104f05442908de7d21a1becff27d12581a24d7

SHA256
df93a606d1003481b22c800dd910275dfb8866b83af16f52b6c83a2080cb169d

SHA512
b5a57715ef39ea7eb609b36cab179a08d91854242343781919b6008edf41434aeb83c57b7ed09113be965647f1b44232bf67792f04b2bfbe52126f65d33c1eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB774.exe

Filesize
15KB

MD5
e1083561868088a6c2c2f9ea15e04f0f

SHA1
ec9094ed2678f4fafeb91662f44ba89ba47723d6

SHA256
b6dec9a9a6ace80d2aadba256a801eeee2e5ac6b0689b2b48e769e539b93d59d

SHA512
b1e2894c40421bbb92e469d752f73a36ee0cce98ea9558873e82169d10ea1fc0543e076f906be78efcbd7cc819234e26113cf7f418790d6cbd9b44cbbad53f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD54.exe

Filesize
15KB

MD5
a902b1348bb6b6df1807619254683c01

SHA1
6ddcc926041492b42e9dc33fc2f911371d5be82b

SHA256
57a32c47731f0d67ba8f4e6ea58440fc834a9c39a195075f01496c0d424274a0

SHA512
c8ab907d39a47eb039026306ebe1c5acb209ff545ded87f91d1e71ae17a6b84d88fb5983634bd0d2ae76c065b1117e0255689a928df28479f13e1c40151f1295

Download Submit

Analysis

Sharing