a1c84cf4f33d8626e2395c81868fe38907742686efe30a8192c5c9fea194eb1b

General

Target

07a179275272eaedd0bc8de4db091ab6_JaffaCakes118.exe
Size

15KB
MD5

07a179275272eaedd0bc8de4db091ab6
SHA1

b54b8e361edb7961bb91b819b77c8d5eb4063833
SHA256

a1c84cf4f33d8626e2395c81868fe38907742686efe30a8192c5c9fea194eb1b
SHA512

21b0c9e6db0c3523ea4b207c0ae307fe7d9dc91b6eafeb603ec7941e41a09b13881464b243f1e7fff8c4d25c8bbc293f87269208564cd03510b74412cab675aa
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8x:hDXWipuE+K3/SSHgxm8x

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	07a179275272eaedd0bc8de4db091ab6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEM4F29.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEMA577.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEMFBA6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEM5222.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEMA880.exe

Executes dropped EXE 6 IoCs

pid	Process
1684	DEM4F29.exe
3164	DEMA577.exe
60	DEMFBA6.exe
2652	DEM5222.exe
2736	DEMA880.exe
3200	DEMFE9F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 1684	4932	07a179275272eaedd0bc8de4db091ab6_JaffaCakes118.exe	81
PID 4932 wrote to memory of 1684	4932	07a179275272eaedd0bc8de4db091ab6_JaffaCakes118.exe	81
PID 4932 wrote to memory of 1684	4932	07a179275272eaedd0bc8de4db091ab6_JaffaCakes118.exe	81
PID 1684 wrote to memory of 3164	1684	DEM4F29.exe	85
PID 1684 wrote to memory of 3164	1684	DEM4F29.exe	85
PID 1684 wrote to memory of 3164	1684	DEM4F29.exe	85
PID 3164 wrote to memory of 60	3164	DEMA577.exe	92
PID 3164 wrote to memory of 60	3164	DEMA577.exe	92
PID 3164 wrote to memory of 60	3164	DEMA577.exe	92
PID 60 wrote to memory of 2652	60	DEMFBA6.exe	94
PID 60 wrote to memory of 2652	60	DEMFBA6.exe	94
PID 60 wrote to memory of 2652	60	DEMFBA6.exe	94
PID 2652 wrote to memory of 2736	2652	DEM5222.exe	96
PID 2652 wrote to memory of 2736	2652	DEM5222.exe	96
PID 2652 wrote to memory of 2736	2652	DEM5222.exe	96
PID 2736 wrote to memory of 3200	2736	DEMA880.exe	98
PID 2736 wrote to memory of 3200	2736	DEMA880.exe	98
PID 2736 wrote to memory of 3200	2736	DEMA880.exe	98

C:\Users\Admin\AppData\Local\Temp\07a179275272eaedd0bc8de4db091ab6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07a179275272eaedd0bc8de4db091ab6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Local\Temp\DEM4F29.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4F29.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\DEMA577.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA577.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Users\Admin\AppData\Local\Temp\DEMFBA6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFBA6.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:60
    - - C:\Users\Admin\AppData\Local\Temp\DEM5222.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5222.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Users\Admin\AppData\Local\Temp\DEMA880.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA880.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\DEMFE9F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFE9F.exe"
        7⤵
        Executes dropped EXE
        
        PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4F29.exe

Filesize
15KB

MD5
95e654f4d55671c36972077011e39da9

SHA1
0a9df52d4a019bf8f0303411544b2fa1b1cc7b63

SHA256
c27f858ae9e1105e304e070bb4725fb2c5cdc18cde7a4f3570b78c183cae9f53

SHA512
a3e7975b5cf4194f8384b023ba88abc0f4d96e65f829e6349be11d9af7d4e38f38805d32ce193e5feb762eca195f464837080fe398bf2133d4b59d66b3d9c00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5222.exe

Filesize
15KB

MD5
98b4cd881175e24c14e19e49ca8ec0e1

SHA1
acc8550e5ca168faae730c39395aca035e177d2a

SHA256
2f1186c7eca344be280262477ed24dc94d168c5ec585f90afc750d25dcc5c2c7

SHA512
ee439a40cdb409e1227241aecd1010b7a2805032cdf0030474e13b55da77b839d3df35f40270b806970cbad6abda96955d7378f39e4d8ccc4d9382bf748d5a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA577.exe

Filesize
15KB

MD5
4fab08d4484689a9d6ea82440b1f3403

SHA1
109edeff4224b091744dbac8231dfb37bd7b26f4

SHA256
08175e250bcd62a099c420b00ab269d5e85bc046f19ed275cc68d7ee3bb89673

SHA512
d0e34c6b5f28184bdd8e93e7f57dcccfa28bf12d4511dd25a42e8cc7cec13b3c943e26a674f9b3fdf9c776d891f8502b09718d74a2da265ddeaa3327962e102b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA880.exe

Filesize
15KB

MD5
ea0f980c0530b9c2179a492e8848be32

SHA1
d741348f126c6b25a38c26d0cee7355e1b30cc96

SHA256
77ae2c36acc7a1334c6b340fdfd1fea7afd8cc157446322e7a7599951ef905ba

SHA512
ce7694460558cc9ae7a5b8a94b84e93037b2d17d1e93483c2b629207b5c7f9368c0fee57cef17bed618a27b57a2c793b713a29c3b0a83276d64ed138e81468d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFBA6.exe

Filesize
15KB

MD5
b52844805f075eeec55a4215c6f4cdb0

SHA1
f76922ad32a3f5447e54792fd17576717c110af3

SHA256
c4e359421ba27e42fb40eb5c039bc95a5839387161e459f6543c1a4258783402

SHA512
bcaf56f7243a2d988bac613e7de7e09620964c5c43d2e3a4fc76426672b4054420afae9af759df4522b0ff95d900ab40cc4c53851d29d6d37b1911599ad1256c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFE9F.exe

Filesize
15KB

MD5
60b6003afea72e1f1d7151b7bf2414e6

SHA1
38d7d47e46f6f09ca17685f6918a3d69b73030bc

SHA256
0274205bc499eefc6cdf0830d70c4841fff80e0f7f885eed61c4da326c6a11a6

SHA512
90b0d9bce55febf8b4b71feb4bfb9d83c9d22e0ffb2bbaf20a12c3324301238f0dd399cdfa59a29c1466adc167d7d0963966bfdc858a91138720f75c38df9348

Download Submit

Analysis

Sharing