a0be0dfd4fbd858015f8f6719eeb5fca7319724c47e2dfa0648c19169ffe5219

General

Target

0c775c3c8b4b980a0d1e0bd80da8f358_JaffaCakes118.exe
Size

14KB
MD5

0c775c3c8b4b980a0d1e0bd80da8f358
SHA1

03d26de2a0076067fd215bf5a2934380fb30ef3d
SHA256

a0be0dfd4fbd858015f8f6719eeb5fca7319724c47e2dfa0648c19169ffe5219
SHA512

df73b600257d8053c9b857385b8881bc90b56c6aeb750e48dca915aa4c2eecae3cae95118ea39b8dba5c32c8a33051236f8b9c717e04a607b80ef4ca9bfbd21c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0p6KoF:hDXWipuE+K3/SSHgx4QVF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0c775c3c8b4b980a0d1e0bd80da8f358_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEM3A3A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEM9049.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEME687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEM3D14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEM9371.exe

Executes dropped EXE 6 IoCs

pid	Process
3848	DEM3A3A.exe
812	DEM9049.exe
2496	DEME687.exe
3112	DEM3D14.exe
4328	DEM9371.exe
3852	DEME990.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 3848	2680	0c775c3c8b4b980a0d1e0bd80da8f358_JaffaCakes118.exe	81
PID 2680 wrote to memory of 3848	2680	0c775c3c8b4b980a0d1e0bd80da8f358_JaffaCakes118.exe	81
PID 2680 wrote to memory of 3848	2680	0c775c3c8b4b980a0d1e0bd80da8f358_JaffaCakes118.exe	81
PID 3848 wrote to memory of 812	3848	DEM3A3A.exe	85
PID 3848 wrote to memory of 812	3848	DEM3A3A.exe	85
PID 3848 wrote to memory of 812	3848	DEM3A3A.exe	85
PID 812 wrote to memory of 2496	812	DEM9049.exe	92
PID 812 wrote to memory of 2496	812	DEM9049.exe	92
PID 812 wrote to memory of 2496	812	DEM9049.exe	92
PID 2496 wrote to memory of 3112	2496	DEME687.exe	94
PID 2496 wrote to memory of 3112	2496	DEME687.exe	94
PID 2496 wrote to memory of 3112	2496	DEME687.exe	94
PID 3112 wrote to memory of 4328	3112	DEM3D14.exe	96
PID 3112 wrote to memory of 4328	3112	DEM3D14.exe	96
PID 3112 wrote to memory of 4328	3112	DEM3D14.exe	96
PID 4328 wrote to memory of 3852	4328	DEM9371.exe	98
PID 4328 wrote to memory of 3852	4328	DEM9371.exe	98
PID 4328 wrote to memory of 3852	4328	DEM9371.exe	98

C:\Users\Admin\AppData\Local\Temp\0c775c3c8b4b980a0d1e0bd80da8f358_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c775c3c8b4b980a0d1e0bd80da8f358_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\DEM3A3A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3A3A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Users\Admin\AppData\Local\Temp\DEM9049.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9049.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Users\Admin\AppData\Local\Temp\DEME687.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME687.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Users\Admin\AppData\Local\Temp\DEM3D14.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3D14.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3112
      - C:\Users\Admin\AppData\Local\Temp\DEM9371.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9371.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\DEME990.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME990.exe"
        7⤵
        Executes dropped EXE
        
        PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3A3A.exe

Filesize
14KB

MD5
0a00c3685cb931adeeb405f281e8fd33

SHA1
7d7c1664539b0631e4c6641b66eebf8e35fef3e9

SHA256
af04cdc4a673c43a4c3c7901718949e9a342b5e3e8b7efe3be0db7807af60cdc

SHA512
f6c9a0fc34dffbce63e06f8694652dc4052c06843c3621c11d5b1ab36dcf23e27c79d04abcff4d7c675ccb837da737ad16e889048ae801c48c53074ce82e7b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3D14.exe

Filesize
14KB

MD5
f071690faf726f76016c501a25b1d7c0

SHA1
f55e05ff4a9d0d6b4cacb3f86faefa15893942a5

SHA256
83540366921de161dd5f66d4aaa115430955e17a514384b45323309d0f6262aa

SHA512
bd802879b345ac3cbb6b0853250d3f42f6f48b72217477fe680fb6451552eb2755aafeaeaadbdb7a751cdcba37bc79a6ee6b05b455c2c5e16601eeb2208eb202

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9049.exe

Filesize
14KB

MD5
b3214dcfa4f402367faa17bca09a419e

SHA1
00cfed2aad13753a04de80dab24e61cae43b6a97

SHA256
bf41679dfc8ee10577c3fcef51fc60fe4b1c901679c1bac2290053fa2b3882e5

SHA512
80f3a7fd9fa8121186c2e1367914596c7995b4f564c6479dcf1756c41365bc0d90ede4425d86e9369e0309536018889702dd9e8474e76b3635cceb965d0c5250

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9371.exe

Filesize
14KB

MD5
4f4016a93e83f2d8ad8c90e815ec082b

SHA1
03419a3ddc3b89bf60510610d725834656da1592

SHA256
bdc8e5b112d8bbbfbf2e477d23d5a42059c9102e194c2d6f257b06b07e45994e

SHA512
4fb05cd9e2ca73548464f0883f6222821baef363b2f34e25e712a8cb17a5fea0508f0ce7f5ee90c5c7c164002c492316ab5e02037a5427378358f188808cdd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME687.exe

Filesize
14KB

MD5
72a0d3ed82fe9dc37919581d5e19a0f8

SHA1
aa29dbd820e667145c76d05f72a44452e9db9bf7

SHA256
4474c17dae9293a4f71ff306780774c090f9351a93ec38cf4cbe3bbde9d198a1

SHA512
2523dd2136b5fd99579d54c307755d77146c4f254297499e7c0d98db62a3a6a90396546fd4877f14aa34fd48dbc8c2303ef81f25754170887a379b2cf1e81265

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME990.exe

Filesize
14KB

MD5
ee9f7938ebe008ebdda3407057410b93

SHA1
0c6a8828c9a10516111a58f47b30dfc6d25f32da

SHA256
856d7b63f132dfff60d0ecaca7804ec8cff321db5e96125a6e28250a7856799a

SHA512
4538792eadb08d1a332fa3248198911b6b6dee2e2bd64bb410b6dbd195519cc215513731ea8d334ddc88296b19e77a11b0842392978dae3f07f1fbb1031dcf4c

Download Submit

Analysis

Sharing