5d6517729e3978320be8e4267bac4eb37a89cf98b1c19b369b12c816d96929d0

General

Target

100fce82f2901c328ade83de47f4d96a_JaffaCakes118.exe
Size

14KB
MD5

100fce82f2901c328ade83de47f4d96a
SHA1

f77ac502bc113c4f262ed39e1ef75f517e54bf0c
SHA256

5d6517729e3978320be8e4267bac4eb37a89cf98b1c19b369b12c816d96929d0
SHA512

e6695f3c56b4f669fa86b43fef98800374b81728af2ecd30820f7614dc1a73e753bcdf7e95722a5addd6e4c813583f78c311be79da549836b25aac3faca56090
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhD:hDXWipuE+K3/SSHgxR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	100fce82f2901c328ade83de47f4d96a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	DEM2A1D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	DEM800D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	DEMD5FD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	DEM2BCE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	DEM81DD.exe

Executes dropped EXE 6 IoCs

pid	Process
532	DEM2A1D.exe
4340	DEM800D.exe
2560	DEMD5FD.exe
4232	DEM2BCE.exe
656	DEM81DD.exe
2008	DEMD80C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 532	4976	100fce82f2901c328ade83de47f4d96a_JaffaCakes118.exe	94
PID 4976 wrote to memory of 532	4976	100fce82f2901c328ade83de47f4d96a_JaffaCakes118.exe	94
PID 4976 wrote to memory of 532	4976	100fce82f2901c328ade83de47f4d96a_JaffaCakes118.exe	94
PID 532 wrote to memory of 4340	532	DEM2A1D.exe	99
PID 532 wrote to memory of 4340	532	DEM2A1D.exe	99
PID 532 wrote to memory of 4340	532	DEM2A1D.exe	99
PID 4340 wrote to memory of 2560	4340	DEM800D.exe	101
PID 4340 wrote to memory of 2560	4340	DEM800D.exe	101
PID 4340 wrote to memory of 2560	4340	DEM800D.exe	101
PID 2560 wrote to memory of 4232	2560	DEMD5FD.exe	104
PID 2560 wrote to memory of 4232	2560	DEMD5FD.exe	104
PID 2560 wrote to memory of 4232	2560	DEMD5FD.exe	104
PID 4232 wrote to memory of 656	4232	DEM2BCE.exe	108
PID 4232 wrote to memory of 656	4232	DEM2BCE.exe	108
PID 4232 wrote to memory of 656	4232	DEM2BCE.exe	108
PID 656 wrote to memory of 2008	656	DEM81DD.exe	113
PID 656 wrote to memory of 2008	656	DEM81DD.exe	113
PID 656 wrote to memory of 2008	656	DEM81DD.exe	113

C:\Users\Admin\AppData\Local\Temp\100fce82f2901c328ade83de47f4d96a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\100fce82f2901c328ade83de47f4d96a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Users\Admin\AppData\Local\Temp\DEM2A1D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2A1D.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Users\Admin\AppData\Local\Temp\DEM800D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM800D.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\DEMD5FD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD5FD.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Users\Admin\AppData\Local\Temp\DEM2BCE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2BCE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4232
      - C:\Users\Admin\AppData\Local\Temp\DEM81DD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM81DD.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\DEMD80C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD80C.exe"
        7⤵
        Executes dropped EXE
        
        PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2A1D.exe

Filesize
14KB

MD5
210e6592a3358b21243bf6186748dff6

SHA1
e5c8b80cc06ef5aeb4b22ce1846a57a806daf200

SHA256
b317419074aae9aa612aae8825bdfce19afec5696f749e34d9bf5d3a1920857b

SHA512
29bccc448cb658f820ac059a32948a262c1c3a3589ea3e2e12b6b1a65905cff60423b362ed0e38deb7e6d5f3031b1a1bfe7c2eb81f622e674b8fe4325c67b873

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2BCE.exe

Filesize
14KB

MD5
246d1423f505586f3f92f18a8a73f2ca

SHA1
23c340dc2edd2c922717f4245183800efb242212

SHA256
64eb7135232632ffa4e9130f1b608be99c5aeaea1e2be278c937ab6c7561ff65

SHA512
4cf5c1ac576180667eddbcb28885a0ec72c74a6a1926c7de831ed46591930818f11b9ddc8195dd4dce72f8e3c5023ef94928c1e503ac6378a74dcb6dca17f9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM800D.exe

Filesize
14KB

MD5
26ff48ac41ef2a55dbf2d13f50f53377

SHA1
31c1f77f06baff973e45f481d059abc609f87da6

SHA256
359092a37c62f00e8b503d2de08ef9d443d707ddbfe7ad80303a448abef9f4c7

SHA512
2e0e39b24674a37ed3923e9abd7f877c6470dfff06117f1e51a63fea0137d7343c271fe69aefcd39ad86cba0841e7518fd5d78368312d9f27d94b7dabac81321

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM81DD.exe

Filesize
14KB

MD5
9c89059248d23ab72d63896bc70a74f5

SHA1
f12627c7379e83c107b12f67641b4a2b6e549250

SHA256
39e686f7d6e4a91a7fdc68d0744f81b30c30f875684ea9a3a26b807c8a6a8a42

SHA512
47f2b21790ca83606d231dde00f5fd493b4fcd75cb01a6b447b856dc1ceb97d04e4a190f46c432180e8154c87e290f77e4784d7f235e7ca1c1d2b2a263c27dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD5FD.exe

Filesize
14KB

MD5
892f62754118c9d368adc0d5b89068fa

SHA1
95f62d1ad0fe559324d9da9aa9b52306f5af0c21

SHA256
904a0847878b67748ecda4bcb7dff3acb8b568c0e637ebca361bfbef5dcde4cc

SHA512
45f2af6b2af6a277413bed3d703a36404c41fe14f0f36ec59ca05e4954134eade27df6e6376afc611783d40137c1d95ad6ffe9b3aa0cd375cd9d05f8bb16623f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD80C.exe

Filesize
14KB

MD5
78b40b1275eb5f29d08ad99e37784338

SHA1
8ec0076a399d0e806aee1f57213b7048e1eb4239

SHA256
e5cb0d5b1859baf3d822e266d8dd3465854aa827cb3ae8f88e34056ef92c75d0

SHA512
44251784c781d16c68ea7c8846fbe998de47652974809ca55151d7e2fd9e514817fbcb5a314ddc807cdb3133163fdf8114553ff1b5f21d1f10232730e00f2d77

Download Submit

Analysis

Sharing