0ed2664d5c96f4d49aaeec64535a772184b94e26b5beabccd8e3b2c49138acea

General

Target

1476221ad6460f006d2cb67035b4be98_JaffaCakes118.exe
Size

14KB
MD5

1476221ad6460f006d2cb67035b4be98
SHA1

5e012b7bb1f36dbefc23444018d4930521b4b10d
SHA256

0ed2664d5c96f4d49aaeec64535a772184b94e26b5beabccd8e3b2c49138acea
SHA512

fd6a8b8a60daf568a795364c8c5550d63b8d0ef3fed26dcd4368fb4b5b452368db86d3525833ce0573971589b042b2633cee42af113317c657c40696d84d7053
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5P:hDXWipuE+K3/SSHgxl5P

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	DEM8CFE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	DEME30D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	DEM38FD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	DEM8ECE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	1476221ad6460f006d2cb67035b4be98_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	DEM36BF.exe

Executes dropped EXE 6 IoCs

pid	Process
4756	DEM36BF.exe
1764	DEM8CFE.exe
3748	DEME30D.exe
3752	DEM38FD.exe
3056	DEM8ECE.exe
4344	DEME4FC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 4756	2220	1476221ad6460f006d2cb67035b4be98_JaffaCakes118.exe	95
PID 2220 wrote to memory of 4756	2220	1476221ad6460f006d2cb67035b4be98_JaffaCakes118.exe	95
PID 2220 wrote to memory of 4756	2220	1476221ad6460f006d2cb67035b4be98_JaffaCakes118.exe	95
PID 4756 wrote to memory of 1764	4756	DEM36BF.exe	100
PID 4756 wrote to memory of 1764	4756	DEM36BF.exe	100
PID 4756 wrote to memory of 1764	4756	DEM36BF.exe	100
PID 1764 wrote to memory of 3748	1764	DEM8CFE.exe	103
PID 1764 wrote to memory of 3748	1764	DEM8CFE.exe	103
PID 1764 wrote to memory of 3748	1764	DEM8CFE.exe	103
PID 3748 wrote to memory of 3752	3748	DEME30D.exe	105
PID 3748 wrote to memory of 3752	3748	DEME30D.exe	105
PID 3748 wrote to memory of 3752	3748	DEME30D.exe	105
PID 3752 wrote to memory of 3056	3752	DEM38FD.exe	113
PID 3752 wrote to memory of 3056	3752	DEM38FD.exe	113
PID 3752 wrote to memory of 3056	3752	DEM38FD.exe	113
PID 3056 wrote to memory of 4344	3056	DEM8ECE.exe	118
PID 3056 wrote to memory of 4344	3056	DEM8ECE.exe	118
PID 3056 wrote to memory of 4344	3056	DEM8ECE.exe	118

C:\Users\Admin\AppData\Local\Temp\1476221ad6460f006d2cb67035b4be98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1476221ad6460f006d2cb67035b4be98_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\DEM36BF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM36BF.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\DEM8CFE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8CFE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\DEME30D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME30D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3748
    - - C:\Users\Admin\AppData\Local\Temp\DEM38FD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM38FD.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3752
      - C:\Users\Admin\AppData\Local\Temp\DEM8ECE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8ECE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\DEME4FC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME4FC.exe"
        7⤵
        Executes dropped EXE
        
        PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM36BF.exe

Filesize
14KB

MD5
5a717a001ff1c9ecca816f422607b5bf

SHA1
b9df53526295a021f8f2022d81aeff2d005699a3

SHA256
acc5259185be48c66134f03e4a5f6c7fa52dbd9f5749c1adb2e19c878679d41d

SHA512
1110f7bf1a817142453e3cef93dea19f33f039c7d9cc7749b4f12b28055e5c4dcaf2ec42f2193c43330a61e9d62b8094724bb9316043a86f3b3f229caa174233

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM38FD.exe

Filesize
14KB

MD5
22cd8efa4b73d4d19714e98b7999ad7f

SHA1
c42c5087f953aa72943289b35974e9cd3bb2c585

SHA256
fbfb6567165b2b7aa06e7349f993126ab8b74c8d22a645afaf690833328840f7

SHA512
fcc397a5f2edbffa5f911b2e89a33bcc97efafdf35afd6305d82a7e19d2660c0b0efe319d4ecbe567893a72325a9c24b369a94bbec3657f5b698435d681a1cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8CFE.exe

Filesize
14KB

MD5
e3382620e7e1fda9346a086d0b7bb7c1

SHA1
327fcaaa61fa03f260ce77560e24181b80cf74e9

SHA256
690da39d0d5a57fe54f21d5dcdece8a854d0c78d8e948343e28b6fec380eff3e

SHA512
665d51938cd0a85e2a658e86e13b5cb08852bff518501f85944cead3c8c8878edd19f7036fb89aa31cacf5a28f61d4eaebb65ee873e8f6d4d2f3d4c545d178ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8ECE.exe

Filesize
14KB

MD5
2b856279de560f08beb232df3f58bfa1

SHA1
869120ff3f4d82de71fad686e6f6fa8c8ea3394d

SHA256
935c43a4e51b84c576c61ddcc02a4dcfe1e9ae5a4459d4492f0d7ecd7185266a

SHA512
c801709defb1323555aeffb25d552808afad07b358bc29e468f501e71fc90cac903a9f547e82c3a002e54f2db8e81b8f3cea13c7b30a1cf62ac592e31db88493

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME30D.exe

Filesize
14KB

MD5
13cbb42c603a0557181bad5a2b09d7b8

SHA1
8fcbae07750aaa0ced160c9814594f93a42738ea

SHA256
8d064a23eeffbae14722be4ea0eb1e188dc6245011d9892bf818ef83c4e0c2a5

SHA512
fe78837600a28415753ea3940c541ddb3f5e0ae1ee761e14ae0e0e540b298f66a8ec1af20059ea352989ea4376dbb33513f963c99c92808e818a6c02f2bb2aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME4FC.exe

Filesize
14KB

MD5
2fd22c922921a3e6a102fdd9f9eaceac

SHA1
aa071ba3df1817d0804478698b32eea83c026795

SHA256
af06c7cb63e79c8641d1487fd54bd7958db41005fae86afe865fdd5a5518520c

SHA512
091e63f109d2a7ff7182603a302b52474b0bfd2e3b2e0000a78b09dc973566eb8173d916612dcd472e0cc7d73a3002171d0a25c2906e66fc9d0a0aef6d0e1823

Download Submit

Analysis

Sharing