71a6f5ce884e108ee0a02d453e91beca10021ce4d56a1cea16994ce732e3de74

General

Target

150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe
Size

14KB
MD5

150905c22aba1839292edc2a59e4b2f8
SHA1

22df283ac4a6b45d33f738bcf5ed1370a974448d
SHA256

71a6f5ce884e108ee0a02d453e91beca10021ce4d56a1cea16994ce732e3de74
SHA512

2074a83ab71afdfb936d6bf5d68515ccec8f616e78651d832c12ae04f486cafa3f459f3baf03657252083a54c9305f4e881c3c9a9c3fbfb4d1377d0b2d079801
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlbv:hDXWipuE+K3/SSHgxmlbv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEM4BFD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEMA27A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEMF8E7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEM4F73.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEMA5EF.exe

Executes dropped EXE 6 IoCs

pid	Process
4796	DEM4BFD.exe
1536	DEMA27A.exe
3936	DEMF8E7.exe
3644	DEM4F73.exe
4776	DEMA5EF.exe
3328	DEMFC5C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 4796	3860	150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe	82
PID 3860 wrote to memory of 4796	3860	150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe	82
PID 3860 wrote to memory of 4796	3860	150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe	82
PID 4796 wrote to memory of 1536	4796	DEM4BFD.exe	86
PID 4796 wrote to memory of 1536	4796	DEM4BFD.exe	86
PID 4796 wrote to memory of 1536	4796	DEM4BFD.exe	86
PID 1536 wrote to memory of 3936	1536	DEMA27A.exe	93
PID 1536 wrote to memory of 3936	1536	DEMA27A.exe	93
PID 1536 wrote to memory of 3936	1536	DEMA27A.exe	93
PID 3936 wrote to memory of 3644	3936	DEMF8E7.exe	95
PID 3936 wrote to memory of 3644	3936	DEMF8E7.exe	95
PID 3936 wrote to memory of 3644	3936	DEMF8E7.exe	95
PID 3644 wrote to memory of 4776	3644	DEM4F73.exe	97
PID 3644 wrote to memory of 4776	3644	DEM4F73.exe	97
PID 3644 wrote to memory of 4776	3644	DEM4F73.exe	97
PID 4776 wrote to memory of 3328	4776	DEMA5EF.exe	99
PID 4776 wrote to memory of 3328	4776	DEMA5EF.exe	99
PID 4776 wrote to memory of 3328	4776	DEMA5EF.exe	99

C:\Users\Admin\AppData\Local\Temp\150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Users\Admin\AppData\Local\Temp\DEM4BFD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4BFD.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\DEMA27A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA27A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\DEMF8E7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF8E7.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Users\Admin\AppData\Local\Temp\DEM4F73.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4F73.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3644
      - C:\Users\Admin\AppData\Local\Temp\DEMA5EF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA5EF.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\DEMFC5C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFC5C.exe"
        7⤵
        Executes dropped EXE
        
        PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4BFD.exe

Filesize
14KB

MD5
7695c8688d81360ee7dcd8681102760a

SHA1
4b49ef66c7438c1d18e571c7d3a4a47f24b14d23

SHA256
696c43ce3250470df1bf533dc37582042228761b1c3d208776f605598853a0be

SHA512
9ef125ba9e1630c5c4fde4be98fd75b7f4535d6ed2a1ae7f5b2ca3b5e3100b54da355c5f393e76f1fa52ed346284ace26383d9bfd8a66cd60feb21b3f2623349

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4F73.exe

Filesize
14KB

MD5
411588a5832869bd909f8ba840286c57

SHA1
08dd4411100d20e86f9805a4bfc1e67906d44e4c

SHA256
0ab89a28675458d9ecf3fbc4ab5508d8cb389312760ec61146b6f31cc76bedb5

SHA512
2eeb08b0581cf75a889d8c455f71b613e638003262932a70189826a45b3771ba87ff2359bc20421d535314bc35534f083fbafe03a59bd870b1b53722186b830e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA27A.exe

Filesize
14KB

MD5
1d616885af36c8cb63057d637c7e871b

SHA1
d8d25405056e5faa5218aee2d20cbdfdaf75b51a

SHA256
6af03e9d93f93f1e6388e583254f7ee39a43fdc2d33e7836df59ac1a8457b5bb

SHA512
86bf351f692b66660ca7ebf7d500749034eedc73265c75381389961d41adf2724e2812a002acb7f289a78221946ff7ccf1a83b0488ca7e09a0fa0d995ba9ef75

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA5EF.exe

Filesize
14KB

MD5
2665648d61ab2c2eac9785d806c578e2

SHA1
47123cb47368a0f1e73960030353f31f16f20089

SHA256
6bd623f3e62873a240a5101205484e192f39a961b744eca9341d9d0786671c83

SHA512
9e3c38c56d1af721f53f6b9a7fadecff573fa833662036447f6695d91478ec1959273b4cb4f789a3175fc68586771939916cbf26b8beb06269cfa4e06860ccfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF8E7.exe

Filesize
14KB

MD5
0ea3dd68e1f8ac42502fcde9db31f8f4

SHA1
30d009ad738f0d068c8116cf30d0dd7a328228e5

SHA256
cdf95c6bf7695a159c9bc528c9e9a747e8336f7f411ab0a1b80c3e324ce66697

SHA512
a676786df02fbaa121ff5b483239c2d2ca75731ddb87de7e117f2f1823520617462292391ed1fbe975d88f40285446230e04a69a2771a8275b0fb06ca9ed408d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFC5C.exe

Filesize
15KB

MD5
44e53b10870e06855300c51aa72836ec

SHA1
6fb4084619f9edf26b84db5352a505710279c685

SHA256
fd7c70d2805c3f027d7f081c4ad5599e57e84561d25db2eabda574aeb5b173b4

SHA512
1b4969e9d1ac3156aa78441fe71038c40b9b7d769719e780ef64599cdb9ff3bd83d774b48183ac1db44974de16d13e13d960769e6885009e34f4aa5c71435bed

Download Submit

Analysis

Sharing