f9ba592ada8437b603a30de56db0277e03ec9f60e8053c49ee4a8264f3f14de3

General

Target

15e4bf4b762bba00ce17ce250709fec2_JaffaCakes118.exe
Size

14KB
MD5

15e4bf4b762bba00ce17ce250709fec2
SHA1

18b17c7d94ce7695c2b0af4d70ad709f479fba9b
SHA256

f9ba592ada8437b603a30de56db0277e03ec9f60e8053c49ee4a8264f3f14de3
SHA512

cfeca2da509ecec1e5bc785f24b496a2a9011f5066e2fd927aad838453da2f0fc0dd88ad610fb16885f907af2f3289a665d93d4bc04a0079875ed7a6b1f27851
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYD+:hDXWipuE+K3/SSHgxmD+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	15e4bf4b762bba00ce17ce250709fec2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEM42F4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEM99A0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEMF01D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEM465B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEM9C6A.exe

Executes dropped EXE 6 IoCs

pid	Process
4604	DEM42F4.exe
4596	DEM99A0.exe
628	DEMF01D.exe
2852	DEM465B.exe
2360	DEM9C6A.exe
1744	DEMF2D7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 4604	4196	15e4bf4b762bba00ce17ce250709fec2_JaffaCakes118.exe	89
PID 4196 wrote to memory of 4604	4196	15e4bf4b762bba00ce17ce250709fec2_JaffaCakes118.exe	89
PID 4196 wrote to memory of 4604	4196	15e4bf4b762bba00ce17ce250709fec2_JaffaCakes118.exe	89
PID 4604 wrote to memory of 4596	4604	DEM42F4.exe	93
PID 4604 wrote to memory of 4596	4604	DEM42F4.exe	93
PID 4604 wrote to memory of 4596	4604	DEM42F4.exe	93
PID 4596 wrote to memory of 628	4596	DEM99A0.exe	95
PID 4596 wrote to memory of 628	4596	DEM99A0.exe	95
PID 4596 wrote to memory of 628	4596	DEM99A0.exe	95
PID 628 wrote to memory of 2852	628	DEMF01D.exe	97
PID 628 wrote to memory of 2852	628	DEMF01D.exe	97
PID 628 wrote to memory of 2852	628	DEMF01D.exe	97
PID 2852 wrote to memory of 2360	2852	DEM465B.exe	99
PID 2852 wrote to memory of 2360	2852	DEM465B.exe	99
PID 2852 wrote to memory of 2360	2852	DEM465B.exe	99
PID 2360 wrote to memory of 1744	2360	DEM9C6A.exe	101
PID 2360 wrote to memory of 1744	2360	DEM9C6A.exe	101
PID 2360 wrote to memory of 1744	2360	DEM9C6A.exe	101

C:\Users\Admin\AppData\Local\Temp\15e4bf4b762bba00ce17ce250709fec2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15e4bf4b762bba00ce17ce250709fec2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Users\Admin\AppData\Local\Temp\DEM42F4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM42F4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Users\Admin\AppData\Local\Temp\DEM99A0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM99A0.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\DEMF01D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF01D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:628
    - - C:\Users\Admin\AppData\Local\Temp\DEM465B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM465B.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Users\Admin\AppData\Local\Temp\DEM9C6A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9C6A.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\DEMF2D7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF2D7.exe"
        7⤵
        Executes dropped EXE
        
        PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM42F4.exe

Filesize
14KB

MD5
9da18b187d490770666a72e0ac725b8a

SHA1
06f78a8d9e87d36c47debd8b17d7d5848c23645f

SHA256
a4cbd4978df168ea886d73ffa09961978116a69784c843ded5704b5fe5eb64ac

SHA512
e2a3818b56f7a7dac26e35941399245838bcda6b7a75caddb8a0e79cecdc9d9961908265441979590a8b1813954a2cd4c1a7828fe133aa6d22cf8d87b814ce9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM465B.exe

Filesize
14KB

MD5
3f2017c66419b85ead766519e73bbac6

SHA1
e7a5ae7bae3642e923d682f85e7cea2fa1d6eb94

SHA256
23e94a42922542156461cf6f2cd1ca80bc7823a0ccec522b9cc3316ddac45f3d

SHA512
524009be571f32525ab97411ff6be61ba887116ba80d6e93049a85d2cb016d8fef609765850abbc21c1838bfc16c02b9e47dc3f59d35f267029fb7f35388b0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM99A0.exe

Filesize
14KB

MD5
4e1f99bc97ecdd66a28aafc33b4771dd

SHA1
e029d9f3b457defd9375eedff8ea10e31ec8a2e0

SHA256
574d5d7e2f6ec97eade5f8946ab0b19a1673cc088772915b9fa38eea7ad4749a

SHA512
c7b36cf18c19dd9c25001383a3090bbb8fea8fed182747dc5a474fcd39ea615ba75db0bc4c6cfbd4fe888398f9d548504adcbc392d2e7333e6cd65089beb74bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9C6A.exe

Filesize
14KB

MD5
64b62d7d4c91c9081db5283265c9ed9d

SHA1
efe0a08d99ab2dd4566e5a818bfbb394d1057ea4

SHA256
58e98eb9055046a942471381398cf5dce1411b12a0aa492e0510eb9d2ab29d1b

SHA512
b4c7356ad390f267084ac354fe51489c773cc5ae1a684a05fe2d216c17a9e425df3b7b94079356c81ec69cae84e8fcc3c3e152935a540f158ef57c31b60dc247

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF01D.exe

Filesize
14KB

MD5
0eb821943712a44b7bbaa79bc3828c00

SHA1
3edc6b14f584224f6924f43ef5b0a127bca4fe78

SHA256
af0d098ed9c47c37d68f33c02f7f881403acaaac1c4519e7a40f03a1c77855b3

SHA512
35ccc9c1ddb7d274281119d885135aae12c186c77e6283e47aadf44295463670be1814b816bc11358d27dec4c5d2ce9db6dd811d13854c9b62fce879e01f9393

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF2D7.exe

Filesize
14KB

MD5
8c5b281735561f5173b01acd8ca33903

SHA1
f890036e2c0a3ce5fbf7c3fdb131c84067365105

SHA256
c21e85a36fbdd19be28888d97f1851ec2410f51c79e60849f710b687780a503e

SHA512
c083ff432af736acf2048f0f9ac102b78fd8a5f2ee86a4582efeaaee1510283ca9d7a75997d3e6afd925e8482a18c3e1a1711e33a69a01129c29cd14e990600d

Download Submit

Analysis

Sharing