0db0a94045f183b9ca9ddad472cb67d2669575d84ec90448ca0a7203bda4fd2f

General

Target

1b0a0d4364e478d488e3a315d4c9b526_JaffaCakes118.exe
Size

14KB
MD5

1b0a0d4364e478d488e3a315d4c9b526
SHA1

bf89c394c419c53e15b89a972f7e55a31bb68131
SHA256

0db0a94045f183b9ca9ddad472cb67d2669575d84ec90448ca0a7203bda4fd2f
SHA512

ed72da3901ad80e985c1180320b408a60d6cab20b77df0f7ac51a6dcbee128a235b36a1f62fa9e15c30a78e647526b64f8df9381664ea55706e5642dda11b07b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/w9E:hDXWipuE+K3/SSHgxm/KE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	1b0a0d4364e478d488e3a315d4c9b526_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEM88E7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEMDE69.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEM3459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEM8AD6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEME114.exe

Executes dropped EXE 6 IoCs

pid	Process
2044	DEM88E7.exe
412	DEMDE69.exe
5060	DEM3459.exe
4068	DEM8AD6.exe
772	DEME114.exe
3548	DEM3723.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2044	2828	1b0a0d4364e478d488e3a315d4c9b526_JaffaCakes118.exe	82
PID 2828 wrote to memory of 2044	2828	1b0a0d4364e478d488e3a315d4c9b526_JaffaCakes118.exe	82
PID 2828 wrote to memory of 2044	2828	1b0a0d4364e478d488e3a315d4c9b526_JaffaCakes118.exe	82
PID 2044 wrote to memory of 412	2044	DEM88E7.exe	91
PID 2044 wrote to memory of 412	2044	DEM88E7.exe	91
PID 2044 wrote to memory of 412	2044	DEM88E7.exe	91
PID 412 wrote to memory of 5060	412	DEMDE69.exe	93
PID 412 wrote to memory of 5060	412	DEMDE69.exe	93
PID 412 wrote to memory of 5060	412	DEMDE69.exe	93
PID 5060 wrote to memory of 4068	5060	DEM3459.exe	95
PID 5060 wrote to memory of 4068	5060	DEM3459.exe	95
PID 5060 wrote to memory of 4068	5060	DEM3459.exe	95
PID 4068 wrote to memory of 772	4068	DEM8AD6.exe	97
PID 4068 wrote to memory of 772	4068	DEM8AD6.exe	97
PID 4068 wrote to memory of 772	4068	DEM8AD6.exe	97
PID 772 wrote to memory of 3548	772	DEME114.exe	99
PID 772 wrote to memory of 3548	772	DEME114.exe	99
PID 772 wrote to memory of 3548	772	DEME114.exe	99

C:\Users\Admin\AppData\Local\Temp\1b0a0d4364e478d488e3a315d4c9b526_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b0a0d4364e478d488e3a315d4c9b526_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\DEM88E7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM88E7.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\DEMDE69.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDE69.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\Users\Admin\AppData\Local\Temp\DEM3459.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3459.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Users\Admin\AppData\Local\Temp\DEM8AD6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8AD6.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4068
      - C:\Users\Admin\AppData\Local\Temp\DEME114.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME114.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\DEM3723.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3723.exe"
        7⤵
        Executes dropped EXE
        
        PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3459.exe

Filesize
14KB

MD5
2af8cc247b02f4a3d02995a4f69c06c6

SHA1
79e92cb78deb142b6d30b7679fdcaa06bebb1319

SHA256
20b69844e32a6184a2afb7a0e16f4cfed0d0ec9c742aec5d05bdc48eacc4c392

SHA512
6433a5db1cf800b2db986f58d92bf2b8b3a28a8d4a849315456c41989c843d7130f1ae50a58ddfc19a342077930dce61ab084bffc18e851422314c907da9643c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3723.exe

Filesize
14KB

MD5
e7c4a47c4c7ec1f4f0b2cca6156cc08c

SHA1
e929abf8c53dada7e5e2f9e4ac34dea409ac2cc2

SHA256
d92b0cd0f64cbdc1689e4ab2c37e90a8a49d14ab44c651ecfb25f77bf0e5a36f

SHA512
d3579ec7f9e6bc55dd9bd629427e7ade10de9e4062365f57c7c0e70d8b4203988e00d9ca1abfc596c864fb2935cd41a84147150a6fc35d2bfb4fb46a9a20bec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM88E7.exe

Filesize
14KB

MD5
20ddc1d1283589a4af1c86ef184dfb6d

SHA1
cbc4aa971aebaa76513fb97013fc56ecb625fb94

SHA256
18e5f4d31814d914ac81b5f3000b2b0b6e37ca6153b7dcbeb31e45aa0f9f5b13

SHA512
5dc46186aa706697cca8ad606783bed5decbc8975d72d06bf8536a9870ccbeb7ee3f2f2e25e865ba5fb21508d70a48d06493285d5f268322d7967acdf0d36cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8AD6.exe

Filesize
14KB

MD5
6c66a84780683281d2041394b01a9cf0

SHA1
b80ea11f44839a51869c3f9cb823ffa9b527f5f5

SHA256
921ec07ff653f905b5f1604833bcaebf6d9348d13c0272f53f33c8f07fb0a825

SHA512
9d9ffd5060b74a4d00bb7d5802c413be2ee92b880ea45263d9f7f11ad6c8b8fd5c121b9bf23f2dab8157305df6b673c6221e46151f77cd56694bd996a63048a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDE69.exe

Filesize
14KB

MD5
42a7adae7b3d628ecd8d517330729cdf

SHA1
fbcac9eede1bfac5285c7fdd3afd2582a03226b1

SHA256
ab3cf5f40a27616d6f61cb2a96c73765f89819ef3993b0a4e971db11dc3cb4a8

SHA512
4f313e32276e0bc12469d1fc5c79e701d7b88fc380346415d2beabb4f81f3b198385be75777bc1795f83e532e297c51941beabd99a26d012648fb981a64549b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME114.exe

Filesize
14KB

MD5
2744c6ecc5362ee7b1aabd8beae2c672

SHA1
9688047345bbcbfc195d949ec7dd134b1d4f8b8c

SHA256
860b6d73ccad9bb2f2275e4c341c21b05de4976444d28ea560005ada0d4baf24

SHA512
8a7b0f41b6b7f2421770bc6e358af86720fdbf73378548f59505c34c19eee657d0c08f410ddd24f1db52d5431e69d64fe85d8b51f4d7d4e7a2db8e23be79e7ed

Download Submit

Analysis

Sharing