a8ec0e90fbce2db4559af4178aeea8c6a4df7311e4e56baf3ac963100276838e

General

Target

1b896a595788018fc0393e612a6957de_JaffaCakes118.exe
Size

14KB
MD5

1b896a595788018fc0393e612a6957de
SHA1

5453bcb34903b0b36904e900569738dd90624698
SHA256

a8ec0e90fbce2db4559af4178aeea8c6a4df7311e4e56baf3ac963100276838e
SHA512

5155a7484bc379f361355ede3d9989698c842b806edf2262944fc38e70768a687d8cbc0066621e18300cf2e1c9d8c77fc7d45975fadc3764ca46a0f214863af5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYuoi:hDXWipuE+K3/SSHgxmBi

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	1b896a595788018fc0393e612a6957de_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEM4621.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEM9C8E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEMF2CC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEM4968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEM9F96.exe

Executes dropped EXE 6 IoCs

pid	Process
3432	DEM4621.exe
3912	DEM9C8E.exe
4308	DEMF2CC.exe
3828	DEM4968.exe
3144	DEM9F96.exe
1512	DEMF603.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 3432	1512	1b896a595788018fc0393e612a6957de_JaffaCakes118.exe	83
PID 1512 wrote to memory of 3432	1512	1b896a595788018fc0393e612a6957de_JaffaCakes118.exe	83
PID 1512 wrote to memory of 3432	1512	1b896a595788018fc0393e612a6957de_JaffaCakes118.exe	83
PID 3432 wrote to memory of 3912	3432	DEM4621.exe	97
PID 3432 wrote to memory of 3912	3432	DEM4621.exe	97
PID 3432 wrote to memory of 3912	3432	DEM4621.exe	97
PID 3912 wrote to memory of 4308	3912	DEM9C8E.exe	99
PID 3912 wrote to memory of 4308	3912	DEM9C8E.exe	99
PID 3912 wrote to memory of 4308	3912	DEM9C8E.exe	99
PID 4308 wrote to memory of 3828	4308	DEMF2CC.exe	101
PID 4308 wrote to memory of 3828	4308	DEMF2CC.exe	101
PID 4308 wrote to memory of 3828	4308	DEMF2CC.exe	101
PID 3828 wrote to memory of 3144	3828	DEM4968.exe	103
PID 3828 wrote to memory of 3144	3828	DEM4968.exe	103
PID 3828 wrote to memory of 3144	3828	DEM4968.exe	103
PID 3144 wrote to memory of 1512	3144	DEM9F96.exe	107
PID 3144 wrote to memory of 1512	3144	DEM9F96.exe	107
PID 3144 wrote to memory of 1512	3144	DEM9F96.exe	107

C:\Users\Admin\AppData\Local\Temp\1b896a595788018fc0393e612a6957de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b896a595788018fc0393e612a6957de_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\DEM4621.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4621.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Users\Admin\AppData\Local\Temp\DEM9C8E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9C8E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\DEMF2CC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF2CC.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4308
    - - C:\Users\Admin\AppData\Local\Temp\DEM4968.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4968.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3828
      - C:\Users\Admin\AppData\Local\Temp\DEM9F96.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9F96.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\DEMF603.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF603.exe"
        7⤵
        Executes dropped EXE
        
        PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4621.exe

Filesize
14KB

MD5
8f6c8b4b4777919c1620029882da9ca5

SHA1
aaf3e8d5f01ed7482978e243c931823dc1b9683a

SHA256
ed9077b3facb63becac7e943ef46f15815a1dca612bbf5961133e930ff9a074e

SHA512
f4b189d06a89ff587b8083df113fc433b69ccffc8e67875391fd69f3d40e1e8636db23ad35ff0a88006357f8802a3c22e10298e5c4cf9819a116bfd78712011c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4968.exe

Filesize
14KB

MD5
6fa5d326410003d92ebc692c46e0bbe9

SHA1
2327e4f3cd976a247eec842ff737dfb30ec2083e

SHA256
7a85e81f33807b55ce3c930615c04a23292475492b50df8e889c161e686e5d38

SHA512
d563390ff2fcf20c1348ae5ff0c453e0108f9e407f1bfa512415ecc3bec110e485cac8925ad456c2f9ef33388162c97dc2e88214ef09008d1683c259144c8869

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9C8E.exe

Filesize
14KB

MD5
6448ea9856d8cdb2ab765ed48c085c79

SHA1
897d8a89922688d11ab064f794d4b211e99c5938

SHA256
a518275a98ca295d9fcd30a944545ffebbee20be9169c66d8e56c58b7ca99727

SHA512
98a2f360232608a64f05e50a6fd538bde910a1d7a324a4ad8f05daca150621f95dcdb59927ee8a2d3ab2a39bcd12821648652443f2935434dae32f37bf0830bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9F96.exe

Filesize
14KB

MD5
407b79ed5ba66c561170a0b5a2ac1953

SHA1
e6107327f3f10c427da31ae5fffb26915eaf7ab8

SHA256
c98deeff5149b3759954f90d5603c9664cb598ec624b00120fc915dd16c1261a

SHA512
1dced237bb8c8ef67f4402a9a660bf8531bd4cd82805c8d141edb2263d1ec455cb02d63252790d1d34a95fd651b377e68f2ea393d88b9a06f6d32196abe646fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF2CC.exe

Filesize
14KB

MD5
c5583b231c4fa106c948926538cf2b36

SHA1
e6fbd8f53a155f1a7e83c2ed0210c843683e956f

SHA256
5315363229d9f3af7398a7f7b253339a5a8937a98c87b6328b984c0701014d32

SHA512
8d4d07f447af7c8d4f495bc6543952fcabd026e71906ff0b31dad7a541aff9b1c37a62fedd63e45e0c478701074d9d044e8a493dd07fb510215aec8f4d0d1fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF603.exe

Filesize
14KB

MD5
1bb067b7f7b924718096c183d0ff2b9c

SHA1
a39b565f40564959f50779cf0922dcbf86654619

SHA256
35ef0a880feee5e85475167abb082db902301991aba192924bca8f69cb526b50

SHA512
f980e97b3085529464d6a2ae5374c244c665d33a408046945f2aee4ab1f5159559f2aa93fe8c91ca9732ff8cb1ab573edb0e8f2c4489419cefbdaf97b8c8af24

Download Submit

Analysis

Sharing