8094cdc4f5c8ed280a27077dc12ec10cc006adfdfc7345601e6eab26e82b450b

General

Target

2964a4c1279a6b3c42e66b8c3557f41e_JaffaCakes118.exe
Size

15KB
MD5

2964a4c1279a6b3c42e66b8c3557f41e
SHA1

0a717f23dd9422db39e9d6a85e0a7561291277b5
SHA256

8094cdc4f5c8ed280a27077dc12ec10cc006adfdfc7345601e6eab26e82b450b
SHA512

850ed98af3ac9b43b3afdc4f344f239b59d883690b4f66f3d3789b8150bc8a9bc10b5e88b2fa78b8db978cc26d1b84790675973269558309d06edc6ec19c5525
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxnOik:hDXWipuE+K3/SSHgxmHROik

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	DEMF194.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	DEM4801.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	DEM9E6E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	2964a4c1279a6b3c42e66b8c3557f41e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	DEM447B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	DEM9B27.exe

Executes dropped EXE 6 IoCs

pid	Process
3740	DEM447B.exe
3208	DEM9B27.exe
4452	DEMF194.exe
1748	DEM4801.exe
3668	DEM9E6E.exe
1828	DEMF4EA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 3740	4612	2964a4c1279a6b3c42e66b8c3557f41e_JaffaCakes118.exe	82
PID 4612 wrote to memory of 3740	4612	2964a4c1279a6b3c42e66b8c3557f41e_JaffaCakes118.exe	82
PID 4612 wrote to memory of 3740	4612	2964a4c1279a6b3c42e66b8c3557f41e_JaffaCakes118.exe	82
PID 3740 wrote to memory of 3208	3740	DEM447B.exe	91
PID 3740 wrote to memory of 3208	3740	DEM447B.exe	91
PID 3740 wrote to memory of 3208	3740	DEM447B.exe	91
PID 3208 wrote to memory of 4452	3208	DEM9B27.exe	93
PID 3208 wrote to memory of 4452	3208	DEM9B27.exe	93
PID 3208 wrote to memory of 4452	3208	DEM9B27.exe	93
PID 4452 wrote to memory of 1748	4452	DEMF194.exe	95
PID 4452 wrote to memory of 1748	4452	DEMF194.exe	95
PID 4452 wrote to memory of 1748	4452	DEMF194.exe	95
PID 1748 wrote to memory of 3668	1748	DEM4801.exe	97
PID 1748 wrote to memory of 3668	1748	DEM4801.exe	97
PID 1748 wrote to memory of 3668	1748	DEM4801.exe	97
PID 3668 wrote to memory of 1828	3668	DEM9E6E.exe	99
PID 3668 wrote to memory of 1828	3668	DEM9E6E.exe	99
PID 3668 wrote to memory of 1828	3668	DEM9E6E.exe	99

C:\Users\Admin\AppData\Local\Temp\2964a4c1279a6b3c42e66b8c3557f41e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2964a4c1279a6b3c42e66b8c3557f41e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Users\Admin\AppData\Local\Temp\DEM447B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM447B.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\DEM9B27.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9B27.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - C:\Users\Admin\AppData\Local\Temp\DEMF194.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF194.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4452
    - - C:\Users\Admin\AppData\Local\Temp\DEM4801.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4801.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Users\Admin\AppData\Local\Temp\DEM9E6E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9E6E.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\DEMF4EA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF4EA.exe"
        7⤵
        Executes dropped EXE
        
        PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM447B.exe

Filesize
15KB

MD5
54edd7fdc600378d31a2f899001319a1

SHA1
686653bf8cf179b226537a6940a5a316dd895e4d

SHA256
efae37969ad67e8353a7af33f26fae778f0e865740641b5cedc48db1f0999e74

SHA512
90ef23dd1e948b28b1e95388953d35d0c8beafd7296b5194578458bc3bdb6df85ffd40bd50736fadace851fbf21fa8fbf0f178c11bedd58b858a0e1de2d584e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4801.exe

Filesize
15KB

MD5
54016e84bbabc47910708765dfd31c0d

SHA1
a8738bbc18108f326dab0f43196f85d7ee2f1674

SHA256
6be5f366757c6c7acd89f77ac958dfab01e421e3de00d27bd1acaef87cd99db7

SHA512
ba36e4bfc063a249e1a15a50ef2d8a3286cdcf46038a7d68c4effaa0ace1487b1a328c42dbfeb039b8abd75108171653a8f1bd2553b0f6faaa78d9ace1a0d7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9B27.exe

Filesize
15KB

MD5
6491f75b351d9bc2baf747c2dbd5d2fd

SHA1
7c6c97a6a1778ebc68a6bd744ca2407c1d220b3a

SHA256
cbfe77bae6b8a0d72ae9aeedec84a62a96cd3f39b618996cfadcd96906b932f0

SHA512
ad871899df254446070bc8d0ca516ba3d0f985f7e3c75636b1569566fb64618599c2c3a80cf253bac764b55982b0d191645cb37e211f4315732fa00451770e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9E6E.exe

Filesize
15KB

MD5
ede268e87f2c68cc2c2dffa0316478ac

SHA1
bee8e91b6bb51752f16e063baaf72abb7fa1785e

SHA256
cd505e8938eebce7dc3db0c81089909fc54f807bf069a95bf7c51a8fe0ad00e3

SHA512
3afd24378216747af7fda35bff4958722afdbc63fe92101f5625bd9070a92e479fa85000efa26f55c68855599b511fed315fa8b1d2ce8de06e16f2a05167b244

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF194.exe

Filesize
15KB

MD5
7e951fc1be181546836d6f6ffc1b7570

SHA1
b07dfd7c03f6b7c14728f004ec5dc6f4a523c9a6

SHA256
2e42c56f8aba0fd29ad4d031fe72ec7e3b6467c05dd836ec253325529ff1b826

SHA512
a9ca8f4e44162602af013300110227613e377389f726a8f4365d0a2c6507d32ec92122130c7a1989f814ae6a757d5453bd7415cdf68b3795aab7219559213d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF4EA.exe

Filesize
15KB

MD5
95cc4bacbd621256e150f3e423dffdcd

SHA1
fe30f893a1d933df7b06772990427a3801b08084

SHA256
69adc22906ef84562b9508d659fe8288eb5aa293328b00fafa06b7cf5b5be546

SHA512
79143504b774f0812495ea9b99228aee2847166a3bb214b7fa48a656cc303720c05a0281834fdb612b27de959f453016bd8b9fd44f52cb2aa1d87eea0bce79c9

Download Submit

Analysis

Sharing