0705971b9f7b9ec5d13be59d4d4466b2eadfba2f2efd14ab588b52bafa5b0f00

General

Target

2cce3155a1fcc4b4dd9e828ec97a3417_JaffaCakes118.exe
Size

15KB
MD5

2cce3155a1fcc4b4dd9e828ec97a3417
SHA1

602700cb11eda9fec307c27ffe48ad2a5606d06f
SHA256

0705971b9f7b9ec5d13be59d4d4466b2eadfba2f2efd14ab588b52bafa5b0f00
SHA512

e60a0eb780c47278c69ce82ee8ee0947c9685ec3e6a0c430fb93b15c47b2ce9c03d545b66e32e455af66b102375389783a18edcf1340436e0384a308464d1481
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl5:hDXWipuE+K3/SSHgxml5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	2cce3155a1fcc4b4dd9e828ec97a3417_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	DEM7A9E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	DEMD1D7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	DEM28B1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	DEM7F3D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	DEMD5C9.exe

Executes dropped EXE 6 IoCs

pid	Process
4048	DEM7A9E.exe
4696	DEMD1D7.exe
436	DEM28B1.exe
5116	DEM7F3D.exe
4076	DEMD5C9.exe
5080	DEM2BF8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 4048	4192	2cce3155a1fcc4b4dd9e828ec97a3417_JaffaCakes118.exe	85
PID 4192 wrote to memory of 4048	4192	2cce3155a1fcc4b4dd9e828ec97a3417_JaffaCakes118.exe	85
PID 4192 wrote to memory of 4048	4192	2cce3155a1fcc4b4dd9e828ec97a3417_JaffaCakes118.exe	85
PID 4048 wrote to memory of 4696	4048	DEM7A9E.exe	91
PID 4048 wrote to memory of 4696	4048	DEM7A9E.exe	91
PID 4048 wrote to memory of 4696	4048	DEM7A9E.exe	91
PID 4696 wrote to memory of 436	4696	DEMD1D7.exe	93
PID 4696 wrote to memory of 436	4696	DEMD1D7.exe	93
PID 4696 wrote to memory of 436	4696	DEMD1D7.exe	93
PID 436 wrote to memory of 5116	436	DEM28B1.exe	95
PID 436 wrote to memory of 5116	436	DEM28B1.exe	95
PID 436 wrote to memory of 5116	436	DEM28B1.exe	95
PID 5116 wrote to memory of 4076	5116	DEM7F3D.exe	97
PID 5116 wrote to memory of 4076	5116	DEM7F3D.exe	97
PID 5116 wrote to memory of 4076	5116	DEM7F3D.exe	97
PID 4076 wrote to memory of 5080	4076	DEMD5C9.exe	99
PID 4076 wrote to memory of 5080	4076	DEMD5C9.exe	99
PID 4076 wrote to memory of 5080	4076	DEMD5C9.exe	99

C:\Users\Admin\AppData\Local\Temp\2cce3155a1fcc4b4dd9e828ec97a3417_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2cce3155a1fcc4b4dd9e828ec97a3417_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\DEM7A9E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7A9E.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Users\Admin\AppData\Local\Temp\DEMD1D7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD1D7.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Users\Admin\AppData\Local\Temp\DEM28B1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM28B1.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:436
    - - C:\Users\Admin\AppData\Local\Temp\DEM7F3D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7F3D.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5116
      - C:\Users\Admin\AppData\Local\Temp\DEMD5C9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD5C9.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\DEM2BF8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2BF8.exe"
        7⤵
        Executes dropped EXE
        
        PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM28B1.exe

Filesize
15KB

MD5
701895eb7a03387211ebd4bb521802f1

SHA1
02f9266e800feaafcdf830ff11eff4ff68bbffe8

SHA256
49b25bcb241532287d33bb97983b6d27acc98030d83edc46a227fa5a568fb62a

SHA512
fbe7c7dcca32665bcfdab9901a896117e3544b1118f1671a91bbd22313679dfccd70b6cf188443767f45f7f427bc70f5e666d3d19e7103a6709092409999bac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2BF8.exe

Filesize
15KB

MD5
7e531a77c6c938baa7ef74f0b0cf7690

SHA1
3d436e4167ec8ed7df8b572550565330aebdfa02

SHA256
7c6b2706f9ce6df54875b86078ba466ce458b4981dd799abeb1aa8ac41b25788

SHA512
2f3bc0e65cf33f9bbf59831b0a65fa42d6a2147de62d4590d094899c7cd6e3c7c3497605b2d1ea93f9eb00a3e9ca77a469cce057a15abbb248a63beaab98542d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7A9E.exe

Filesize
15KB

MD5
98f0cf09009501227224153a9ee10637

SHA1
25090375121f3a9b8ca1bf1c191825cf1f8230e6

SHA256
6b52281b83be0873ff9cba3768b3bc7234c66010ebb183089e74fabf9fb01ebe

SHA512
5a09091cde25930308671adcc15fe1f334f0d19746dac3aa8c124408f6a0584ea580e522bf7f6e6653cc4844c0a33e45d763f60510be08320b1e2b6fc33275c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7F3D.exe

Filesize
15KB

MD5
4956b76bcfd24fb19ab07d511a9f5cce

SHA1
fadc7d79fe471efd77788507d620763b2058bc86

SHA256
4975ccb185d29bdfd375656b8486583ea746615d155ffd04b710699e9b80494d

SHA512
15aca62203eef96af7a744d87f6c3329db5f56331b91cb698cdea78ed3f9b2e8d0d1e0e7b1fb8659ae8f3389d8737b50419c2598b186944493a32aac30be2454

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD1D7.exe

Filesize
15KB

MD5
170ce83b55c624637775717871db40a0

SHA1
77c1622db1fe468f88db49c70695619d0b981ff7

SHA256
a716c1add3be7f341d7b0ccdc57b9dbada5493c0fe392771e2942e599a7f1317

SHA512
45552d69a95241783cbac8c90359ea2ffe4f61a98bc81b79657f15a62ad2912735bf8873d8f87aab5d489e238df428b47d11783f019d15c125bfe9532ac9c9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD5C9.exe

Filesize
15KB

MD5
2af79685833e8561b87d7a8b959a8529

SHA1
099eebf6a9ac869b90dba13b721bc15a113c2ca0

SHA256
c71b5c38fc595afe730d6ee45f7a4f4353434d43f9e284f190eef7b4fcb31fea

SHA512
35ee33284cac33d990f95477476053051df2c76cd1936559fbb9eeca21c9f477ff13556756e6f23888557bac4f7dc9cb32aa3c553cfc01a88f1adcb8301df018

Download Submit

Analysis

Sharing