52f996b3921589209fe2be0ee13e5b54823732bc18b03285e5eaf9b231e9f0d4

General

Target

37bc1ced5a42019420b7c9688785457c_JaffaCakes118.exe
Size

14KB
MD5

37bc1ced5a42019420b7c9688785457c
SHA1

df03f5f489db503b2a87e9da2cb4e844a6f94ffa
SHA256

52f996b3921589209fe2be0ee13e5b54823732bc18b03285e5eaf9b231e9f0d4
SHA512

59aeff12f71227a384d778d9787878cbf6719e9d44b53956401cd9055b41b208cfa0c591b276b15789476a2debbe2a1346188da09271ac4394ed17352e626930
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhT:hDXWipuE+K3/SSHgx5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	37bc1ced5a42019420b7c9688785457c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEM67B3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEMBE7D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEM147D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEM6B09.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEMC167.exe

Executes dropped EXE 6 IoCs

pid	Process
100	DEM67B3.exe
4940	DEMBE7D.exe
2508	DEM147D.exe
2420	DEM6B09.exe
4416	DEMC167.exe
2680	DEM17D4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 100	4696	37bc1ced5a42019420b7c9688785457c_JaffaCakes118.exe	87
PID 4696 wrote to memory of 100	4696	37bc1ced5a42019420b7c9688785457c_JaffaCakes118.exe	87
PID 4696 wrote to memory of 100	4696	37bc1ced5a42019420b7c9688785457c_JaffaCakes118.exe	87
PID 100 wrote to memory of 4940	100	DEM67B3.exe	92
PID 100 wrote to memory of 4940	100	DEM67B3.exe	92
PID 100 wrote to memory of 4940	100	DEM67B3.exe	92
PID 4940 wrote to memory of 2508	4940	DEMBE7D.exe	94
PID 4940 wrote to memory of 2508	4940	DEMBE7D.exe	94
PID 4940 wrote to memory of 2508	4940	DEMBE7D.exe	94
PID 2508 wrote to memory of 2420	2508	DEM147D.exe	96
PID 2508 wrote to memory of 2420	2508	DEM147D.exe	96
PID 2508 wrote to memory of 2420	2508	DEM147D.exe	96
PID 2420 wrote to memory of 4416	2420	DEM6B09.exe	98
PID 2420 wrote to memory of 4416	2420	DEM6B09.exe	98
PID 2420 wrote to memory of 4416	2420	DEM6B09.exe	98
PID 4416 wrote to memory of 2680	4416	DEMC167.exe	100
PID 4416 wrote to memory of 2680	4416	DEMC167.exe	100
PID 4416 wrote to memory of 2680	4416	DEMC167.exe	100

C:\Users\Admin\AppData\Local\Temp\37bc1ced5a42019420b7c9688785457c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37bc1ced5a42019420b7c9688785457c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Users\Admin\AppData\Local\Temp\DEM67B3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM67B3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:100
- - C:\Users\Admin\AppData\Local\Temp\DEMBE7D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBE7D.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\DEM147D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM147D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Users\Admin\AppData\Local\Temp\DEM6B09.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6B09.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2420
      - C:\Users\Admin\AppData\Local\Temp\DEMC167.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC167.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\DEM17D4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM17D4.exe"
        7⤵
        Executes dropped EXE
        
        PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM147D.exe

Filesize
14KB

MD5
eab4084d1ac37f57b327accd7cb2de99

SHA1
3b6e4e49b828232324ec8bf8abb49f714655747b

SHA256
af67e585404fda199d1322b4fb02cb5c7e1779d848cd90f257e64f542bf5c411

SHA512
2c6c08da3062c3a60f868da8106ddf99efc9847029934121fcadc6b483baad1637d74de4bd32f8fc8048d5bd8d68b3aa98dfaba813eca80339cfd2175eae37b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM17D4.exe

Filesize
14KB

MD5
238a7119558378e1337d4802e0dfcddd

SHA1
0109eba126c5cb49238122272b13504948ad1b05

SHA256
8591aecb237489fa408b4665a0a71511fdaa0c14ffacb6479f2c3cff7491b92f

SHA512
a3e693461b26eb7378d73495d0116cb5f7352681bec580be7e5ccc5927cbe564fe0a5c6dc6e1db659fd4aaf8da4aa5b42bd84c00ae0c7d8fe2c1a3955015fe7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM67B3.exe

Filesize
14KB

MD5
ede286f4f789c44aef56a9793cf999d2

SHA1
16310e6c6bf438cb6dbd3d81ac059b892b696e9e

SHA256
9d5d5ac9c3c183c85c48864784df203d63c0d7c6affdd4ded398f67a62c3760f

SHA512
63d368b011f6ca8ecf8e5db3fee5e50947cf293aedda3f3460263e5518543a71b636a184814c6ffa568b60dbc66d4d176d58f9cfea1cb8f1ba1ac402aebb4750

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6B09.exe

Filesize
14KB

MD5
e00c4744066d0cb97b9b7270facf1850

SHA1
f1c2d7e52369854547e44c6eeb58ae21362cf516

SHA256
9b399f347f180b221b12b7e4a3ae838875179fa646fe107ce90333768303839e

SHA512
dc029614eeac79bd7ab38c086995bb462f00eb46fc0b8313136550f5d9d53524871f3528b926b385c6ec95382d86d6cbc5862548c6564dac478d89ad10524311

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBE7D.exe

Filesize
14KB

MD5
490f8dfa332745d1dfb7367e5cf46b91

SHA1
dd634b7052e8758d2d87d98639a89163d4b15330

SHA256
6a1f9eda5330fdf03cc6014040ca7dac191fce781e806b3df610990091b5ec58

SHA512
994d5b6c518b4def7047db24ff158de470147dc4f83d423792adeaef0724d4f0384c42a794e654365179be55ed6f36be65ca67e0a4a6b067cfd17e22ee464456

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC167.exe

Filesize
14KB

MD5
c90cb5940d15056341ff88fad5506f73

SHA1
b8b7383b21047af02d10801c766bc69d49d5576f

SHA256
7d994e7fffaa36156c56168f26a3a5ca5e533f1251be14e84914c0208e82214a

SHA512
ecee272d135e81c9f7a1517fb2ac31551736d6f95e8c55717cacf7ee3e06b1e0c3408df24d4208bbd91b3c3f6eefd3fe72e89bbc8f2d1b3672d2f658f4e22d65

Download Submit

Analysis

Sharing