a685f60c91e9a27cb9e274dc33b79a1d915410689234fa02cb1f9648c8858044

General

Target

38fd2d58dde7d5e4413a5d3d8a03c64b_JaffaCakes118.exe
Size

16KB
MD5

38fd2d58dde7d5e4413a5d3d8a03c64b
SHA1

ccff38fda2cb03f1ad821a1fa04e0ade54d2bc0f
SHA256

a685f60c91e9a27cb9e274dc33b79a1d915410689234fa02cb1f9648c8858044
SHA512

b4927d91c66c4ae7367181945ffd79abe39c3b2ef131f57174935f486f5a2b1cbe99aed271054024e29732d7124feffff1706dd35d24c8c09ea76f9d233f7f12
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+LY:hDXWipuE+K3/SSHgxmH1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	38fd2d58dde7d5e4413a5d3d8a03c64b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	DEM7D0F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	DEMD39C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	DEM299B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	DEM7F8B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	DEMD5D9.exe

Executes dropped EXE 6 IoCs

pid	Process
3804	DEM7D0F.exe
1384	DEMD39C.exe
2804	DEM299B.exe
4520	DEM7F8B.exe
3948	DEMD5D9.exe
3484	DEM2C08.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 3804	1364	38fd2d58dde7d5e4413a5d3d8a03c64b_JaffaCakes118.exe	87
PID 1364 wrote to memory of 3804	1364	38fd2d58dde7d5e4413a5d3d8a03c64b_JaffaCakes118.exe	87
PID 1364 wrote to memory of 3804	1364	38fd2d58dde7d5e4413a5d3d8a03c64b_JaffaCakes118.exe	87
PID 3804 wrote to memory of 1384	3804	DEM7D0F.exe	92
PID 3804 wrote to memory of 1384	3804	DEM7D0F.exe	92
PID 3804 wrote to memory of 1384	3804	DEM7D0F.exe	92
PID 1384 wrote to memory of 2804	1384	DEMD39C.exe	94
PID 1384 wrote to memory of 2804	1384	DEMD39C.exe	94
PID 1384 wrote to memory of 2804	1384	DEMD39C.exe	94
PID 2804 wrote to memory of 4520	2804	DEM299B.exe	96
PID 2804 wrote to memory of 4520	2804	DEM299B.exe	96
PID 2804 wrote to memory of 4520	2804	DEM299B.exe	96
PID 4520 wrote to memory of 3948	4520	DEM7F8B.exe	98
PID 4520 wrote to memory of 3948	4520	DEM7F8B.exe	98
PID 4520 wrote to memory of 3948	4520	DEM7F8B.exe	98
PID 3948 wrote to memory of 3484	3948	DEMD5D9.exe	100
PID 3948 wrote to memory of 3484	3948	DEMD5D9.exe	100
PID 3948 wrote to memory of 3484	3948	DEMD5D9.exe	100

C:\Users\Admin\AppData\Local\Temp\38fd2d58dde7d5e4413a5d3d8a03c64b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\38fd2d58dde7d5e4413a5d3d8a03c64b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\DEM7D0F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7D0F.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Users\Admin\AppData\Local\Temp\DEMD39C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD39C.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1384
  - - C:\Users\Admin\AppData\Local\Temp\DEM299B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM299B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Users\Admin\AppData\Local\Temp\DEM7F8B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7F8B.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4520
      - C:\Users\Admin\AppData\Local\Temp\DEMD5D9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD5D9.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\DEM2C08.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2C08.exe"
        7⤵
        Executes dropped EXE
        
        PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM299B.exe

Filesize
16KB

MD5
d5670e60d3950974b267b2db619a2a08

SHA1
bf84f89a0cec5e75e5431f848f6827c78506d50e

SHA256
7c003502964db14904bb7aec33390cbfdde073e5dbd22f0cca33b76388e9a259

SHA512
2629944eda0c3657a744768cc071cf49bd3165c7eb3c0fa94d3edd3eadf3e3fb08be2bade28968192d1302ad227325228cacdf258562100dc6807683ddc6ee6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2C08.exe

Filesize
16KB

MD5
d8cfe71793e8acd5fa70e156d6fcf007

SHA1
8ebb808b24b4f5d2087890fd76a273c7cf45f220

SHA256
50ad931abdf6ab42d3d7c19ef2c932c768f186b0698140ed5ff3ae717230616a

SHA512
ce07246adcfcb0b9725d5334fec6f2a7bdaaf8092f03f84dbe55f265948deedf4fecf18be4819a33aa4ee233c15b8eadd94fdfc7e189749a8a7ed477d88f585e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7D0F.exe

Filesize
16KB

MD5
c9fc6f7da8dfb5d1aac032ca0b10f0ea

SHA1
fbb78294a48d02224a353893cfd00a6cce598eec

SHA256
0e027640b7763ac7e862feecd123018097a1b887351e4d140e2a1f5385542b07

SHA512
fb8b15f3df289e31fa22509308cc1a8110fb76a2f95792e00c568fa37905569c43b1931d5681aab6420b051e2c806c67044afb3c168e4ba724ed6ddf08b96be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7F8B.exe

Filesize
16KB

MD5
663bb7d1cb72f3dd797710a79461a531

SHA1
8071ed1ae2d2112bf60e2f75dfeaa91ec50df35f

SHA256
f79ef930e7ed145c813111576fe27f11c27b6494b7bc3b8a0d86f0e067d9eb8d

SHA512
e4e788dfb38f1a476e55ab5bb1defcd15414a410029184d9ce6baf160986c3d006eeff8222053bb2c889e681a582bc7ac4b0de8266bf2413c45a33adb6738c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD39C.exe

Filesize
16KB

MD5
cfaabed46ea5f104841a803206bfc9fa

SHA1
2c18e1050ce06b261f23f3bc6cc6a1fed6bbbe87

SHA256
d53b76d3002c2b71a46815e2852494420ff2c87ca7fa873f0254b1b79a26aa6f

SHA512
9fb3d819b11b82ed5e6722e2dca7f809b3b21de383f33a2db0f21bda80392d6e99c55b7a8eddff6c58dc516c0238277b42ce2a11f7224f29f53e3d2553738a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD5D9.exe

Filesize
16KB

MD5
36f6fb1052db9e6723cfe204518dc788

SHA1
7b189ec9f038d3c17e2adfd0138ddf2e357b22d6

SHA256
5a8c0a7aaf330665130b3e4033973dfcf142b122bed180fdab76072411415fee

SHA512
787eee03ba03a9a4206afc30bf911e414a0c42a5546d255414acd911024fc5545d4f736878ed2225471db15ed15b7e71f6868a1533c137d47887f24db9c724b0

Download Submit

Analysis

Sharing