28dfb8ab52d6227622e6e3100d824cf1db0d025f73b9f412e41039f4cb87b4a4

General

Target

3b888ddf6ec5dc8e648f32b51937629e_JaffaCakes118.exe
Size

14KB
MD5

3b888ddf6ec5dc8e648f32b51937629e
SHA1

0b34813b3d2753ea948ebd4da1af8c51a5a6ec34
SHA256

28dfb8ab52d6227622e6e3100d824cf1db0d025f73b9f412e41039f4cb87b4a4
SHA512

0e2a5765bf18e9090b3fb50050f81a3b9decdd7af8140b6be9c9190dc977113a54303bc538c74635ca150672444f7c325e7130451154185b3e194936a3876768
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhT3:hDXWipuE+K3/SSHgxN3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEMF037.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	3b888ddf6ec5dc8e648f32b51937629e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEM97CB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEMEE29.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEM438C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEM99BA.exe

Executes dropped EXE 6 IoCs

pid	Process
2272	DEM97CB.exe
4376	DEMEE29.exe
1284	DEM438C.exe
2168	DEM99BA.exe
4032	DEMF037.exe
3704	DEM4666.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 2272	4800	3b888ddf6ec5dc8e648f32b51937629e_JaffaCakes118.exe	87
PID 4800 wrote to memory of 2272	4800	3b888ddf6ec5dc8e648f32b51937629e_JaffaCakes118.exe	87
PID 4800 wrote to memory of 2272	4800	3b888ddf6ec5dc8e648f32b51937629e_JaffaCakes118.exe	87
PID 2272 wrote to memory of 4376	2272	DEM97CB.exe	92
PID 2272 wrote to memory of 4376	2272	DEM97CB.exe	92
PID 2272 wrote to memory of 4376	2272	DEM97CB.exe	92
PID 4376 wrote to memory of 1284	4376	DEMEE29.exe	94
PID 4376 wrote to memory of 1284	4376	DEMEE29.exe	94
PID 4376 wrote to memory of 1284	4376	DEMEE29.exe	94
PID 1284 wrote to memory of 2168	1284	DEM438C.exe	96
PID 1284 wrote to memory of 2168	1284	DEM438C.exe	96
PID 1284 wrote to memory of 2168	1284	DEM438C.exe	96
PID 2168 wrote to memory of 4032	2168	DEM99BA.exe	98
PID 2168 wrote to memory of 4032	2168	DEM99BA.exe	98
PID 2168 wrote to memory of 4032	2168	DEM99BA.exe	98
PID 4032 wrote to memory of 3704	4032	DEMF037.exe	100
PID 4032 wrote to memory of 3704	4032	DEMF037.exe	100
PID 4032 wrote to memory of 3704	4032	DEMF037.exe	100

C:\Users\Admin\AppData\Local\Temp\3b888ddf6ec5dc8e648f32b51937629e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b888ddf6ec5dc8e648f32b51937629e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\DEM97CB.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM97CB.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\DEMEE29.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMEE29.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Users\Admin\AppData\Local\Temp\DEM438C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM438C.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1284
    - - C:\Users\Admin\AppData\Local\Temp\DEM99BA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM99BA.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2168
      - C:\Users\Admin\AppData\Local\Temp\DEMF037.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF037.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\DEM4666.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4666.exe"
        7⤵
        Executes dropped EXE
        
        PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM438C.exe

Filesize
14KB

MD5
1ee2d6ff58b542132a2301c56de53caa

SHA1
344a8a210a93f54ccebad25eb8eeb720472bafeb

SHA256
31c3e51bf6ef18eebc4b4d867ff5774a9d5b69e658682d4acc6d036dc9b4fdac

SHA512
fb7ec6f1b6831b4e2a5050d5c4e3742430ed9ad73e61d633cd1183f5d11bcdb3525585bc8f621e8cf9594444ce7560f5c4d74cd136f7a9d4b35162bedfa62f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4666.exe

Filesize
14KB

MD5
eac8039d366653ec396a4b9468d05b86

SHA1
bfa54c34aab29a34d51fd358d6e37e3f9da5cd53

SHA256
0e8a216e22c7fea853396340ba3becb6c852dbd115dfbafc296508b0346430a0

SHA512
58a7ad6614c75b346b4e263db12ec4fd3b651cdd53a3a37133156c971ab16243b34f0715267d804d0dcc0f7868a9ca02f5f3e8b8ffc77e765d356850089967a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM97CB.exe

Filesize
14KB

MD5
6143310c173647bc1d35f73bed63fbad

SHA1
89e454e106c9dad257cedc9b1b3ab722b468c590

SHA256
506c28b15c62dd0b36ac5fd1c55ba697c97227e30c3e01a30702370b9e151e7c

SHA512
c87cfee775262585d9342c434ea55d9737fb319b535cf1632e63ee3bf0acbebb5f2ce5757e5936822695ba9b731cd82c242f5848b46bbd0c3dbcb9ac53d07aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM99BA.exe

Filesize
14KB

MD5
96273f87843668843ae9205a6ef59ebd

SHA1
c1c64cd463dccdc80e2a0cc7d36d407f67784d41

SHA256
d62e5f9ffe76bf7753319cc56bc48374010e2a1215069d7092bc1ee3d00d0517

SHA512
f704fb77a4adab76a8201c1df53ff37ba99e34ff9e938d57b50a1a5eb3eb40433582e9cbb304ac74eb1066e5a48a2492cc6351c968a540295c2274e848db3395

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEE29.exe

Filesize
14KB

MD5
5d4c20c82b6ccd047db1439113a78ee9

SHA1
ae047ad0881ca9c605b10e08932b7ceeef4a2de9

SHA256
8f0d81259308f637549da1b9181aefe7e2b82dd41c905958c6922838a61686a7

SHA512
5f9dad4ecb8aec9cb8c26a8f99463aae171d2fc749f4687b8c81991720db53d0a5a350c2e02ac9e443cd18e1235e31fca88f231d96505a24c3e03fb7421ae240

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF037.exe

Filesize
14KB

MD5
ece79d0671dd174b29ed158f9923f74e

SHA1
428491b85812fbfface052e1ccec792707792261

SHA256
e56fc89ce5d74e085eda5eeafb2c7548a3086532a406afb03a10e8ea469e397e

SHA512
f947a26987a0b3dcd7973b896624e7aef48da12ee0d979f514f46568fd265db3ca2a96b3abe5ded26b5f3ac165533e0be7c1de3edaf34b4c0d7c0177257a7a2e

Download Submit

Analysis

Sharing