2b6bbf2ad098d45eff6abd4cc2d2040464959cd01bd072a8e4b36c3f1a649eb4

General

Target

3cc339df334a665f172471bd70aceabc_JaffaCakes118.exe
Size

15KB
MD5

3cc339df334a665f172471bd70aceabc
SHA1

357d422e8eda84d54b237a1fbf2fcb7e813dc4d6
SHA256

2b6bbf2ad098d45eff6abd4cc2d2040464959cd01bd072a8e4b36c3f1a649eb4
SHA512

f14aca9e34756be0147f649d6cd2ff13072502627c8013647d3898bfc02a7570c20daaf71912ea0f88662f1af2fc4c9603101c2173146c48eb4665a404c45ea5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4+TI:hDXWipuE+K3/SSHgxmJE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	DEME162.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	3cc339df334a665f172471bd70aceabc_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	DEM8879.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	DEMDED7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	DEM34F6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	DEM8B24.exe

Executes dropped EXE 6 IoCs

pid	Process
1204	DEM8879.exe
4168	DEMDED7.exe
3484	DEM34F6.exe
2032	DEM8B24.exe
2244	DEME162.exe
3024	DEM3791.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 1204	4776	3cc339df334a665f172471bd70aceabc_JaffaCakes118.exe	87
PID 4776 wrote to memory of 1204	4776	3cc339df334a665f172471bd70aceabc_JaffaCakes118.exe	87
PID 4776 wrote to memory of 1204	4776	3cc339df334a665f172471bd70aceabc_JaffaCakes118.exe	87
PID 1204 wrote to memory of 4168	1204	DEM8879.exe	92
PID 1204 wrote to memory of 4168	1204	DEM8879.exe	92
PID 1204 wrote to memory of 4168	1204	DEM8879.exe	92
PID 4168 wrote to memory of 3484	4168	DEMDED7.exe	94
PID 4168 wrote to memory of 3484	4168	DEMDED7.exe	94
PID 4168 wrote to memory of 3484	4168	DEMDED7.exe	94
PID 3484 wrote to memory of 2032	3484	DEM34F6.exe	96
PID 3484 wrote to memory of 2032	3484	DEM34F6.exe	96
PID 3484 wrote to memory of 2032	3484	DEM34F6.exe	96
PID 2032 wrote to memory of 2244	2032	DEM8B24.exe	98
PID 2032 wrote to memory of 2244	2032	DEM8B24.exe	98
PID 2032 wrote to memory of 2244	2032	DEM8B24.exe	98
PID 2244 wrote to memory of 3024	2244	DEME162.exe	100
PID 2244 wrote to memory of 3024	2244	DEME162.exe	100
PID 2244 wrote to memory of 3024	2244	DEME162.exe	100

C:\Users\Admin\AppData\Local\Temp\3cc339df334a665f172471bd70aceabc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3cc339df334a665f172471bd70aceabc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Users\Admin\AppData\Local\Temp\DEM8879.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8879.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Users\Admin\AppData\Local\Temp\DEMDED7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDED7.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Users\Admin\AppData\Local\Temp\DEM34F6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM34F6.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3484
    - - C:\Users\Admin\AppData\Local\Temp\DEM8B24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8B24.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2032
      - C:\Users\Admin\AppData\Local\Temp\DEME162.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME162.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\DEM3791.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3791.exe"
        7⤵
        Executes dropped EXE
        
        PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM34F6.exe

Filesize
15KB

MD5
912ffd2700de54975d364c70a7048cc7

SHA1
86f41e7d54ba8ee02a652a3f9fc750173962f645

SHA256
5b414511b563bd083b0d436a74a42a8cba3f4d8b7baf5630e686da6c4c42b844

SHA512
71a9a00604ea1d91b210e36b8bb42f85108b2eb9eea08748224b4396c14b2c98241f9f716e372c77e3d0ad482a683fc71def56e1fd30c193d830fb16d49cf303

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3791.exe

Filesize
15KB

MD5
f05ac2cdd226a69746c968324fefffed

SHA1
a20689400c1855121ba7ef915c4b3ed4bfc89af0

SHA256
7d73ac66cd2c4165043b2bd764bcb70ff4184b425249a953ff4b1496731fe05a

SHA512
c7db658b5f2da7f3ac6f9c752a72c0acc40172c2bc2616a6fcddf3e30323fa24f6553941b6846447336704fe0977fa297f4dcc3170d4671503294664ee427552

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8879.exe

Filesize
15KB

MD5
5e493de41fa19d2b0a33bc065b04cf37

SHA1
ed72d46a7fd4bb999ad7a84f4f70b1dc7a4f2e92

SHA256
dce61c083dbe33cfcf17ad9807a64ed9e004de8fc652600654a143ec5ed9ebff

SHA512
7ad4d2d3623d1f63988ad0fd058d4e22fd24fe80f780b76259b09bad6e5053f5223389070b415fefee9b9e4ecd034b624ffa85fa1f6c2a7fff3591a4493721aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8B24.exe

Filesize
15KB

MD5
5b6bed00849b8d6fc420232bbd6e9a6b

SHA1
2a60c2c2156049d908a4605938f62f4f6d44cb5d

SHA256
fd17186e695f5a338d86be5cfca9d9682058e01ce73ec72fae1ad9f3c0c028b6

SHA512
f93cf2af95a584a6f1565bc49e60000c890aaf6e6363735c407aa4703ade4725c465334f4979156aadfa3b567e919cdf1585f8ac9ccb26a30e071686238f0ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDED7.exe

Filesize
15KB

MD5
6a422b03074a54ef0ce6d308cb11156a

SHA1
88037c170dcc61f6d9cf6ccfdd9ab0644bb77a07

SHA256
a4bc4c90295318275f9deacc4f552032e559392ea7a907fe3ac1d49aa3eaeffd

SHA512
ccbd800caedff52433c421bf3784d7561bc3515d58d11c3a9a8ad18b24836170d9f578d7cf5e7483c8fe23208385f1493fa2f42e0d28230e4857896db64ba124

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME162.exe

Filesize
15KB

MD5
c0e20c747175bf6e90998ab7e0c81bc8

SHA1
c2a7abe09383948cc2bf719ead10fedd0d39b049

SHA256
82608af63a58e5e27f17d87cabd3f452952cbd2acaa8b64bda7309668f9a8bf3

SHA512
5aa87eef40b649249c1ad96fd7730604bf497a8d2da1c98ea5ef3587a94af3120a64e311781b976c428c7668283afc6d0b91847c4fd92a655d09e853bd8c0b54

Download Submit

Analysis

Sharing