4c25447b768f8569e5f3651841f5cd1d9e60a88ea2c499256eee86ef7333d61f

General

Target

3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe
Size

15KB
MD5

3cf247671286280afaeead77b0bb1cd2
SHA1

85dda666303773e5cec415886a45a5ef565e897b
SHA256

4c25447b768f8569e5f3651841f5cd1d9e60a88ea2c499256eee86ef7333d61f
SHA512

d43a6108516e3a93aeaf91110150d59b59904c5a7a6643e778ec8c8883c6ae9e9808cf877416ffd5af6df26976fcdc761f4eec2744ac069544ca9128f82a34ad
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYln:hDXWipuE+K3/SSHgxmln

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEMBA95.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEM118F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEM678F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEMBDAE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEM13AD.exe

Executes dropped EXE 6 IoCs

pid	Process
3384	DEMBA95.exe
1976	DEM118F.exe
5076	DEM678F.exe
4188	DEMBDAE.exe
4144	DEM13AD.exe
708	DEM69DC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 3384	3344	3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe	87
PID 3344 wrote to memory of 3384	3344	3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe	87
PID 3344 wrote to memory of 3384	3344	3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe	87
PID 3384 wrote to memory of 1976	3384	DEMBA95.exe	93
PID 3384 wrote to memory of 1976	3384	DEMBA95.exe	93
PID 3384 wrote to memory of 1976	3384	DEMBA95.exe	93
PID 1976 wrote to memory of 5076	1976	DEM118F.exe	95
PID 1976 wrote to memory of 5076	1976	DEM118F.exe	95
PID 1976 wrote to memory of 5076	1976	DEM118F.exe	95
PID 5076 wrote to memory of 4188	5076	DEM678F.exe	97
PID 5076 wrote to memory of 4188	5076	DEM678F.exe	97
PID 5076 wrote to memory of 4188	5076	DEM678F.exe	97
PID 4188 wrote to memory of 4144	4188	DEMBDAE.exe	99
PID 4188 wrote to memory of 4144	4188	DEMBDAE.exe	99
PID 4188 wrote to memory of 4144	4188	DEMBDAE.exe	99
PID 4144 wrote to memory of 708	4144	DEM13AD.exe	101
PID 4144 wrote to memory of 708	4144	DEM13AD.exe	101
PID 4144 wrote to memory of 708	4144	DEM13AD.exe	101

C:\Users\Admin\AppData\Local\Temp\3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Users\Admin\AppData\Local\Temp\DEMBA95.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMBA95.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Users\Admin\AppData\Local\Temp\DEM118F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM118F.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\DEM678F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM678F.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Users\Admin\AppData\Local\Temp\DEMBDAE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBDAE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4188
      - C:\Users\Admin\AppData\Local\Temp\DEM13AD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM13AD.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\DEM69DC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM69DC.exe"
        7⤵
        Executes dropped EXE
        
        PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM118F.exe

Filesize
15KB

MD5
0a75bc1aef4a282fc2b71c4222334af5

SHA1
0be8f5310cbbad8dfcee9f1e9518b7c77defe3b6

SHA256
4c9196ba774f0575d8781c7f9389af619c60837f079770531ef4fe71191c80f4

SHA512
1f12897957f9aa5f330b0ccc1b12e70a3da4b809c0e39690426f0e252f7507f9f30074da56933d0c25bb174d8927618fa1debbf5bcaffa7a058435fc245a4184

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM13AD.exe

Filesize
15KB

MD5
d7c4a1c2861d56c7c547fef68c2814a1

SHA1
6cd19d0797e3e57197b4694ed553ee427a14d00d

SHA256
487759b3c661674702f18dec01f45ddd3563bd622f33cf1e22ab2994d2502421

SHA512
51dae8d2383010ffafdcc515cf1f98fa076bd5dd500824b307e823de22df701d98239ab16b6a80c07aa93ff1291b96e2f182add3f6fb1ba8593485969aaed2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM678F.exe

Filesize
15KB

MD5
b7a55296870759351c99796e853a5b54

SHA1
f0f370d49e6630023f1760317fe46ec59c5c3e33

SHA256
7888bbbc8f60750d844d3350b3ef73a7ce92b5d43339d2a4cbd3feb20b03b209

SHA512
e39497ce7da1082a295425dc2c1f0a9bdfc2bb15b546004065e24b860f664727f5191cb4b4ae0951f0215dd5f9c1b9af17d3ddb1ec869814d7025b0684ee32cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM69DC.exe

Filesize
15KB

MD5
53a892c55163b86c6bff6ed72fadad88

SHA1
df6e5c1be741a1453974556998261aef28c2c1fe

SHA256
99036a8d306f433109b70f80f24add8ce23289c1e74c415e2e217886b1f72c5e

SHA512
aafff616e122d90d11b49f9597963608fe3bdae8761723d3e7d449021c68f663f54f42c00590c0f5704a2d47145d7e9307483bd2eccb0f72bb2ed3244cc11849

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBA95.exe

Filesize
15KB

MD5
54ec9fa08f63b8e9ff2d2223e3d244d3

SHA1
26bd954f5751321c4f42f3269effeb49c1a877d7

SHA256
25d2766b4bd7272f485d0979d5079dd80680427b979f21289f7f20880da767e3

SHA512
5dd8daef606cad4d1ad461ba31f94a7eb604dba94e789fb3917242412ba65225e25de9f0d2907595ff2702308ffdda7bfd818ca270c6b649bb7663576247903d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBDAE.exe

Filesize
15KB

MD5
28827c3e71a5cc31c395d0515848f997

SHA1
22edbfdc9be9f5220eec49340d3cae0e17ce77ad

SHA256
3cdcb8aba3da980c538498b6898cedb54c4e2856f9f5f60c70540144efc226b6

SHA512
b9951628422b83adbcd98083814f4aa3875c26e653c796519c89e63e86226b1200832d570cd27166c41358528bd1d96c4587850b5a0365736c60a1f1fcb8c1b2

Download Submit

Analysis

Sharing