7d7c0024d937fd9b3150ffb61116b3c1dfcd55a4835e40beff216bb4e134584f

General

Target

3d074426b1e62deb53df423539bfb19e_JaffaCakes118.exe
Size

14KB
MD5

3d074426b1e62deb53df423539bfb19e
SHA1

a789216a0888725858b04398ce5057669270816a
SHA256

7d7c0024d937fd9b3150ffb61116b3c1dfcd55a4835e40beff216bb4e134584f
SHA512

419c49ad0af62ee6265888b7494c3e9b0a355919ccf48d83f515f385d7b4cf8d248b5ea7a0d4f83088cc4819d6ad67e91c20895d0fed6c231c183ff19e409517
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhvGg:hDXWipuE+K3/SSHgxlGg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	3d074426b1e62deb53df423539bfb19e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	DEM851E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	DEMDCC3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	DEM33AD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	DEM8A69.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	DEME133.exe

Executes dropped EXE 6 IoCs

pid	Process
536	DEM851E.exe
2804	DEMDCC3.exe
2240	DEM33AD.exe
4228	DEM8A69.exe
3064	DEME133.exe
1632	DEM3781.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 536	2264	3d074426b1e62deb53df423539bfb19e_JaffaCakes118.exe	87
PID 2264 wrote to memory of 536	2264	3d074426b1e62deb53df423539bfb19e_JaffaCakes118.exe	87
PID 2264 wrote to memory of 536	2264	3d074426b1e62deb53df423539bfb19e_JaffaCakes118.exe	87
PID 536 wrote to memory of 2804	536	DEM851E.exe	92
PID 536 wrote to memory of 2804	536	DEM851E.exe	92
PID 536 wrote to memory of 2804	536	DEM851E.exe	92
PID 2804 wrote to memory of 2240	2804	DEMDCC3.exe	94
PID 2804 wrote to memory of 2240	2804	DEMDCC3.exe	94
PID 2804 wrote to memory of 2240	2804	DEMDCC3.exe	94
PID 2240 wrote to memory of 4228	2240	DEM33AD.exe	96
PID 2240 wrote to memory of 4228	2240	DEM33AD.exe	96
PID 2240 wrote to memory of 4228	2240	DEM33AD.exe	96
PID 4228 wrote to memory of 3064	4228	DEM8A69.exe	98
PID 4228 wrote to memory of 3064	4228	DEM8A69.exe	98
PID 4228 wrote to memory of 3064	4228	DEM8A69.exe	98
PID 3064 wrote to memory of 1632	3064	DEME133.exe	100
PID 3064 wrote to memory of 1632	3064	DEME133.exe	100
PID 3064 wrote to memory of 1632	3064	DEME133.exe	100

C:\Users\Admin\AppData\Local\Temp\3d074426b1e62deb53df423539bfb19e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d074426b1e62deb53df423539bfb19e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\DEM851E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM851E.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\DEMDCC3.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDCC3.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\DEM33AD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM33AD.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Users\Admin\AppData\Local\Temp\DEM8A69.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8A69.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4228
      - C:\Users\Admin\AppData\Local\Temp\DEME133.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME133.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\DEM3781.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3781.exe"
        7⤵
        Executes dropped EXE
        
        PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM33AD.exe

Filesize
14KB

MD5
d3bfff273da34ab1af4e9dfbbf47f375

SHA1
4caeda25d748da04286464976b7375aaf10344f0

SHA256
82e555a4c785ef510b2d0dd70fb7b31f1ec39d832814cb14048956c8ec2d063e

SHA512
b8fb85d887dd6e4c3e9e81049fce3bc9de578e52144f5e9c8e5472edecc633d11c1f985d1c4480c00f254465e1368a9fa89baef71800aa7b5ff1c88edda1ef44

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3781.exe

Filesize
14KB

MD5
0d1559e6efd734c66aedbef47f304e99

SHA1
6fbfbe62921c0d2342105a8b2ae22477a50e2fc1

SHA256
b71f896541932a61eed221213bc08ce2efb13cf35234359fd5a7254cc56b29da

SHA512
786f3b1615714a4c3d783c62413b0716d957042b51b849dc2603a1b70d857d8ccf91f234a33f79dda8c3cd595c10bf515ec5dc552ffbe4ae954d99a8fd9acee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM851E.exe

Filesize
14KB

MD5
efbf88e181d05a2d118f7d02340096f2

SHA1
af837cf32a3430e50ba10a677248085793f4d8be

SHA256
bd4cef8422dc04cadb20a53e4ecc25bd01cb46753cef76484ba641501b80c0c8

SHA512
dfbcb8400ec9c139dc780a2d6b29df0b9608005cef2a7588428621cd1125192b1a4074c8e5db55882b15ee39e327f09f26383bad9dd7598857a761313361e8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8A69.exe

Filesize
14KB

MD5
4bace3d476718216635181f549c61f45

SHA1
9d7dbdf25b48d41b09ddc4311f4219a5456cac13

SHA256
cbd657f0348492e350437bb13231c95f4e9a0cfb12af2a96608e5789ae4054db

SHA512
7f3104de1bbbe4cee0f9a247a3d60bc4e706c58a01dcad16ec61d7ea9e76bbfc6b53df2133b3d41bc07d31644e127bd05e96a70db8a73f23fbf3c3dee8ecb60b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDCC3.exe

Filesize
14KB

MD5
38fe07b1ea3d341e9b095637555f7210

SHA1
42079959c8e09c9b6560960aed9f99a091e9ff11

SHA256
357b0f7a1395a41d443c0ae66eeeb2bd592b4dc6fb1fe9001b8c34b9a2a3fc2a

SHA512
57ee44407f366551f9d0777c4e446ad2242589e3cb3051870125a8c2c8346800378804e1d482bc8048d1a0b54326ce39a605c09a300f69d2f24858975c3fa840

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME133.exe

Filesize
14KB

MD5
f0d61d40a310ba01455328db296917d0

SHA1
9867db41343e5fa7d614c2b983aec9072f6c13b1

SHA256
91d08121a3611ae518375465d2203c257374aa96375397910e36bda9f271ae33

SHA512
62acd9253a825503e825a58be4d47c597c9bdab516fee81dd2477fe61af3c95faa510d29b0efc7b5a9f5bebb517cf240f295727ce9653172a891a1f23fd02e65

Download Submit

Analysis

Sharing