aaa1b4cfce550d7577decfcb606ba716def5f84ee71cb69892dacdd0d15506bc

General

Target

43b57993374f3f56d7031e11a5c30b5f_JaffaCakes118.exe
Size

14KB
MD5

43b57993374f3f56d7031e11a5c30b5f
SHA1

b8486e21e636259f959f269c766acbe17fb670ab
SHA256

aaa1b4cfce550d7577decfcb606ba716def5f84ee71cb69892dacdd0d15506bc
SHA512

2666df51cec2b5e299f710417f465de9288471c833ee9d6bc03674ca018718c22a9266efe189ffbc7eb75e553265ac0039d5386baacb36642361ae4b73d19c7e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYJL:hDXWipuE+K3/SSHgxmB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEMA4B7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEMFB43.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	43b57993374f3f56d7031e11a5c30b5f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEMA0D4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEMF7BE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEM4E69.exe

Executes dropped EXE 6 IoCs

pid	Process
4204	DEMA0D4.exe
4720	DEMF7BE.exe
4772	DEM4E69.exe
5112	DEMA4B7.exe
2980	DEMFB43.exe
556	DEM5143.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 4204	1468	43b57993374f3f56d7031e11a5c30b5f_JaffaCakes118.exe	87
PID 1468 wrote to memory of 4204	1468	43b57993374f3f56d7031e11a5c30b5f_JaffaCakes118.exe	87
PID 1468 wrote to memory of 4204	1468	43b57993374f3f56d7031e11a5c30b5f_JaffaCakes118.exe	87
PID 4204 wrote to memory of 4720	4204	DEMA0D4.exe	92
PID 4204 wrote to memory of 4720	4204	DEMA0D4.exe	92
PID 4204 wrote to memory of 4720	4204	DEMA0D4.exe	92
PID 4720 wrote to memory of 4772	4720	DEMF7BE.exe	94
PID 4720 wrote to memory of 4772	4720	DEMF7BE.exe	94
PID 4720 wrote to memory of 4772	4720	DEMF7BE.exe	94
PID 4772 wrote to memory of 5112	4772	DEM4E69.exe	96
PID 4772 wrote to memory of 5112	4772	DEM4E69.exe	96
PID 4772 wrote to memory of 5112	4772	DEM4E69.exe	96
PID 5112 wrote to memory of 2980	5112	DEMA4B7.exe	98
PID 5112 wrote to memory of 2980	5112	DEMA4B7.exe	98
PID 5112 wrote to memory of 2980	5112	DEMA4B7.exe	98
PID 2980 wrote to memory of 556	2980	DEMFB43.exe	100
PID 2980 wrote to memory of 556	2980	DEMFB43.exe	100
PID 2980 wrote to memory of 556	2980	DEMFB43.exe	100

C:\Users\Admin\AppData\Local\Temp\43b57993374f3f56d7031e11a5c30b5f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43b57993374f3f56d7031e11a5c30b5f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\DEMA0D4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA0D4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\DEMF7BE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF7BE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\DEM4E69.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4E69.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\Users\Admin\AppData\Local\Temp\DEMA4B7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA4B7.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5112
      - C:\Users\Admin\AppData\Local\Temp\DEMFB43.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFB43.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\DEM5143.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5143.exe"
        7⤵
        Executes dropped EXE
        
        PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4E69.exe

Filesize
14KB

MD5
d398a56b9b155b60b2d11e70b83959c6

SHA1
ee67521cb9f195d9aad6a6566ce27e2d21f50c79

SHA256
358786d13448909f5801fdb8a7a53fc58ad6cd6d60ca8a4aa69c65f0a664aa63

SHA512
417203511f6044bbb49bbdc1f4ecf59ac0249e3e89691213d7499af2653d81830ffd8bc7d150dab4f76e95693a9b50dea2a2e575b56cb41fba55243131618114

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5143.exe

Filesize
14KB

MD5
8778a92693fdc535571bab936aa06c98

SHA1
e0613802dbeee33e02f8cac58a433b0e3178d63d

SHA256
f0e5bb2323f5b4f3f11bf5a2f2aba2fc6121bd27db968f45fbe352ceb99849b6

SHA512
f804be0da98fccc526d5eec983eb82c19eb44c00bcd726b33d797c193700bfd9b8d0088b0c95a037ced58d00abe4d063bebe219dee73d29712da8acf951183d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA0D4.exe

Filesize
14KB

MD5
aa3933957924432d403c6abb5241b75d

SHA1
fdc3e69650b514ffaa09a8d8c4835bd8983da255

SHA256
3955504f101d76a322bd5a252be383819fea06aa2f1d4797f3582f1515816ac8

SHA512
a498969144a42e94ba0e484f6af991ca5c46fd98297dda1bddcd42de285b5e48dce933467b70b6078028cd1c0c8c8d2bbaf27dfa46a1d59e76816c6f27085809

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA4B7.exe

Filesize
14KB

MD5
6cf270944c744496d0daa542c583d78d

SHA1
5e2c52cece44d1ab08a7b1589ba82bfac2deadde

SHA256
a7a56811bce33477be12a00893f5f407ae33befd9607cc16804dcd3a8b094a30

SHA512
4d6b5efda3ab8d6f87a92f07c7f567481061481677928636c980a599e5559c6582b8efdac562f6b4fee8fcc949a294e89c97c0164bda1556d2692a38aa0621a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF7BE.exe

Filesize
14KB

MD5
9b2e256b25e0348131b3a4c22a7a3edb

SHA1
6c78c2806e71b4cc478d5ef817b37a72d2bd300f

SHA256
a44836ceb1a08822dcb84c22f5f1fcd2a82dcc3715578d6e82c99d8d7d68ccc0

SHA512
589f61e2d9f5c3cdb55a76a0bcb24f4464313beaaa8c34997c4fffc448299ed7ac3aa9a0f7fa2fac3539c0ac97ae4b20288111ab54b2596154941a225f26ea01

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFB43.exe

Filesize
14KB

MD5
3f91916490fc0e7298449b75f5daf17e

SHA1
c083c5daafc1d5eef7ef0fce4d8d10e257bdb8b0

SHA256
e0fafd992734837f54a0e2299c7609d050cccac14adcb4e5ea86b76b5d30ce9f

SHA512
6d1dbd9c1e07b5b6ccf111f2f1264dc5171f65decc54afa4b7288913e82ee54ca32bd3c74382ccee176ea8bd20d917dc822ac58642cb54d294c34d9fd96633b0

Download Submit

Analysis

Sharing