1d07e755bd3d332526e6d172018ac3e887ced44753bb6fe209a0634b974989d0

General

Target

471f65487a818945830a75387a9e8d12_JaffaCakes118.exe
Size

14KB
MD5

471f65487a818945830a75387a9e8d12
SHA1

bf7bd83d25fe095c19c6baa588c484523fdaf719
SHA256

1d07e755bd3d332526e6d172018ac3e887ced44753bb6fe209a0634b974989d0
SHA512

2b47f1f74ac41410d0cff8c7b8849d86a6df51b79354e132e9552d313e9d0ef83b8769320a5f8ff5b7be96c9ab3a9feed53e64d111dada15b31c6e377e0881e3
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY41b:hDXWipuE+K3/SSHgxmM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	471f65487a818945830a75387a9e8d12_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEM900B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEME704.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEM3D33.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEM93A0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEMEA1D.exe

Executes dropped EXE 6 IoCs

pid	Process
4008	DEM900B.exe
1052	DEME704.exe
4696	DEM3D33.exe
2784	DEM93A0.exe
3848	DEMEA1D.exe
4920	DEM403B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 4008	544	471f65487a818945830a75387a9e8d12_JaffaCakes118.exe	87
PID 544 wrote to memory of 4008	544	471f65487a818945830a75387a9e8d12_JaffaCakes118.exe	87
PID 544 wrote to memory of 4008	544	471f65487a818945830a75387a9e8d12_JaffaCakes118.exe	87
PID 4008 wrote to memory of 1052	4008	DEM900B.exe	93
PID 4008 wrote to memory of 1052	4008	DEM900B.exe	93
PID 4008 wrote to memory of 1052	4008	DEM900B.exe	93
PID 1052 wrote to memory of 4696	1052	DEME704.exe	95
PID 1052 wrote to memory of 4696	1052	DEME704.exe	95
PID 1052 wrote to memory of 4696	1052	DEME704.exe	95
PID 4696 wrote to memory of 2784	4696	DEM3D33.exe	97
PID 4696 wrote to memory of 2784	4696	DEM3D33.exe	97
PID 4696 wrote to memory of 2784	4696	DEM3D33.exe	97
PID 2784 wrote to memory of 3848	2784	DEM93A0.exe	99
PID 2784 wrote to memory of 3848	2784	DEM93A0.exe	99
PID 2784 wrote to memory of 3848	2784	DEM93A0.exe	99
PID 3848 wrote to memory of 4920	3848	DEMEA1D.exe	101
PID 3848 wrote to memory of 4920	3848	DEMEA1D.exe	101
PID 3848 wrote to memory of 4920	3848	DEMEA1D.exe	101

C:\Users\Admin\AppData\Local\Temp\471f65487a818945830a75387a9e8d12_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\471f65487a818945830a75387a9e8d12_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:544
- C:\Users\Admin\AppData\Local\Temp\DEM900B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM900B.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Users\Admin\AppData\Local\Temp\DEME704.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME704.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\DEM3D33.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3D33.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4696
    - - C:\Users\Admin\AppData\Local\Temp\DEM93A0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM93A0.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Users\Admin\AppData\Local\Temp\DEMEA1D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEA1D.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\DEM403B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM403B.exe"
        7⤵
        Executes dropped EXE
        
        PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3D33.exe

Filesize
14KB

MD5
04937e08bf9999e710df7fd13dda3454

SHA1
bc1020542c54b3b056f2d82b51470168afb06be8

SHA256
53264710b67ffc23dc70b549ac20a3cba3ef8e668014a89e60279aac132fb554

SHA512
798d3615cae618d06c33c569100898ed0a092e40ce506d5c94f2aa2467fc245ecd640a75caed263a759ab4f3ddf8ee472a0e924f22289e85844fba408ae03360

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM403B.exe

Filesize
14KB

MD5
77b33485a7b8065079381f753f4d229c

SHA1
038652391111b37e25b695b85887f233615ddc8e

SHA256
5cc0dc46cae2908bd0568210428beef6b734998061fcb806bff6210fb6014887

SHA512
56ff8c95a225541412d0c3c15dc3ae745d51e4ecf1d075b3f0028375947676bc539be1b4c231ef1f5d05596193d1e9e79bd8b571a3691911012b0386a34a2ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM900B.exe

Filesize
14KB

MD5
f431de407abe581c3e2462a58302db5a

SHA1
80728f50e47157343bd51a1983b7b0950bf3eea5

SHA256
948c0c64521a94e1fb9cf721ed1a30583762e7b72797a53ef49a87bbe52c94ca

SHA512
4f833c25ca9c1a3a7c56d5e3c7629f3649f309b9921f4180911c14cacd1455ae1fc983621aed3d62bf457bd3cc89478fa3d9151d4c3674674451f13c4a94e852

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM93A0.exe

Filesize
14KB

MD5
255d388d13f2d65595e12b277dba254d

SHA1
74104a3f8f32a8ff42eaed1c662906dec1b47714

SHA256
69fe3069dd254267ddbf33a7b6fa5c9d6d1cbfc6f98486fb162f0801dc72780d

SHA512
c9a138794f086ee077195f29391b9dd73c893e45559cfac15554180f2e6c020aa05b2c2bb17723d501854f425bc9f52114baa55f1e8a7bd229fd15d24c7d49e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME704.exe

Filesize
14KB

MD5
1cb1d1a3f61c9a0c64f4ec218d356615

SHA1
b567c62c6687ecc4d1e10ded1b9aa1c8b4c18adf

SHA256
d1dabd78484b44ad5a518b022645ed87fda7951d7bcdf508722e900a943643ef

SHA512
4602cfca7266cef76fd6e4e816cd79fa14091f2e592c4404eac3df7567424da5dccb6fd7b24f19891ad991c787c70040cd85c5544d3c979dcfe509b399460148

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEA1D.exe

Filesize
14KB

MD5
eed79a28ae474bfbd31cbde649221cff

SHA1
95caa78460ba35eed61a167965b5868903ed9038

SHA256
fcf53db5c76f9d91408de4b9e53acde535f51d81cae938dc0a4260a9e1ecc577

SHA512
557e4feab126d291ca9ac19706873ba48317e662e2c4d7e81050cdd853a179fc65a9f0ad1fee21da8beda9fe458861b749d5e05e03a6d40f2aa2b229fbd6c319

Download Submit

Analysis

Sharing