5ede7b284d02f82ee9bc88b2be465fec3241cb73b6e58533d285c8cf54f5bb9b

General

Target

4b7ba561a9fd21ac1947cd1aa100a47c_JaffaCakes118.exe
Size

14KB
MD5

4b7ba561a9fd21ac1947cd1aa100a47c
SHA1

744da6b3357130c4c0f59de6fb8cf662e8e59245
SHA256

5ede7b284d02f82ee9bc88b2be465fec3241cb73b6e58533d285c8cf54f5bb9b
SHA512

365759e62ebcbf49517ba84fd9ae40535da0bd08ac41a3a4be966f7cf24453dbbdc23c7458a727e52c04b9c41d1a9f398766a3316e6f217dc87676ed39df424c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhm/:hDXWipuE+K3/SSHgx0/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4b7ba561a9fd21ac1947cd1aa100a47c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	DEM7A41.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	DEMD12B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	DEM273A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	DEM7DF5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	DEMD481.exe

Executes dropped EXE 6 IoCs

pid	Process
1064	DEM7A41.exe
1192	DEMD12B.exe
432	DEM273A.exe
4340	DEM7DF5.exe
4812	DEMD481.exe
3104	DEM2AFE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1064	3000	4b7ba561a9fd21ac1947cd1aa100a47c_JaffaCakes118.exe	87
PID 3000 wrote to memory of 1064	3000	4b7ba561a9fd21ac1947cd1aa100a47c_JaffaCakes118.exe	87
PID 3000 wrote to memory of 1064	3000	4b7ba561a9fd21ac1947cd1aa100a47c_JaffaCakes118.exe	87
PID 1064 wrote to memory of 1192	1064	DEM7A41.exe	93
PID 1064 wrote to memory of 1192	1064	DEM7A41.exe	93
PID 1064 wrote to memory of 1192	1064	DEM7A41.exe	93
PID 1192 wrote to memory of 432	1192	DEMD12B.exe	95
PID 1192 wrote to memory of 432	1192	DEMD12B.exe	95
PID 1192 wrote to memory of 432	1192	DEMD12B.exe	95
PID 432 wrote to memory of 4340	432	DEM273A.exe	97
PID 432 wrote to memory of 4340	432	DEM273A.exe	97
PID 432 wrote to memory of 4340	432	DEM273A.exe	97
PID 4340 wrote to memory of 4812	4340	DEM7DF5.exe	99
PID 4340 wrote to memory of 4812	4340	DEM7DF5.exe	99
PID 4340 wrote to memory of 4812	4340	DEM7DF5.exe	99
PID 4812 wrote to memory of 3104	4812	DEMD481.exe	101
PID 4812 wrote to memory of 3104	4812	DEMD481.exe	101
PID 4812 wrote to memory of 3104	4812	DEMD481.exe	101

C:\Users\Admin\AppData\Local\Temp\4b7ba561a9fd21ac1947cd1aa100a47c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b7ba561a9fd21ac1947cd1aa100a47c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\DEM7A41.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7A41.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\DEMD12B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD12B.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Users\Admin\AppData\Local\Temp\DEM273A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM273A.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Users\Admin\AppData\Local\Temp\DEM7DF5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7DF5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4340
      - C:\Users\Admin\AppData\Local\Temp\DEMD481.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD481.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\DEM2AFE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2AFE.exe"
        7⤵
        Executes dropped EXE
        
        PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM273A.exe

Filesize
14KB

MD5
f161b65183c66f464fc6a497d202f3c4

SHA1
5892f54a04f4f40b8e85626bcdd26669ead17dcb

SHA256
3e135ff30f82e0f7da6fbbe615d7cfec84088e17a54f1d1bc8f92bcacbe84451

SHA512
fbfdb753e97bf052e8a151173455307855d4e4cae95538f9e30acc29dbf0268844cf2e992dc7338564de8419f57f5b5179757584c0ff449aa675b375923342e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2AFE.exe

Filesize
14KB

MD5
42af9a05367eaf99444c352d3e0d9fa1

SHA1
9ebd60d9190a8a1b4d26eddac3670b4846c54fe5

SHA256
11823cb52840115ce86ebcb07228cc79ca75be650da29301a7a8e440490e5b16

SHA512
c6f62dde960dadae206fb302b7e393ff8f9c375ac35891201cd323ddadbb05641042861aef06fba6a5d199bf669040edbfa2dc2012b50a18c6c3ef5848615d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7A41.exe

Filesize
14KB

MD5
fa781a32a1346061cc9fb3484e2a0be3

SHA1
ad3e325de2c13ad0883c0d7974a570d2dcfdfc2c

SHA256
de91ef10cd9971054027dc78274f4d4162bcdc040600081399f81466ccc64e34

SHA512
8ccc981c3f6e40a437260b9d2179bb7319e0ffec5bc42b96844f389fb642ecb67728b4e849800141942f020f54a1aec56e681a467fee792cd734b2a015bb0ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7DF5.exe

Filesize
14KB

MD5
446eee6f2bd94546c2f17d6e6089dd43

SHA1
6e8f140dbd8422531e419ec824d20fdf3756ea5a

SHA256
7ee73730f2ddc6e2335d2460027504b1da3dc28f1bc06e2d938af4a3547bcbe4

SHA512
e8a42e50daaf1c78e6d334ef3f6d814533fb54e7f7b1a68139309a4dd8f081240cdef384cb3b08dfc088acb63d60c98b55e62d5a67ef7fa1cb4995559a73af2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD12B.exe

Filesize
14KB

MD5
33e4a4afbf36c34f542ef297a920893d

SHA1
33ab175b2890a623a23742ffda8d7e9bdf99c9dd

SHA256
85fb236e7a5215daff92cdc8422827d37570b9f69ba9dd3e341dc5563bafff0b

SHA512
d1841ed2fdb00db7331887275d61661f3447cb9b88be2760e04bceffc9e90dab102934e61ececcd6e32a83db5ccc2efcd70367b0558abd89aa06d83a8050ada6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD481.exe

Filesize
14KB

MD5
c9b7b3a401dfa6e6c9218c5fa604da9e

SHA1
d9ea6c4130acd63ceac4f14ba264a3fc13a80c26

SHA256
9763d4917410756c6c465f6a59627d704affe1ad5d807e66d885973917548290

SHA512
54779cf42c8bd9922c22b5dca25e161ef89292823ae6b20ae98da82e0a2d87c1f9fed5f7f25b6668f4eac3a5ff628d5c6b959ced54dddeb095ae91af517699e6

Download Submit

Analysis

Sharing