f92e0f6057ea8b58848c0d2cf98ee3115605087ac0f87ec4dbca0bea5225fbc3

General

Target

478addbe3c33f4064ac691e7310a9eff_JaffaCakes118.exe
Size

15KB
MD5

478addbe3c33f4064ac691e7310a9eff
SHA1

70535c06a0702aebac4fd43ea0c5b830e7115957
SHA256

f92e0f6057ea8b58848c0d2cf98ee3115605087ac0f87ec4dbca0bea5225fbc3
SHA512

7291b56b3fe0f51b071789a4a52343b56943b1700b162cd42921a1c0a78d4b0be446076e5d4fdae4f530a73cb414f06d09428a4b2686fc2081d97d6718b34467
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJEHe:hDXWipuE+K3/SSHgxWe

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	478addbe3c33f4064ac691e7310a9eff_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEM96D1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEMEDAC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEM43DA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEM9A18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEMF076.exe

Executes dropped EXE 6 IoCs

pid	Process
4608	DEM96D1.exe
752	DEMEDAC.exe
3636	DEM43DA.exe
1104	DEM9A18.exe
4176	DEMF076.exe
3684	DEM46E3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 4608	2364	478addbe3c33f4064ac691e7310a9eff_JaffaCakes118.exe	87
PID 2364 wrote to memory of 4608	2364	478addbe3c33f4064ac691e7310a9eff_JaffaCakes118.exe	87
PID 2364 wrote to memory of 4608	2364	478addbe3c33f4064ac691e7310a9eff_JaffaCakes118.exe	87
PID 4608 wrote to memory of 752	4608	DEM96D1.exe	92
PID 4608 wrote to memory of 752	4608	DEM96D1.exe	92
PID 4608 wrote to memory of 752	4608	DEM96D1.exe	92
PID 752 wrote to memory of 3636	752	DEMEDAC.exe	94
PID 752 wrote to memory of 3636	752	DEMEDAC.exe	94
PID 752 wrote to memory of 3636	752	DEMEDAC.exe	94
PID 3636 wrote to memory of 1104	3636	DEM43DA.exe	96
PID 3636 wrote to memory of 1104	3636	DEM43DA.exe	96
PID 3636 wrote to memory of 1104	3636	DEM43DA.exe	96
PID 1104 wrote to memory of 4176	1104	DEM9A18.exe	98
PID 1104 wrote to memory of 4176	1104	DEM9A18.exe	98
PID 1104 wrote to memory of 4176	1104	DEM9A18.exe	98
PID 4176 wrote to memory of 3684	4176	DEMF076.exe	100
PID 4176 wrote to memory of 3684	4176	DEMF076.exe	100
PID 4176 wrote to memory of 3684	4176	DEMF076.exe	100

C:\Users\Admin\AppData\Local\Temp\478addbe3c33f4064ac691e7310a9eff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\478addbe3c33f4064ac691e7310a9eff_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\DEM96D1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM96D1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\DEMEDAC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMEDAC.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\DEM43DA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM43DA.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3636
    - - C:\Users\Admin\AppData\Local\Temp\DEM9A18.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9A18.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1104
      - C:\Users\Admin\AppData\Local\Temp\DEMF076.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF076.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\DEM46E3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM46E3.exe"
        7⤵
        Executes dropped EXE
        
        PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM43DA.exe

Filesize
15KB

MD5
cda457730f44edd16908cab0f6abd7d6

SHA1
a4d4a4bdfb7b9799971d58d0525bd023aa11ad5c

SHA256
b2c8441f36cbe82ce66e6bfc06986ce5873f6fc04afe5b1b4ca11db806e5874a

SHA512
16956d746810b00f9647085482e8a809c39170db0ccf363c5fa869c4a2ba669aad332300fe8afd9b23d1d4d1b4f53b88c6e3b5cee186b354f4315d47a8965ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM46E3.exe

Filesize
15KB

MD5
be12c6917654f10499645786fa2dd632

SHA1
b2c4bbe7ad9549ddd4667fefb413a0f3e2905f48

SHA256
918f98ef20fa536da79245fd6b5784e77deddcc2278e945736cb38c37d3ed42b

SHA512
7c95e2ede5f76d99bef24ea27b6c99c0115508a5a299edcb5481f0f1cc5cc2663bdf071d30ae3a6166e56ee5099e5caed9927ed203a6ea578029f533f513041d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM96D1.exe

Filesize
15KB

MD5
e8f20ae6e288b4c486dc846f3bddb05f

SHA1
8b288bb986fbdca14242fc17a65619a91e854efb

SHA256
2304d02acb8ddf017db18f3449b6f381a12a10682f7bb412f3eee94ab5c0f8ce

SHA512
2ff0865eef54c6f057ca9378b414c78c87aeefd930f79d6cb17d2031c0d6df79cabb070a0c7dd8431ad744fad1a8e9dadf5cd75c7ab890578e1ab5fb38832546

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9A18.exe

Filesize
15KB

MD5
2c586439ee681d013d3d944e6135dff8

SHA1
aeb46cebbe94d5987b608257d0fdd80e054dcdea

SHA256
137a8429ba746b75653576450a688964f107ba0696ddb7fe5758238a423e4d95

SHA512
dc2cfbf45cbe6ef6faaa88a5c102c8f2121c610f303098b9297a978b0546431b12e78a324cd878339fe9fc63c5bba031ee2e55dc8c8fac4e30539f90d820f030

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEDAC.exe

Filesize
15KB

MD5
120c736d0922043f0bcfcaa395bd34cf

SHA1
7d3039f21423d7e518addd84f87fec3fb0f7066a

SHA256
28ca1c28650b67b42befde235144451904fc05b19b592a63cea7cc678fac63eb

SHA512
1a549ccc9ec25480bb5ebb2fe9a8fb0a175df32b9150efd4e53e065106c5349e077c6186b69a1f7b9205e2725bc48013795c6bac37a7582124d5ec5d006b9ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF076.exe

Filesize
15KB

MD5
79bdb4e2f9edcaefc36219f2ffc9512a

SHA1
ddd581c0ba9e56d8b3485a3bda4a404805fcef51

SHA256
9c503c163f95a245554262f06d5ec144c944f5b5946a5351a2d3929ddc9b362c

SHA512
7dc421386d627b7a4ee1127f82c6285b37698cdbc8da26d8a4e089bb17ea8aae123746a6df829e688ddb514333506de7a46ef3d3a1353c6ab6a03f596f524693

Download Submit

Analysis

Sharing