289d64e49c2e169d3706b3628134e01649f8ff743b2c113b1c825e20510d4633

General

Target

4839a8e06072f0db66d680a6e4c27c78_JaffaCakes118.exe
Size

14KB
MD5

4839a8e06072f0db66d680a6e4c27c78
SHA1

7037f28bff97503f334969d0811b74a340ab97c9
SHA256

289d64e49c2e169d3706b3628134e01649f8ff743b2c113b1c825e20510d4633
SHA512

bf7359aa0d0fc1e92270e5bab22f5b1e90a653aeeae63721165b651de24b60f0be1afa2a4146c9c405afa9cb744911d80cc7b6320b1499ce6028fd3198eeb062
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJP:hDXWipuE+K3/SSHgxD

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEM9006.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEME663.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	4839a8e06072f0db66d680a6e4c27c78_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEM8C90.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEME33C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEM39B8.exe

Executes dropped EXE 6 IoCs

pid	Process
4484	DEM8C90.exe
2784	DEME33C.exe
4648	DEM39B8.exe
1844	DEM9006.exe
656	DEME663.exe
2088	DEM3C82.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 4484	2260	4839a8e06072f0db66d680a6e4c27c78_JaffaCakes118.exe	87
PID 2260 wrote to memory of 4484	2260	4839a8e06072f0db66d680a6e4c27c78_JaffaCakes118.exe	87
PID 2260 wrote to memory of 4484	2260	4839a8e06072f0db66d680a6e4c27c78_JaffaCakes118.exe	87
PID 4484 wrote to memory of 2784	4484	DEM8C90.exe	92
PID 4484 wrote to memory of 2784	4484	DEM8C90.exe	92
PID 4484 wrote to memory of 2784	4484	DEM8C90.exe	92
PID 2784 wrote to memory of 4648	2784	DEME33C.exe	94
PID 2784 wrote to memory of 4648	2784	DEME33C.exe	94
PID 2784 wrote to memory of 4648	2784	DEME33C.exe	94
PID 4648 wrote to memory of 1844	4648	DEM39B8.exe	96
PID 4648 wrote to memory of 1844	4648	DEM39B8.exe	96
PID 4648 wrote to memory of 1844	4648	DEM39B8.exe	96
PID 1844 wrote to memory of 656	1844	DEM9006.exe	98
PID 1844 wrote to memory of 656	1844	DEM9006.exe	98
PID 1844 wrote to memory of 656	1844	DEM9006.exe	98
PID 656 wrote to memory of 2088	656	DEME663.exe	100
PID 656 wrote to memory of 2088	656	DEME663.exe	100
PID 656 wrote to memory of 2088	656	DEME663.exe	100

C:\Users\Admin\AppData\Local\Temp\4839a8e06072f0db66d680a6e4c27c78_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4839a8e06072f0db66d680a6e4c27c78_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\DEM8C90.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8C90.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\DEME33C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME33C.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\DEM39B8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM39B8.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4648
    - - C:\Users\Admin\AppData\Local\Temp\DEM9006.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9006.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1844
      - C:\Users\Admin\AppData\Local\Temp\DEME663.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME663.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\DEM3C82.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3C82.exe"
        7⤵
        Executes dropped EXE
        
        PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM39B8.exe

Filesize
14KB

MD5
cc0e94e63750aa33fb77aedc74f0da1f

SHA1
9b9bc2477cf002a98a34ff0ca3b6a80126246d4d

SHA256
ea70be68ab61a40ab93f768d2608d8b9766bc380ec65ba53fd3780597ba477f1

SHA512
fb05e4c1227608f08e99008468d28347e071c8c2931b0bba76b7aee881bd128a7efb59e4213ae6bac4ee8ed6e4b87686327d4030af1dbe2750bede9c597fc468

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3C82.exe

Filesize
14KB

MD5
f88197d7e4ff9f8fde29c8e41082f0e3

SHA1
92628331b9da46b06d98ca4974c0662903abcf79

SHA256
7358ca4f3c2585fac0bd2ec88aa51106bf62332ae88b2a75105b8dce5facfb2e

SHA512
7951c7d1698a7fdcd8a30d6bc1572711fcef50a1ee7065de66ce8d19043f1fe7017ea964ca48e9f8f0002e648fefd974faa3dcce124099674f5e5c6d5fbe52ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8C90.exe

Filesize
14KB

MD5
d2b8fff63504143608193e74f24bca3c

SHA1
85786c963808d0b092a53616fe3c9ac554494d1d

SHA256
c29cdefb9b75f0e8a416de10e04b6860cfadae554d4426833053c56f55977404

SHA512
2a66f089332772d7c82ca98e9b29b333f05e6bac9c76bd196d9aa39068e3c787118805948ff0ffaf7e074f748fc261221f6faa4ba17ca5cc666be05c9d26f277

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9006.exe

Filesize
14KB

MD5
dd99fd2c66fd883705972e758bcbc8d5

SHA1
728d16e54477796c18d53e1b807c78b726b08361

SHA256
0fd4b753896b3214bd1bcd238b6dd1387f26129e90f81ce393a9911e81923af2

SHA512
eb61095bb03d6d592730c5561659606317e6a188240b82656d784e347344f23b2f5c7af202f6b2edb0ee31001d2a4e428ad107b14d489a80437da63e90648812

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME33C.exe

Filesize
14KB

MD5
efc5ec50d2b13deb2148c50475f3cb89

SHA1
73b9d968b3f584c3bb289bc14fdeafa9992ec015

SHA256
a232f39fe959ea511227c6ebf37b3902ca05825eea33dce0d7966d49012fd445

SHA512
7a704d79d6bf69267d521ecfd8943b41d0337ac6aead074b9cc3dffe306c08a2bef41989aa116a20d31c5117e16d0e62f0a2eec37ef48121fa4d0c72f3167bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME663.exe

Filesize
14KB

MD5
7743404068538f4320d17da8509ac50e

SHA1
189802e2b5fee959aa2fdda9c907e195eb321772

SHA256
50dc1e5f92862c7433d6385b2f48d564b245519142f7b3953f7a3dceea4e9502

SHA512
9f7be8712e9a975f0b48e441de9590ae146de0d2b94d32299949501084d96487409590e1c870520ed87878554b3f56531f0690b18bc848785b5e43ca39f49d14

Download Submit

Analysis

Sharing