d462ed2fb1f4a5c898c65a36d2392d7f52c87a4321453e9abbbc5dc230559b36

General

Target

65f9e5b40f90e52fb94f66e64db152c7_JaffaCakes118.exe
Size

14KB
MD5

65f9e5b40f90e52fb94f66e64db152c7
SHA1

0300030c7a6c436d38ebffdb23918ae43f091573
SHA256

d462ed2fb1f4a5c898c65a36d2392d7f52c87a4321453e9abbbc5dc230559b36
SHA512

1c2dce7651d92edf0eed1844113e85b5527c67803ca942aba0a6356e8dfba8be84491bbbefa6e7dbc3a7dc3ea9124cc4f6b52867caf1ebf60313ccf0a8bd4d4b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4hp:hDXWipuE+K3/SSHgxm+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEMB997.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEMFF4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	65f9e5b40f90e52fb94f66e64db152c7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEMB611.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEMD49.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEM6387.exe

Executes dropped EXE 6 IoCs

pid	Process
860	DEMB611.exe
4108	DEMD49.exe
1092	DEM6387.exe
4896	DEMB997.exe
2368	DEMFF4.exe
3836	DEM6567.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 860	3688	65f9e5b40f90e52fb94f66e64db152c7_JaffaCakes118.exe	98
PID 3688 wrote to memory of 860	3688	65f9e5b40f90e52fb94f66e64db152c7_JaffaCakes118.exe	98
PID 3688 wrote to memory of 860	3688	65f9e5b40f90e52fb94f66e64db152c7_JaffaCakes118.exe	98
PID 860 wrote to memory of 4108	860	DEMB611.exe	104
PID 860 wrote to memory of 4108	860	DEMB611.exe	104
PID 860 wrote to memory of 4108	860	DEMB611.exe	104
PID 4108 wrote to memory of 1092	4108	DEMD49.exe	107
PID 4108 wrote to memory of 1092	4108	DEMD49.exe	107
PID 4108 wrote to memory of 1092	4108	DEMD49.exe	107
PID 1092 wrote to memory of 4896	1092	DEM6387.exe	109
PID 1092 wrote to memory of 4896	1092	DEM6387.exe	109
PID 1092 wrote to memory of 4896	1092	DEM6387.exe	109
PID 4896 wrote to memory of 2368	4896	DEMB997.exe	119
PID 4896 wrote to memory of 2368	4896	DEMB997.exe	119
PID 4896 wrote to memory of 2368	4896	DEMB997.exe	119
PID 2368 wrote to memory of 3836	2368	DEMFF4.exe	121
PID 2368 wrote to memory of 3836	2368	DEMFF4.exe	121
PID 2368 wrote to memory of 3836	2368	DEMFF4.exe	121

C:\Users\Admin\AppData\Local\Temp\65f9e5b40f90e52fb94f66e64db152c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65f9e5b40f90e52fb94f66e64db152c7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\AppData\Local\Temp\DEMB611.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB611.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Users\Admin\AppData\Local\Temp\DEMD49.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD49.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Users\Admin\AppData\Local\Temp\DEM6387.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6387.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1092
    - - C:\Users\Admin\AppData\Local\Temp\DEMB997.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB997.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
      - C:\Users\Admin\AppData\Local\Temp\DEMFF4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFF4.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\DEM6567.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6567.exe"
        7⤵
        Executes dropped EXE
        
        PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6387.exe

Filesize
14KB

MD5
9f792baadcc239d59f1a4fcae91a5498

SHA1
8179d55f71adb8781bb600fdee3afc87c0acdb31

SHA256
5a20e277451e5b382a43a623ed54f11832ce64ae643253fdec123642e899b881

SHA512
1f24e2b0f1f8d6a5034968117fb7a0da87216a28b536df90dd17699427b0cca017195b1084b6a591bffd8ca05236242cd3148696083915270d5274a438826416

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6567.exe

Filesize
14KB

MD5
6963fbd952f813a60906382a74eb0141

SHA1
b96fef9f0def2aa3704c8401a1abdcae4335019a

SHA256
72a0d455d7904799982439b587a841ed1ad9a4dda9f67d0c2d6f1db6cdb47d15

SHA512
076fc2267d9a5ddefc684d157934776a2b3c051822d8d6be20a127f8fd41ccd7a2d2c218186ae1c470bf6c6ce8a9480c786934992176c6abfa77d890dc0ca0d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB611.exe

Filesize
14KB

MD5
31ea069a56d372d5ab4784b55898ab6c

SHA1
00c04605b00d287ab08155e76fbc1f3ff5d25fc5

SHA256
ea0e0d41bd65ea8545ac6c7aada3553a2fe99c03effc3280b0764ecdb59a4eb1

SHA512
016683548c040871d2068831beff6ac1bce4ee3b7e21b8f2e302d7f5f60851638059e97a1cddc8ceb6117a1cb4794d8ef1afb5227f2b711e73f0e616b2dd7b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB997.exe

Filesize
14KB

MD5
f4140c9210bc5dab1532e7295e6a3f12

SHA1
5b746e9ce7ab9cbecb9687dd29adce6204d54ba1

SHA256
fe35eb9d41a4d0ed0171c0cc5797fd40d29639750b83ae8b3a0c6fb96fe8eccc

SHA512
21a69c5efcc454079c23c874250634fa977a3cee9c3275e0baf2865d3987d9b20408f43169f505cceeaf9a8efe64ec43a8efad93174f76a7b2216e796ac291a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD49.exe

Filesize
14KB

MD5
9e7f9434f05372f794738b31ab394f2f

SHA1
e2336e2f18f482f02438025eb1cbfdb82077c87e

SHA256
b5c2372aaf7e2082a33c885168ac31a67431d2ad81b6e1e0dd5ec5ae2d5424c1

SHA512
7a12deb6f208e4d405ed062215cc1abe07c9f725f57bc0bd3dd0ad73d470b29a0703221a890f7a71652610489bbbfec4de128c1fbe42de096dcd08bd2004a3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFF4.exe

Filesize
14KB

MD5
7a7ba7f004d4005e2195ca0cca06db4c

SHA1
928cdef7718edeb6ab36fc443f11c27f50235cbb

SHA256
807af5633be55d2ffe7368db5b76aab5ec5c3c23fcb3c4dad32ebfc67e0e9209

SHA512
f432fffa361ed4622e53c916f0df22c86e4e0143a4689d1952f783bd47f08449340f44ae06723e787e5d73ed94a4943077a6ced70cd5773aea2700b0dfc95229

Download Submit

Analysis

Sharing