04ca7f4583896b615ebb662c8e7c6eb36ede6c05f836ab1457b3d0c9d10dc302

General

Target

67e9a242f98b89b2e9b97c6b18fa52a4_JaffaCakes118.exe
Size

14KB
MD5

67e9a242f98b89b2e9b97c6b18fa52a4
SHA1

a1ff53748f8519c80d12d653abfee750026910bb
SHA256

04ca7f4583896b615ebb662c8e7c6eb36ede6c05f836ab1457b3d0c9d10dc302
SHA512

f269c6f964d6119965148ffcd4464f75a05ca680dbc011b6789e479b8b939fe2600ecfebf7396cf5d6f935b125b6068d9b027414468a5d1d1d6dd3d0021fd753
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/Q:hDXWipuE+K3/SSHgxm/Q

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	67e9a242f98b89b2e9b97c6b18fa52a4_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEMED1F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEM4447.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEM9AE3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEMF112.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEM4750.exe

Executes dropped EXE 6 IoCs

pid	Process
4980	DEMED1F.exe
4020	DEM4447.exe
3148	DEM9AE3.exe
4008	DEMF112.exe
4648	DEM4750.exe
540	DEM9DDC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 4980	4236	67e9a242f98b89b2e9b97c6b18fa52a4_JaffaCakes118.exe	97
PID 4236 wrote to memory of 4980	4236	67e9a242f98b89b2e9b97c6b18fa52a4_JaffaCakes118.exe	97
PID 4236 wrote to memory of 4980	4236	67e9a242f98b89b2e9b97c6b18fa52a4_JaffaCakes118.exe	97
PID 4980 wrote to memory of 4020	4980	DEMED1F.exe	103
PID 4980 wrote to memory of 4020	4980	DEMED1F.exe	103
PID 4980 wrote to memory of 4020	4980	DEMED1F.exe	103
PID 4020 wrote to memory of 3148	4020	DEM4447.exe	107
PID 4020 wrote to memory of 3148	4020	DEM4447.exe	107
PID 4020 wrote to memory of 3148	4020	DEM4447.exe	107
PID 3148 wrote to memory of 4008	3148	DEM9AE3.exe	109
PID 3148 wrote to memory of 4008	3148	DEM9AE3.exe	109
PID 3148 wrote to memory of 4008	3148	DEM9AE3.exe	109
PID 4008 wrote to memory of 4648	4008	DEMF112.exe	120
PID 4008 wrote to memory of 4648	4008	DEMF112.exe	120
PID 4008 wrote to memory of 4648	4008	DEMF112.exe	120
PID 4648 wrote to memory of 540	4648	DEM4750.exe	122
PID 4648 wrote to memory of 540	4648	DEM4750.exe	122
PID 4648 wrote to memory of 540	4648	DEM4750.exe	122

C:\Users\Admin\AppData\Local\Temp\67e9a242f98b89b2e9b97c6b18fa52a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67e9a242f98b89b2e9b97c6b18fa52a4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Users\Admin\AppData\Local\Temp\DEMED1F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMED1F.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Users\Admin\AppData\Local\Temp\DEM4447.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM4447.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\DEM9AE3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9AE3.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3148
    - - C:\Users\Admin\AppData\Local\Temp\DEMF112.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF112.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4008
      - C:\Users\Admin\AppData\Local\Temp\DEM4750.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4750.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\DEM9DDC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9DDC.exe"
        7⤵
        Executes dropped EXE
        
        PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4447.exe

Filesize
14KB

MD5
d9836b4cfa9ca26b69175d58fe9f716e

SHA1
8e79cc247f3f0b8acea08d3870f82da3ffff60f8

SHA256
8f68f90f33c7fb6bc4f6679e4de0908977f3fa38fef5bc08b6b5614a310366d2

SHA512
6039d7937677541389bd4607caf9270bc562f89921a771c851482e74f4ca4e89423328e60f11d8479cb7d1fb921c6b6131de63b2afbbe4f81955fe5a19794db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4750.exe

Filesize
14KB

MD5
dc2946c31561b48138a3f31f6e0966be

SHA1
87049a11e1a7e94dd91d85d8093d1e510fc5b0e4

SHA256
359588779607297fadd6a08d59e593255b2730a9889fd7cb49ce2c3d78e9f1ad

SHA512
d3b9a5cea6075628ed2c569426532d92939b82e5a12d8cd0d36ac6948ab8d39c2cc3a4c728f6e01d15ae88ae34aec2993823c38f1c9f8d3caf733bbb981d1439

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9AE3.exe

Filesize
14KB

MD5
6c248d2d70d62fb06b7eb77856647737

SHA1
f2adf611a388c363f5b776d534ad9b61a6172103

SHA256
f7d532f81666c3f831048b979c8d66c72be2412fd3a4cb42a43d38528803633e

SHA512
7add760321c52ccd00f4a2c0b2a106f2962c22ff98cf40ea67a652d41c8952d12383e83fb3e8dba1b4b28e064132139f7b4f1faa31e05780783fd9a9ec53a92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9DDC.exe

Filesize
14KB

MD5
101ba1a90fbbf524e6bb4edcfd61f6ea

SHA1
3876c2505ac59628e3bc54099ae567b8ebdb7cbe

SHA256
92d9437ed88934d6fc9d7eb2172401eb5056b745b28002cbc049b7cd8fa1d948

SHA512
d4fda90a0948b92007fc1178919c9a30b9770f9df5a112fc2464c454b82bbccab76420fd0dfb6861587d1bf5c866cba335df5660e6286b00112a8eb75bf99905

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMED1F.exe

Filesize
14KB

MD5
697afdc8b25661e6478aa9056f5eca21

SHA1
8b06cb6cedfa61ff48a2ba68c7f5bb31c0f73ba2

SHA256
65f10e0e79b9ca48ce7b29b9094dbecb40282ca96bbe7bb00798a3fdf8c50d31

SHA512
1e10f26a22e09be1f1520a08b6b05d09972e30a08ac25fe953ccdddde165dbe735ee8c6aa643ef9c3284781388970a36b21a1b273a1c6e93f7e80b7efca7a2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF112.exe

Filesize
14KB

MD5
fbcbfca6ad2dd3bacbbac23659d6ad6f

SHA1
6479dad6374612d30ea943ba4200d6589f37a71f

SHA256
f5bef55719ccf8c5d2327695cb48f6a92bde696fe1f00c36467bbf6f1362462f

SHA512
37f3acb33bd296d65689d4258db32785e300b88aa653b0cad8e0a7c5a9c0037dd354074bee254e2f23e81e07654a4b5f93b6c9883e3c569a8fc008c69cce3995

Download Submit

Analysis

Sharing