de6181185003749b5e56e9b3bb855b2b121829e2ab998c41c0b06e610502363e

General

Target

10729b651c3838868f515dc723475d29_JaffaCakes118.exe
Size

15KB
MD5

10729b651c3838868f515dc723475d29
SHA1

b3d8855a1b9a951d6592f642e311f37c007f8dd0
SHA256

de6181185003749b5e56e9b3bb855b2b121829e2ab998c41c0b06e610502363e
SHA512

d03221ad55a52d5eab56d5a8f8052822f0a5a551cfe8690dd3b08d8bf85036874dda3292a132aeebe1df49017ba0a157fd71998dacb99da82460bab026e416f5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyhg:hDXWipuE+K3/SSHgxmyhg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM87AE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEMDDBD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM341B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM8A0B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	10729b651c3838868f515dc723475d29_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM3141.exe

Executes dropped EXE 6 IoCs

pid	Process
4780	DEM3141.exe
3076	DEM87AE.exe
4556	DEMDDBD.exe
2112	DEM341B.exe
212	DEM8A0B.exe
440	DEME039.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 4780	816	10729b651c3838868f515dc723475d29_JaffaCakes118.exe	97
PID 816 wrote to memory of 4780	816	10729b651c3838868f515dc723475d29_JaffaCakes118.exe	97
PID 816 wrote to memory of 4780	816	10729b651c3838868f515dc723475d29_JaffaCakes118.exe	97
PID 4780 wrote to memory of 3076	4780	DEM3141.exe	100
PID 4780 wrote to memory of 3076	4780	DEM3141.exe	100
PID 4780 wrote to memory of 3076	4780	DEM3141.exe	100
PID 3076 wrote to memory of 4556	3076	DEM87AE.exe	102
PID 3076 wrote to memory of 4556	3076	DEM87AE.exe	102
PID 3076 wrote to memory of 4556	3076	DEM87AE.exe	102
PID 4556 wrote to memory of 2112	4556	DEMDDBD.exe	104
PID 4556 wrote to memory of 2112	4556	DEMDDBD.exe	104
PID 4556 wrote to memory of 2112	4556	DEMDDBD.exe	104
PID 2112 wrote to memory of 212	2112	DEM341B.exe	106
PID 2112 wrote to memory of 212	2112	DEM341B.exe	106
PID 2112 wrote to memory of 212	2112	DEM341B.exe	106
PID 212 wrote to memory of 440	212	DEM8A0B.exe	108
PID 212 wrote to memory of 440	212	DEM8A0B.exe	108
PID 212 wrote to memory of 440	212	DEM8A0B.exe	108

C:\Users\Admin\AppData\Local\Temp\10729b651c3838868f515dc723475d29_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10729b651c3838868f515dc723475d29_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\DEM3141.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3141.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\DEM87AE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM87AE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\DEMDDBD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDDBD.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4556
    - - C:\Users\Admin\AppData\Local\Temp\DEM341B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM341B.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Users\Admin\AppData\Local\Temp\DEM8A0B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8A0B.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\DEME039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME039.exe"
        7⤵
        Executes dropped EXE
        
        PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3141.exe

Filesize
15KB

MD5
c04b272c4feeb3b684dc4d51d4c880e0

SHA1
57d008fb24e1894b202d11275d2325e2315e6417

SHA256
96c8dd57a9478e96e9f6fffba077ca10b606c85ee132ac2870e944f2a7395a99

SHA512
d57c308f5519f1da457bd304676245f5ede595e0378936c01cb37bcd00d3fc2ec5123c414d09824e379c91183ae20d520c1032964765eb0ac2c3cf7731e6923f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM341B.exe

Filesize
15KB

MD5
3f7f36125238005fe44bf7362fe0b74e

SHA1
4caf7f0a25af929129f372f8bed88dec4e787dea

SHA256
ce9dbaae7c9b7c3f9ef933a485c8156d87adf9580674d601d796bc748224b7d8

SHA512
5d0579d7d0c3e82fc6d44bbc99e112b6ae0b0b1d352bb8fff498bbe4f4040184d0e6ffe5d339c8607aec828f22ebc8ae785f648bbea5a51a4d0b49313670e8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM87AE.exe

Filesize
15KB

MD5
cb848d3cb4bf3bc16f35f200b8999cff

SHA1
088c820a563f6504b4205eea1b9335a324440145

SHA256
761e60a329a7165703ee6f7830317f5702884664c5aa4f5a0cb6e9bbe3bdc331

SHA512
6aa0d04db1203566bdc59dc398d34edab3c1993032d5126adb0c8434884b20756b812d7e01d2203972c8599efd9efcfe09e14eb0c43a21c22731cea4897aae7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8A0B.exe

Filesize
15KB

MD5
8a05cc197e80ceee6395677a8f8a8aa7

SHA1
d2e13c5ae97aa4e6e219f93bb0fd7508243918c0

SHA256
97790f1f203b0359c6ad4456a7fdd12e4e93f6da110fb98e9ef28b853bcf6b12

SHA512
552e5c15a1bfd482f7b8507325d664103fa4e9d8d2a6ca9a7052ab07c65f493da9949b792871a4994f86d671212128465fcd55eaf24ab01b15aa708fe77d2d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDDBD.exe

Filesize
15KB

MD5
419e35d733fe99261f85094cff19e07a

SHA1
bd989f7835c101675aa67af9dbcd08870cbacf60

SHA256
3bf119fe48b5c4975828ec47b61b1b6a3195cd87fb6bd91a52bc9dda7878d8af

SHA512
f17ccae229f2d66b3e3691016b7600994be719776a7e170a605779ceb151db960abff6388675bcaa51e70e9a3a60d79be4c06522b57477000bf36ef1c1de7107

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME039.exe

Filesize
15KB

MD5
03dd641c78e6227012452ed6a0296036

SHA1
70dc6a01f5eff088dc11cec31172754c7bc9b34e

SHA256
5a31300f11e8f65e880234a2bfd5608dee0101ed5dd011153f4f828d90a10c87

SHA512
db817e4e935d628abb9d3e6ad15e74b4f9369a2c8d717777f4372df7fd2609c59358ab114784aecd3656741b9e82a7c8b50f39fc783b3c9c43ae8c0c8b3973a3

Download Submit

Analysis

Sharing