5ee70c6a70e08b08f5750c834a5427c06dc6d57465115bf2ff3242c81cedda3e

General

Target

01bcb854780d7f00608be821e05bae17_JaffaCakes118.exe
Size

20KB
MD5

01bcb854780d7f00608be821e05bae17
SHA1

830070206507fd323aabcfec037e852f8f1502da
SHA256

5ee70c6a70e08b08f5750c834a5427c06dc6d57465115bf2ff3242c81cedda3e
SHA512

04ef2d6e33a5acc8b46755bb4523af613ee874f1922ab18b487ee1aa2fb217acd579bda14607c1a695418acbc38ce5a33689e53fac9b9825a1bd2e4d7ad34e56
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4sLN:hDXWipuE+K3/SSHgxmHZsLN

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM3870.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM8E9F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	01bcb854780d7f00608be821e05bae17_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM3623.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM8C90.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEME290.exe

Executes dropped EXE 6 IoCs

pid	Process
3700	DEM3623.exe
8	DEM8C90.exe
4532	DEME290.exe
4420	DEM3870.exe
3180	DEM8E9F.exe
2880	DEME460.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 3700	3596	01bcb854780d7f00608be821e05bae17_JaffaCakes118.exe	97
PID 3596 wrote to memory of 3700	3596	01bcb854780d7f00608be821e05bae17_JaffaCakes118.exe	97
PID 3596 wrote to memory of 3700	3596	01bcb854780d7f00608be821e05bae17_JaffaCakes118.exe	97
PID 3700 wrote to memory of 8	3700	DEM3623.exe	100
PID 3700 wrote to memory of 8	3700	DEM3623.exe	100
PID 3700 wrote to memory of 8	3700	DEM3623.exe	100
PID 8 wrote to memory of 4532	8	DEM8C90.exe	102
PID 8 wrote to memory of 4532	8	DEM8C90.exe	102
PID 8 wrote to memory of 4532	8	DEM8C90.exe	102
PID 4532 wrote to memory of 4420	4532	DEME290.exe	104
PID 4532 wrote to memory of 4420	4532	DEME290.exe	104
PID 4532 wrote to memory of 4420	4532	DEME290.exe	104
PID 4420 wrote to memory of 3180	4420	DEM3870.exe	106
PID 4420 wrote to memory of 3180	4420	DEM3870.exe	106
PID 4420 wrote to memory of 3180	4420	DEM3870.exe	106
PID 3180 wrote to memory of 2880	3180	DEM8E9F.exe	108
PID 3180 wrote to memory of 2880	3180	DEM8E9F.exe	108
PID 3180 wrote to memory of 2880	3180	DEM8E9F.exe	108

C:\Users\Admin\AppData\Local\Temp\01bcb854780d7f00608be821e05bae17_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01bcb854780d7f00608be821e05bae17_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Users\Admin\AppData\Local\Temp\DEM3623.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3623.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Users\Admin\AppData\Local\Temp\DEM8C90.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8C90.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Users\Admin\AppData\Local\Temp\DEME290.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME290.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Users\Admin\AppData\Local\Temp\DEM3870.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3870.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4420
      - C:\Users\Admin\AppData\Local\Temp\DEM8E9F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8E9F.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\DEME460.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME460.exe"
        7⤵
        Executes dropped EXE
        
        PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3623.exe

Filesize
20KB

MD5
99c334b2c655d455d18eb795bb91dcda

SHA1
1e5a4d686ec3da8247c745c00cd96918d5e6944b

SHA256
6e46475d17a7eeea2aa9785048966581cdf83ea30c243051b819097374585522

SHA512
d674e9913e4034609862219fd3f06477ec161346c94288542d358624fa2b291cc73de354b7c8da59f4167d1dbee2f6ecd8fc1194121182490b64f814e54924f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3870.exe

Filesize
20KB

MD5
d0e1a68b76423186bfd5ff17ea272e90

SHA1
23a06e0b33065eea8ce230d386b3d1b82e2b9868

SHA256
574acfdc8642f21d2f92c50d191aaa049f84e058f902c76e0ba2607b8ab879e8

SHA512
c986256452188c693aba0e08f37bfd441e402fe3b49b5cff7142d69272e2c600e1f5b26ad2e6870dfbb6a30899bc3ffde50b1d4705e27fdcf300de099bb19164

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8C90.exe

Filesize
20KB

MD5
be8b195751d31fd723d69401e51afa95

SHA1
657c7153ba3e15e2e43096b189dcdcbef4a07217

SHA256
92ab9a41bd01b812d89e7c9cefc9ab8e4a52fe8988060552534d3f51a08c51e4

SHA512
b811566bc82abf0652517f314fdf7173f16d20414f8873bc434b7f381bd0ce9c080b287b54506312e24574696243d3e70b95e994540d27bc0c30446156ea2e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8E9F.exe

Filesize
20KB

MD5
5cde7c729d2824b81b672a5a46ff3004

SHA1
b88186907bda8e94851dcd9388d1d7dc08760726

SHA256
bd17b2aafa0d8261ccb035f86154068592a54f18bac1b6a05ed7013bb08844b9

SHA512
832d3466bd5f2ec99629b50662da04bf8538cad3c860dc3f809bb41342b578b2855622de2fa779dfaab4e5d043bd970e440f387023219af39f1202cee7b64ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME290.exe

Filesize
20KB

MD5
3a91ca1ce4526ced7558a45741717a78

SHA1
a590d31a418fb1994fdccf6a4736a26d5bb0e8ba

SHA256
629c1696a8c12b3e3f8216992f70c8ed4219f713080733b92046b9b9e5162537

SHA512
87039edbf1098b573951562dbd731313d2ab7ec7f5b98763dcce3b9f3b2f18092590bbd39d64d9e7799932d69b261d1cb663015365ee238cd4031a21aa5b22bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME460.exe

Filesize
20KB

MD5
e8800335be1113733f229d2ff2e53c6f

SHA1
3c794f625b725aee3c23959bafae25a0d631afdf

SHA256
f12c0e94c180bfa2ddd977701de74e2703b31aa1acaa0c0a05d598ee85378fa7

SHA512
33f01a9b413d5db55c7fb9b13e8db7da4b94bac3d3656fd2a62f43732917d82da2ca4e51d768f3672953195f18fb94933014cfc0db2074e78d6bcb4de16de534

Download Submit

Analysis

Sharing