0f51b6c2f5ae1eef21dda2036a57113f5cb7a739e372bb904b906173ad97d6a9

General

Target

02630073f2a232321dfd12ceafeef987_JaffaCakes118.exe
Size

15KB
MD5

02630073f2a232321dfd12ceafeef987
SHA1

8b0ad259468cb47211417feb342dc6abc16fa97a
SHA256

0f51b6c2f5ae1eef21dda2036a57113f5cb7a739e372bb904b906173ad97d6a9
SHA512

a98098c76165211f793eef67c54b89f77e9dce3ca3c6fec647e5b9cdfa21fb000b8e1ce0a7ba4d3ed44d7bdc36a59e8c67b1b834e2c1348cd38136ea5caec960
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnwK:hDXWipuE+K3/SSHgx/wK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM39E7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM8FF6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	02630073f2a232321dfd12ceafeef987_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM373C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM8DB9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEME3E8.exe

Executes dropped EXE 6 IoCs

pid	Process
2684	DEM373C.exe
3508	DEM8DB9.exe
2156	DEME3E8.exe
1536	DEM39E7.exe
1424	DEM8FF6.exe
4480	DEME5F6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 2684	4720	02630073f2a232321dfd12ceafeef987_JaffaCakes118.exe	96
PID 4720 wrote to memory of 2684	4720	02630073f2a232321dfd12ceafeef987_JaffaCakes118.exe	96
PID 4720 wrote to memory of 2684	4720	02630073f2a232321dfd12ceafeef987_JaffaCakes118.exe	96
PID 2684 wrote to memory of 3508	2684	DEM373C.exe	99
PID 2684 wrote to memory of 3508	2684	DEM373C.exe	99
PID 2684 wrote to memory of 3508	2684	DEM373C.exe	99
PID 3508 wrote to memory of 2156	3508	DEM8DB9.exe	101
PID 3508 wrote to memory of 2156	3508	DEM8DB9.exe	101
PID 3508 wrote to memory of 2156	3508	DEM8DB9.exe	101
PID 2156 wrote to memory of 1536	2156	DEME3E8.exe	103
PID 2156 wrote to memory of 1536	2156	DEME3E8.exe	103
PID 2156 wrote to memory of 1536	2156	DEME3E8.exe	103
PID 1536 wrote to memory of 1424	1536	DEM39E7.exe	105
PID 1536 wrote to memory of 1424	1536	DEM39E7.exe	105
PID 1536 wrote to memory of 1424	1536	DEM39E7.exe	105
PID 1424 wrote to memory of 4480	1424	DEM8FF6.exe	107
PID 1424 wrote to memory of 4480	1424	DEM8FF6.exe	107
PID 1424 wrote to memory of 4480	1424	DEM8FF6.exe	107

C:\Users\Admin\AppData\Local\Temp\02630073f2a232321dfd12ceafeef987_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02630073f2a232321dfd12ceafeef987_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Local\Temp\DEM373C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM373C.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\DEM8DB9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8DB9.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\DEME3E8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME3E8.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Users\Admin\AppData\Local\Temp\DEM39E7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM39E7.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1536
      - C:\Users\Admin\AppData\Local\Temp\DEM8FF6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8FF6.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\DEME5F6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME5F6.exe"
        7⤵
        Executes dropped EXE
        
        PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM373C.exe

Filesize
15KB

MD5
8055a51efa976c26302f68917584cab9

SHA1
a2d50a07e439acf3acbb8a9ad8725f5ebe03f88d

SHA256
9856591d03c1a26f7ba3075caa08883fef79093fb0eacaf3450665a458e3000a

SHA512
d5e5def79ef492fd3b365b61c2347ccb907e3dd371820a280b0c07488c155b0395101bf4ee5d45f56b8be904c10cdb75e7cdf6d4dc5c5e791d916a0a5dd96419

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM39E7.exe

Filesize
15KB

MD5
cec98dc7d3d97868845536878076f54d

SHA1
8597554a36fd6e80292d8ebef48071b15f9ba2a0

SHA256
b7031694b32b8aa06fc630b7e560bec4a4d1ad02399eaa9c7bb7d211ae582ad5

SHA512
68ece4d63e5b62409a6dab923d493dd8b435f15eb39a90a72ca21cff3035d91b72a1f6dd0dcc7e33d51aa77d7b66e60c7bfb871907472bd0d93d3fc3ce8f5d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8DB9.exe

Filesize
15KB

MD5
b720b590e77b0872a4195bbb8b31032f

SHA1
6ae11d02f2eb9966af2ad989a5082656e41c359b

SHA256
a4f6e6d116c3bc5e9be44002c99d59c7be1c40bae38f21d4b174ce6f54fdba8d

SHA512
ee6092ed6ec516002b1131ca212ef1e73ab5844d82a049fd9b1fa2d94530c77157cb16274da8efa77c6ff81a42889a0adec901976bdd4bcb6fca6ea87188d097

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8FF6.exe

Filesize
15KB

MD5
3aa27045342d7474597ee45a3757e5fa

SHA1
c766841cf222db437cb123993d33d72d1cc309ee

SHA256
9ab02afe85418e526a44f4d5ab0dd5d5974adf70b1f558890b3ed6ed7d1acce8

SHA512
4fa651c004d7d7676e470dbf1394835885a9a51d0fe2dae73e5d6944954b29a9543d3afcfaef26a014df7da170c0c7885f68a644183429f65264e5916d2bf432

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME3E8.exe

Filesize
15KB

MD5
88ddf34fc458fd8141ebd9e6382f847a

SHA1
f8ae536adeb7e9f25975ed841af8b117546fe27e

SHA256
b5d1f7bed2bad031484e63c02ae7a5f8f1939e6ba8c959dd7a5bfec57f7b63cb

SHA512
ead2132c96783283379a6960e802b031f6919be2b73c1baac68c55eb6f2193b5202507d5d2dea0d105bfa78e4c910b689f8da663f61789b66414104437dbe693

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME5F6.exe

Filesize
15KB

MD5
de8a558a7b2825eabe0ea55ceeb3f164

SHA1
080e40ffc803115fd41986747d71b6ecb2e651d8

SHA256
6b195772a47d60b04a4a16225894d3c4b2211c1ba5e2db74a4b07f217237c943

SHA512
963949eec0352ffce9d2a0f949e32866f0ddfa706cb4dab0261da7889625d322ca206578c421dc09203ef54c05306866098809deaf242deeef993668e25b8aaa

Download Submit

Analysis

Sharing