aea8b09933b1bb79770b1fe70ce8c385ac61e4869dd03b4502bd50ff5775046c

General

Target

05ac589b307cfdf0db3ac869671b2615_JaffaCakes118.exe
Size

14KB
MD5

05ac589b307cfdf0db3ac869671b2615
SHA1

453da7c38873bb52a7c22dffd2c9748a47249994
SHA256

aea8b09933b1bb79770b1fe70ce8c385ac61e4869dd03b4502bd50ff5775046c
SHA512

fcf8fcc652126b3583b193ec783b767958c7f3a0cd32478f07612a30afa7affde7b94a40d076d973a6e0d2f23d20d380bbb30f15829456ebdbb7b826f0d7dfd3
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhhiw:hDXWipuE+K3/SSHgxLiw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM852E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEMDB3D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM314C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM875B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	05ac589b307cfdf0db3ac869671b2615_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM2EA1.exe

Executes dropped EXE 6 IoCs

pid	Process
1108	DEM2EA1.exe
2328	DEM852E.exe
1192	DEMDB3D.exe
808	DEM314C.exe
3704	DEM875B.exe
3308	DEMDD6B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1108	2028	05ac589b307cfdf0db3ac869671b2615_JaffaCakes118.exe	98
PID 2028 wrote to memory of 1108	2028	05ac589b307cfdf0db3ac869671b2615_JaffaCakes118.exe	98
PID 2028 wrote to memory of 1108	2028	05ac589b307cfdf0db3ac869671b2615_JaffaCakes118.exe	98
PID 1108 wrote to memory of 2328	1108	DEM2EA1.exe	101
PID 1108 wrote to memory of 2328	1108	DEM2EA1.exe	101
PID 1108 wrote to memory of 2328	1108	DEM2EA1.exe	101
PID 2328 wrote to memory of 1192	2328	DEM852E.exe	103
PID 2328 wrote to memory of 1192	2328	DEM852E.exe	103
PID 2328 wrote to memory of 1192	2328	DEM852E.exe	103
PID 1192 wrote to memory of 808	1192	DEMDB3D.exe	105
PID 1192 wrote to memory of 808	1192	DEMDB3D.exe	105
PID 1192 wrote to memory of 808	1192	DEMDB3D.exe	105
PID 808 wrote to memory of 3704	808	DEM314C.exe	107
PID 808 wrote to memory of 3704	808	DEM314C.exe	107
PID 808 wrote to memory of 3704	808	DEM314C.exe	107
PID 3704 wrote to memory of 3308	3704	DEM875B.exe	109
PID 3704 wrote to memory of 3308	3704	DEM875B.exe	109
PID 3704 wrote to memory of 3308	3704	DEM875B.exe	109

C:\Users\Admin\AppData\Local\Temp\05ac589b307cfdf0db3ac869671b2615_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05ac589b307cfdf0db3ac869671b2615_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\DEM2EA1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2EA1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\DEM852E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM852E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\DEMDB3D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDB3D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1192
    - - C:\Users\Admin\AppData\Local\Temp\DEM314C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM314C.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:808
      - C:\Users\Admin\AppData\Local\Temp\DEM875B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM875B.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\DEMDD6B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDD6B.exe"
        7⤵
        Executes dropped EXE
        
        PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2EA1.exe

Filesize
15KB

MD5
dcab3fe701eed24869310980e692da6b

SHA1
f04baeab36624dd436a3cc8540ba821683fcb95e

SHA256
e640afb5d98024dad5fc67bf2ce227919a01f937e8a5e4f7c3ff2089978b80af

SHA512
9ed1781cb222cf00fecf132bc8f78f2e893b51c9c3850cbd499c58655ffcaed2f960333c3c55cc0ab4c1797c90397ab693bcca3e9add4fa5adc9630104299537

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM314C.exe

Filesize
15KB

MD5
42583e92349a9328d2addb4767e48883

SHA1
d1d5bd3ca14022f3f7731aa90d0967a62cc8d181

SHA256
8eb1d63de890c929fac09b30d5ca735277fa8daf5983cb0ca2c57337bedb986f

SHA512
768e982f33ca596dd5c6c84689acf12bdd47091a628b1d8d37832268486f9cc098ab7545c9d03f043773a90bbf3a2787ab15e2fe6c146357a65623ec03a43ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM852E.exe

Filesize
15KB

MD5
d63f8a3c00d8f9ee59d1732736966f17

SHA1
cb49c067e6c8adbf0110ac0eaf1280166454dc91

SHA256
3a18a6037ee8f49c3e2fa232be847ecd2f13676e679b5804140bb54a35450d29

SHA512
8d600e54ba6758324a4062d0e2a96ce7b9aa46f38a0c00d21d48bd8b433114b7dd1eb1b846ae9b33247343d988089f3f73be38e098ef53021a377d7808581140

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM875B.exe

Filesize
15KB

MD5
192f2b96ca4a41c42efbee7550a2463c

SHA1
77a24dc9acc77d9163c24410ef2a90a46177b232

SHA256
a9e0fdb60478f41bc502c19f23bc0f65781044279f45979b56b28287a85c3a45

SHA512
79b6276ccd8f8abf16835ca3473f84b61d5c8281cfe86814b485d8ad8ef67c42d39e508532a4bd2df03c3b20e9a7060ecbf4da6615079fac9b68b3b6c2ca679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDB3D.exe

Filesize
15KB

MD5
73284d890c01ac34a466b302e53b67dd

SHA1
880af87a77d3c42c7243e95786cf7dfa98d04441

SHA256
6e0a929e3e989c524367fbebf25d9be98bdb83f036256385f0e1e9de75c2c4d7

SHA512
040b3e7597e97b7913443667a48e298b033b30384f691eaaa22087c6e67a4d86d64eec81e731774d6e7f21c431654828803b27306b50ad0ca2e0b53832d66274

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDD6B.exe

Filesize
15KB

MD5
b91e2dc3041f599234617dd388354ed9

SHA1
be9d657383803cc67df6e119b301e9b28bb2f355

SHA256
7f5a1f69b7445891722b4c3be6416254d08abf51ef1ebb32a5445a08181d484a

SHA512
07d3a1d6d79139db9bbe0ebcffe7fbbe4bc39b1b504a3769850742ac42948881d4454a3065d1fbd98424b9cf17142f52614c32af6254572acbd673df44d345d3

Download Submit

Analysis

Sharing