43a37d65260cc4c09c238e40a320147b336572a22a5838b4ee754df20c19bc43

General

Target

07633919b26187d28e305657cbb9326c_JaffaCakes118.exe
Size

15KB
MD5

07633919b26187d28e305657cbb9326c
SHA1

a609e1c4348ffd9fd4926fb0335b98f7526cc963
SHA256

43a37d65260cc4c09c238e40a320147b336572a22a5838b4ee754df20c19bc43
SHA512

38f74b57da98d813d8e0c90a6d957cb169dfc287c3a9a0de0624638146a0d776f7e691f9777c7a1e37d15652c27d1c6c073421304920e4da29cd379e1373e9cd
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnwF:hDXWipuE+K3/SSHgx/wF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMF84A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM4FF0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMA7B5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMFFA8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	07633919b26187d28e305657cbb9326c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM7F13.exe

Executes dropped EXE 6 IoCs

pid	Process
4200	DEM7F13.exe
5088	DEMF84A.exe
2888	DEM4FF0.exe
456	DEMA7B5.exe
208	DEMFFA8.exe
2720	DEM578C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 4200	1108	07633919b26187d28e305657cbb9326c_JaffaCakes118.exe	97
PID 1108 wrote to memory of 4200	1108	07633919b26187d28e305657cbb9326c_JaffaCakes118.exe	97
PID 1108 wrote to memory of 4200	1108	07633919b26187d28e305657cbb9326c_JaffaCakes118.exe	97
PID 4200 wrote to memory of 5088	4200	DEM7F13.exe	106
PID 4200 wrote to memory of 5088	4200	DEM7F13.exe	106
PID 4200 wrote to memory of 5088	4200	DEM7F13.exe	106
PID 5088 wrote to memory of 2888	5088	DEMF84A.exe	108
PID 5088 wrote to memory of 2888	5088	DEMF84A.exe	108
PID 5088 wrote to memory of 2888	5088	DEMF84A.exe	108
PID 2888 wrote to memory of 456	2888	DEM4FF0.exe	111
PID 2888 wrote to memory of 456	2888	DEM4FF0.exe	111
PID 2888 wrote to memory of 456	2888	DEM4FF0.exe	111
PID 456 wrote to memory of 208	456	DEMA7B5.exe	113
PID 456 wrote to memory of 208	456	DEMA7B5.exe	113
PID 456 wrote to memory of 208	456	DEMA7B5.exe	113
PID 208 wrote to memory of 2720	208	DEMFFA8.exe	115
PID 208 wrote to memory of 2720	208	DEMFFA8.exe	115
PID 208 wrote to memory of 2720	208	DEMFFA8.exe	115

C:\Users\Admin\AppData\Local\Temp\07633919b26187d28e305657cbb9326c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07633919b26187d28e305657cbb9326c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\DEM7F13.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7F13.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Users\Admin\AppData\Local\Temp\DEMF84A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF84A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\DEM4FF0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4FF0.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Users\Admin\AppData\Local\Temp\DEMA7B5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA7B5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:456
      - C:\Users\Admin\AppData\Local\Temp\DEMFFA8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFFA8.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\DEM578C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM578C.exe"
        7⤵
        Executes dropped EXE
        
        PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4FF0.exe

Filesize
15KB

MD5
227c4307dc2143ce606117c8e06a1316

SHA1
5a7e03ee60220c829f25a37d6e0b739a822ba27a

SHA256
fdc9b40c574245b49552fda76427bfdc75b0e713e9deee19b932b45b416f7d4c

SHA512
0c92c2b73bc793002c29e941eaa4a65edf66822c3832a8af51a2f3c30fbad22f05adba66a094be96c2022f66c44ad5bf0a64110a89cfaf3d5443f5ded0091c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM578C.exe

Filesize
15KB

MD5
c7752b1a0e8ad8d2231f27cd284acd83

SHA1
5f9dd4ef68d817dbf259053727c0d4a8eee09c67

SHA256
39da79100373648f028647c99c051989b22eec5be7720172cc2b714027cb8146

SHA512
2513437560fd00230a211e39245ecdaf41e9c4b5c802758e66886384290398f5b8e4cd6ab8392af0f256ac418f8a2d10e088b3954fe2062f4a93291e11f04fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7F13.exe

Filesize
15KB

MD5
b7e42e8bdd54a7a33a680de6c1678510

SHA1
f39b850725813cd10a50da4e903d6ccd5136b23e

SHA256
c45d82ebf5aa2eb8bb4659defe182f9cf8a3bc32e9db37b6b4520a4b985d75f5

SHA512
ffaee0252bce4a11fe38dc899c147abd4bf168fcb092c138596728e6626e67183ae7aa3152eda94befa1b35723424eb87a1455b72fe6313c91ead45779468e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA7B5.exe

Filesize
15KB

MD5
2ba73902ead5bb6fd5cdcf56da2026d1

SHA1
df7c3ca2e3455447eabf1ce4e1a35060fbcae05c

SHA256
859176dbef2c3fb32b4116521e1787650bd9be663cf4ade939d5cfa17c10f2f4

SHA512
0d4b7c1745c232892d9b0b42955d82581d389630c0144468be5190ad433404c14a9b9666dbd98b30afa288c25a21cff889a208d0888762441dca9f01702164a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF84A.exe

Filesize
15KB

MD5
663168ead23db651d9d8ffdf8d713040

SHA1
b34de57fbcb35b8a775d02bfdfc199dafa785de1

SHA256
a03a159015b0485e43f8a6c54e92a5f701a14961ec519fc6a8f99e8b05e7c191

SHA512
0c66bf112b20cce1ceddcf15fb5b962a228c5cfa83206d01ddef39dd43e7a486a3f28d46e1e2916c6b903acb7a4a63d7afab8eabaeb499508e74e9dcffd2a5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFFA8.exe

Filesize
15KB

MD5
9c28af94454d94b405201e21edf1f7ca

SHA1
b5cbfb0723f9fefc7fac3f7175f1b2db4a7c17aa

SHA256
5b701a2731be91c69b8dad9a6444dd89cda8790e59c80306698dd0eed77bd209

SHA512
3ae0ca8b0046bff8122530a645d41c29162226de4520df78ff36fe20fa5cc98c9e79cacf9b3554068f0149005062337570712dfafd974f0e02ab5c8a8995c39b

Download Submit

Analysis

Sharing