a3e2813e93903931d0e1bf90353086ba64c5b00ae0b2d32bed7f8061f9104681

General

Target

08cb383f22ef6187f4cca322c159d636_JaffaCakes118.exe
Size

16KB
MD5

08cb383f22ef6187f4cca322c159d636
SHA1

64201b639ce59a706011a330390f6610e22733a0
SHA256

a3e2813e93903931d0e1bf90353086ba64c5b00ae0b2d32bed7f8061f9104681
SHA512

dfb31a0fcb81d8c1fc4926f7d986516fa22d4dc1b9e477b1edc726d8d839748cea46543017f38af4d2f2afe0453530f785e76f3a8beedd514ea95a588103a4a0
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4:hDXWipuE+K3/SSHgxm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM3132.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM87CD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEMDDEC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM342A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM89AD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	08cb383f22ef6187f4cca322c159d636_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3208	DEM3132.exe
316	DEM87CD.exe
4872	DEMDDEC.exe
5004	DEM342A.exe
2552	DEM89AD.exe
1396	DEMDFDC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 3208	3352	08cb383f22ef6187f4cca322c159d636_JaffaCakes118.exe	98
PID 3352 wrote to memory of 3208	3352	08cb383f22ef6187f4cca322c159d636_JaffaCakes118.exe	98
PID 3352 wrote to memory of 3208	3352	08cb383f22ef6187f4cca322c159d636_JaffaCakes118.exe	98
PID 3208 wrote to memory of 316	3208	DEM3132.exe	101
PID 3208 wrote to memory of 316	3208	DEM3132.exe	101
PID 3208 wrote to memory of 316	3208	DEM3132.exe	101
PID 316 wrote to memory of 4872	316	DEM87CD.exe	103
PID 316 wrote to memory of 4872	316	DEM87CD.exe	103
PID 316 wrote to memory of 4872	316	DEM87CD.exe	103
PID 4872 wrote to memory of 5004	4872	DEMDDEC.exe	105
PID 4872 wrote to memory of 5004	4872	DEMDDEC.exe	105
PID 4872 wrote to memory of 5004	4872	DEMDDEC.exe	105
PID 5004 wrote to memory of 2552	5004	DEM342A.exe	107
PID 5004 wrote to memory of 2552	5004	DEM342A.exe	107
PID 5004 wrote to memory of 2552	5004	DEM342A.exe	107
PID 2552 wrote to memory of 1396	2552	DEM89AD.exe	109
PID 2552 wrote to memory of 1396	2552	DEM89AD.exe	109
PID 2552 wrote to memory of 1396	2552	DEM89AD.exe	109

C:\Users\Admin\AppData\Local\Temp\08cb383f22ef6187f4cca322c159d636_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08cb383f22ef6187f4cca322c159d636_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Users\Admin\AppData\Local\Temp\DEM3132.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3132.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Users\Admin\AppData\Local\Temp\DEM87CD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM87CD.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Users\Admin\AppData\Local\Temp\DEMDDEC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDDEC.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4872
    - - C:\Users\Admin\AppData\Local\Temp\DEM342A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM342A.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5004
      - C:\Users\Admin\AppData\Local\Temp\DEM89AD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM89AD.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\DEMDFDC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDFDC.exe"
        7⤵
        Executes dropped EXE
        
        PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3132.exe

Filesize
16KB

MD5
19b313bf3379eb4fd6f3b0f380372f57

SHA1
acddbe044777f55d2adf13d652d29b4918eaa835

SHA256
4edf2b3948dc61e57afb33db41a84de006350074213581325a43d57e194cd903

SHA512
92f121f6c7ffd78fca32fe807ecae759addf77203c601ee3bed3391f78a161f5bebbf339ac69461b1d9feb5529f6bf078c8fb5bf9551e9067f707d254ccbf4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM342A.exe

Filesize
16KB

MD5
0de311cd406971abb7ade40faa59a862

SHA1
674b959747790b0f32d4bf292c80b106a2f97b93

SHA256
f1b0843dbc7cdddb877a82f1a79db1ab788b5ce26d48dd7397d78a408acadb7b

SHA512
73f565d21c25a3b308e54dfe07f1e6fd002ce0bd9749ad5870c76d2f003f230062df0be3d7f467022946659cbe7e28e1074719ff5477eab02eaa3b1257eac7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM87CD.exe

Filesize
16KB

MD5
5d07bdfbc25fbb28f78a73c2597c0bf0

SHA1
247f34e1f60f18e2516106d4824078870ba6e162

SHA256
8e37b2ae8d56bed1c3a8646fd61b8391952b5f075ce247128d5568258ae1df9b

SHA512
d3b19b78fe2e56490ce29b552ae0ab406e8360f1fcfd3378f4a2a24e1496038ae18ac4c4b4bf1e80b0d5b285371f20e43b3aeb70d656d3cd13938dcef4040492

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM89AD.exe

Filesize
16KB

MD5
55e54cad9585b958b4ae06abfaee936d

SHA1
01f419964bb5daa8bbd1c7db6abfe74365f00424

SHA256
3ace9db4c46f2a7e82b96dc8d8b8da9fbc66875d77118c3611dca6ca2ddfb3d9

SHA512
48c642ca0e45854d49a4a70e9238f3141c456d2715198841262468a8c46e41ede20fb26a9366e8a2d88c98c84ad024afbdd5c256c23a17e3805adf8883f4457b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDDEC.exe

Filesize
16KB

MD5
9c30061e1f232c9396bc0c1d2f1a771b

SHA1
ede907730c89ab3ecad8c766b70327621383c5d6

SHA256
e87519206703ddfef60d564a5f75e70f0fbcfa95656fefab32c9361a51fd0251

SHA512
deeca3623db40b66d868066e35383dd727559e5f632f24ba82ee8e12998007fb62a8ae846e009489d51ed403aeee415290717f8dac96af4234138745be76a37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDFDC.exe

Filesize
16KB

MD5
6ed0e2cc8e3af7ac7a34b2d32fbd6bdf

SHA1
69d453dd479d413c4b9b00139212a7055ab6b7e4

SHA256
ed8ee12404af79ebc280be3d0b15bda0cd34586ec02288d8752430c0d5a9d041

SHA512
3eccd0f4d386a6c4be4fd8bb437d2b4fc5d5e57d357ef9d1df2ed9db0f8a58ea6b75bcf3f3ffb993d88ed464a96f7ea93dd286c97110e8c184fb31b1246f6fd1

Download Submit

Analysis

Sharing