413426c77969c59ddb4f29e1fd441485fcd01270dc42bb4262692e4bee7c521f

General

Target

0afa56435c060e72af517134776a8fe0_JaffaCakes118.exe
Size

16KB
MD5

0afa56435c060e72af517134776a8fe0
SHA1

00e1cd12dc86788e8daf734708bd31917887cb4e
SHA256

413426c77969c59ddb4f29e1fd441485fcd01270dc42bb4262692e4bee7c521f
SHA512

0377f902830b450c2f932985d8194d38fbfa47ff7d6ada93555a841b46bac2d5198e09b60ebf9598ecc850a16c8bee8ee08562b9ad8e0be82d4561c29091038b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxV:hDXWipuE+K3/SSHgxmHL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	0afa56435c060e72af517134776a8fe0_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM668A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMC052.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM17F8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM6FDC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMC7DF.exe

Executes dropped EXE 6 IoCs

pid	Process
4424	DEM668A.exe
4212	DEMC052.exe
1052	DEM17F8.exe
4300	DEM6FDC.exe
3672	DEMC7DF.exe
2936	DEM1F46.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 4424	3528	0afa56435c060e72af517134776a8fe0_JaffaCakes118.exe	95
PID 3528 wrote to memory of 4424	3528	0afa56435c060e72af517134776a8fe0_JaffaCakes118.exe	95
PID 3528 wrote to memory of 4424	3528	0afa56435c060e72af517134776a8fe0_JaffaCakes118.exe	95
PID 4424 wrote to memory of 4212	4424	DEM668A.exe	98
PID 4424 wrote to memory of 4212	4424	DEM668A.exe	98
PID 4424 wrote to memory of 4212	4424	DEM668A.exe	98
PID 4212 wrote to memory of 1052	4212	DEMC052.exe	100
PID 4212 wrote to memory of 1052	4212	DEMC052.exe	100
PID 4212 wrote to memory of 1052	4212	DEMC052.exe	100
PID 1052 wrote to memory of 4300	1052	DEM17F8.exe	102
PID 1052 wrote to memory of 4300	1052	DEM17F8.exe	102
PID 1052 wrote to memory of 4300	1052	DEM17F8.exe	102
PID 4300 wrote to memory of 3672	4300	DEM6FDC.exe	104
PID 4300 wrote to memory of 3672	4300	DEM6FDC.exe	104
PID 4300 wrote to memory of 3672	4300	DEM6FDC.exe	104
PID 3672 wrote to memory of 2936	3672	DEMC7DF.exe	106
PID 3672 wrote to memory of 2936	3672	DEMC7DF.exe	106
PID 3672 wrote to memory of 2936	3672	DEMC7DF.exe	106

C:\Users\Admin\AppData\Local\Temp\0afa56435c060e72af517134776a8fe0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0afa56435c060e72af517134776a8fe0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Users\Admin\AppData\Local\Temp\DEM668A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM668A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Users\Admin\AppData\Local\Temp\DEMC052.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC052.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Users\Admin\AppData\Local\Temp\DEM17F8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM17F8.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1052
    - - C:\Users\Admin\AppData\Local\Temp\DEM6FDC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6FDC.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4300
      - C:\Users\Admin\AppData\Local\Temp\DEMC7DF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC7DF.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\DEM1F46.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1F46.exe"
        7⤵
        Executes dropped EXE
        
        PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM17F8.exe

Filesize
16KB

MD5
dabea7ec8dba0b5f70aba63c18f9c5e3

SHA1
2f88444a5ea4d81f45fe44926c98cc1ccc998ae2

SHA256
4624f8242ff792ce94f3a96221dc6e5ec70a17580bf936842d4d1cf5ab2e85ab

SHA512
2483f01bb937dd5def34a7523f44f5151f9be687ce57b8ec815851136d23e462191bada4355ae8397be5faf0017e24e77f661470c5168951bee2ea4d1f84a73d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1F46.exe

Filesize
16KB

MD5
8a8ec6d00ece0264016acd18e301fb58

SHA1
b9fb1575d15afdccceedfc9235cc2c863e5a138f

SHA256
bddb59ede2ed76a7761b042cbf10e31bdae0059ebd359802ee4b3af69b0ba599

SHA512
98f6acc41ac047b9180afdb2683cd09bb8439d1bec70169bd926321af95184fd27a238bff55aaf9389b796c3af1c2929c03aab9b2e582bfc2b7b7fc530ea68e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM668A.exe

Filesize
16KB

MD5
198b1c6be5dd1410af3f3257f9dde8c5

SHA1
a33b3f3a1292d7935302ad1e34623b954a10cb78

SHA256
d85328402a8f6655f177a575d311ab5039ac10e380d339ae6b2e12313b8d5fd0

SHA512
3440869e9efc92de04b2852b44bdba9dc9f55103b39517a5a3c1bb63d3e3cbf13432f87ddb589687d6ca8e8281c1d45c46d08f3c12e77a4e08b323cf6c04110f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6FDC.exe

Filesize
16KB

MD5
f3166a862d77c75bb9d83c1e1b173818

SHA1
50a51e8a1145c1b9879ae74fbf88493b34a7974a

SHA256
21333cc99ecd78c0a05f815df70a1a5cae27a3db6da3ac6f3c17f45703a3815c

SHA512
046544f2dc5ed85314f93f51fa05c84638d40d5b70cbaffbf69fa43461d9f2861ea505875e5d55670f9e79259f6cef51306e49901ed20f896ba9ac429e24ce36

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC052.exe

Filesize
16KB

MD5
28fc4eddf7a7e6dd29568ea3006c3801

SHA1
a5b2442d99d41f8554ce1929a9c34117f1a097f5

SHA256
f7d9c4895ddafb3d0da5a0424f48590210d8329bff1f8a7bf73159c33bb14e24

SHA512
9fc31b560f0fd81cbd23fac0c00fabe803ebb230ae470b09859659063a79d5762c3de7d8d70d5b7866f5da0400525d6ab2d018a1f949f64a41ba91fd7b59127b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC7DF.exe

Filesize
16KB

MD5
c9c402498a967dcdb9fa04224c86fde1

SHA1
2d9cda14f2c41f2d7631e0b611d7bd6d6e7b1b6d

SHA256
31b204989439ddc9c49a451543c7707b759add4857563c62f5e7d4ba5371ce92

SHA512
0c0e4b2d5e331d153287203ff2ef3cebba3eb2148995f817b2d8e4fa199d4a24c519555881a8663f3f490c587ee6e02d89bba57241f1c9d4510d708b17b3def5

Download Submit

Analysis

Sharing