ee66bed3f91e3c44d53ff8f25acf6c4b3b7035b14fb66544624e62cc997fadc4

General

Target

0b6b226a6a0670501eee05d0ec8ec82f_JaffaCakes118.exe
Size

16KB
MD5

0b6b226a6a0670501eee05d0ec8ec82f
SHA1

7af2cbb1ba2933e09c6a70cd59001d9f8a968ce8
SHA256

ee66bed3f91e3c44d53ff8f25acf6c4b3b7035b14fb66544624e62cc997fadc4
SHA512

a5b800b4e95a3f8bdc74ca28ea1757d9220032798d931be7869bfef3aea80100bb7682ea3abd76a3740cd834db9d4f1b13eaf94c00435e1a6722f755c388f3da
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlgJ:hDXWipuE+K3/SSHgxmlgJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMCFB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM6462.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMBB5C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	0b6b226a6a0670501eee05d0ec8ec82f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM5B9D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMB508.exe

Executes dropped EXE 6 IoCs

pid	Process
1392	DEM5B9D.exe
3864	DEMB508.exe
1368	DEMCFB.exe
4368	DEM6462.exe
4700	DEMBB5C.exe
3564	DEM1255.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 1392	2992	0b6b226a6a0670501eee05d0ec8ec82f_JaffaCakes118.exe	97
PID 2992 wrote to memory of 1392	2992	0b6b226a6a0670501eee05d0ec8ec82f_JaffaCakes118.exe	97
PID 2992 wrote to memory of 1392	2992	0b6b226a6a0670501eee05d0ec8ec82f_JaffaCakes118.exe	97
PID 1392 wrote to memory of 3864	1392	DEM5B9D.exe	100
PID 1392 wrote to memory of 3864	1392	DEM5B9D.exe	100
PID 1392 wrote to memory of 3864	1392	DEM5B9D.exe	100
PID 3864 wrote to memory of 1368	3864	DEMB508.exe	102
PID 3864 wrote to memory of 1368	3864	DEMB508.exe	102
PID 3864 wrote to memory of 1368	3864	DEMB508.exe	102
PID 1368 wrote to memory of 4368	1368	DEMCFB.exe	104
PID 1368 wrote to memory of 4368	1368	DEMCFB.exe	104
PID 1368 wrote to memory of 4368	1368	DEMCFB.exe	104
PID 4368 wrote to memory of 4700	4368	DEM6462.exe	106
PID 4368 wrote to memory of 4700	4368	DEM6462.exe	106
PID 4368 wrote to memory of 4700	4368	DEM6462.exe	106
PID 4700 wrote to memory of 3564	4700	DEMBB5C.exe	108
PID 4700 wrote to memory of 3564	4700	DEMBB5C.exe	108
PID 4700 wrote to memory of 3564	4700	DEMBB5C.exe	108

C:\Users\Admin\AppData\Local\Temp\0b6b226a6a0670501eee05d0ec8ec82f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b6b226a6a0670501eee05d0ec8ec82f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\DEM5B9D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5B9D.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Users\Admin\AppData\Local\Temp\DEMB508.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB508.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3864
  - - C:\Users\Admin\AppData\Local\Temp\DEMCFB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCFB.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Users\Admin\AppData\Local\Temp\DEM6462.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6462.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4368
      - C:\Users\Admin\AppData\Local\Temp\DEMBB5C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBB5C.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\DEM1255.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1255.exe"
        7⤵
        Executes dropped EXE
        
        PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1255.exe

Filesize
16KB

MD5
293c47bba6d1d83e7f772e1bba21a63b

SHA1
deae5466732efd2a2a78aeeece5c76303e160cd8

SHA256
3f6a7fde5ca2a4e9368012c6092bb2d2b1ecfa22ee7273f8445ef11ed720358f

SHA512
93e01708b82076ff992d25087c4495f077e58be80f3ce18d0fcf3495fb5d4940a9e77222bc19b012e6a7b5ac30999ab837da6e04401774295b6c8b4f83c51b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5B9D.exe

Filesize
16KB

MD5
356cb84ae18727a4dfb7535b0428a67e

SHA1
a321d5976e8b8d81888c82141d3f695f606480f7

SHA256
8770ebc12d4aa6b40ba931c0a5d73cc98373a80e2bd2d8cd6881dac99c773b99

SHA512
4b469495ade9e642c87da3d3d47d8c07dfce64e8ed96ab5c5ee7146077cca663be1674997312443b6f86007098b67f8edb55601dd643a3a6da8c9e5f57c5c6ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6462.exe

Filesize
16KB

MD5
406f0a5c4618d9e6d599fb59ab8a862e

SHA1
b200c8a35ddfb01e2f52311d31fc61ea835b4432

SHA256
e529f2aa66f3d028acccc3754b76a9493f56199aa75af99d1a122b9dc54e65d8

SHA512
3c2c92e02098b55403d1b587a8dca01e4ca29e520ce6924e6b69f39134a7d79335e0193c110776be0ec6346e06d2c2a2ec29f8706b3fc9573691764b516452ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB508.exe

Filesize
16KB

MD5
4334ff580c6dc940e481bc9e2d8444a6

SHA1
f114c5d0c9416f4aa1f4cdec14bafa97a1069fc7

SHA256
996e3d7792b0501d3aae688a3aeda1be067f80df7c145245be57ff67fbcc7cce

SHA512
d9eb08426640d3ee59ea5b3f9da9e6f9d3987c18f01e9cae76d5299479313ce96b9ac7619701c3d2870e99bd9fb43875737fa58d6d22d397d9fd482e51046f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBB5C.exe

Filesize
16KB

MD5
83050e6aaa8984c1e9568f9f47ea2aaf

SHA1
0d47a6595466bf531bf73418594a285bce617c72

SHA256
eea4e5f3e30b92dd6dc154209e1835a18241f0ba5f9db7da3399efd4ba9bdd39

SHA512
28e31c460bd05afd390ad9d8780cc4958a86a4a2cf4b7587a6bc1fd859376857dd67d70159a9528ae1a65cf0238e7754eccb98ea7354684acc7f12430f93b139

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCFB.exe

Filesize
16KB

MD5
53f4d461ef588a7e370b8fddad48b6a4

SHA1
37cea6cd818d67bd886d4b7de9694836675f7866

SHA256
1f5566aa4d40015b54c846b26d9fba27542d8b3f8e4c67f212ebdc36095254d7

SHA512
7464a218f25a976b043cfe33d3b131962abc90929bc0376cdeffdfa456dc2d2236cc4255970df6740c9956d8e1d4be708dd462b4222feb34e57f08dba4a1c1a9

Download Submit

Analysis

Sharing