48f5931c51df86fc67695db2e54694fbe1631e5ea27ff5b47cb381ec34ac7344

General

Target

0ce98910be0fd7271444f04fb92ece8f_JaffaCakes118.exe
Size

15KB
MD5

0ce98910be0fd7271444f04fb92ece8f
SHA1

fac1663749b336489f50a8206bb2c81835f6450e
SHA256

48f5931c51df86fc67695db2e54694fbe1631e5ea27ff5b47cb381ec34ac7344
SHA512

ccec3f0ad6ed91fc662ff9de6ff947cedd214121ff82c1e6ad67d341e79042303e119f4b208ff969ccb7288b6f676ffc0402246eb4530e4ef05f4ffe42e7ed50
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlPgt:hDXWipuE+K3/SSHgxml4t

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM88B8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEMDED7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM34F6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM8B34.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	0ce98910be0fd7271444f04fb92ece8f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM325A.exe

Executes dropped EXE 6 IoCs

pid	Process
1776	DEM325A.exe
1228	DEM88B8.exe
4752	DEMDED7.exe
4268	DEM34F6.exe
5112	DEM8B34.exe
4112	DEME143.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 1776	3080	0ce98910be0fd7271444f04fb92ece8f_JaffaCakes118.exe	96
PID 3080 wrote to memory of 1776	3080	0ce98910be0fd7271444f04fb92ece8f_JaffaCakes118.exe	96
PID 3080 wrote to memory of 1776	3080	0ce98910be0fd7271444f04fb92ece8f_JaffaCakes118.exe	96
PID 1776 wrote to memory of 1228	1776	DEM325A.exe	99
PID 1776 wrote to memory of 1228	1776	DEM325A.exe	99
PID 1776 wrote to memory of 1228	1776	DEM325A.exe	99
PID 1228 wrote to memory of 4752	1228	DEM88B8.exe	101
PID 1228 wrote to memory of 4752	1228	DEM88B8.exe	101
PID 1228 wrote to memory of 4752	1228	DEM88B8.exe	101
PID 4752 wrote to memory of 4268	4752	DEMDED7.exe	103
PID 4752 wrote to memory of 4268	4752	DEMDED7.exe	103
PID 4752 wrote to memory of 4268	4752	DEMDED7.exe	103
PID 4268 wrote to memory of 5112	4268	DEM34F6.exe	105
PID 4268 wrote to memory of 5112	4268	DEM34F6.exe	105
PID 4268 wrote to memory of 5112	4268	DEM34F6.exe	105
PID 5112 wrote to memory of 4112	5112	DEM8B34.exe	107
PID 5112 wrote to memory of 4112	5112	DEM8B34.exe	107
PID 5112 wrote to memory of 4112	5112	DEM8B34.exe	107

C:\Users\Admin\AppData\Local\Temp\0ce98910be0fd7271444f04fb92ece8f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ce98910be0fd7271444f04fb92ece8f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Admin\AppData\Local\Temp\DEM325A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM325A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Users\Admin\AppData\Local\Temp\DEM88B8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM88B8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\DEMDED7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDED7.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4752
    - - C:\Users\Admin\AppData\Local\Temp\DEM34F6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM34F6.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4268
      - C:\Users\Admin\AppData\Local\Temp\DEM8B34.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8B34.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\DEME143.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME143.exe"
        7⤵
        Executes dropped EXE
        
        PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM325A.exe

Filesize
15KB

MD5
c96d1d09c00270bf001aac6f53d80691

SHA1
0f304c8a600d17a6a1fecf9331ce7e2f21abbcc9

SHA256
1052f4e4e781f10e5d86e0e317494471a38edd63b3af24a94c80da7a3ee663ca

SHA512
9e9b990c50bb5cecfb808f8e42742ab2d10bf92390c548bb46be8f67e6eb600180e9a3224d5d35f64bf81e0b28e7133331bb70ae1cc514a810121d000010b036

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM34F6.exe

Filesize
15KB

MD5
5df80fccada377088dc63643cef8ed74

SHA1
c78a57453b3bc25263fcab8f89ebe7de393c0f03

SHA256
059bad03d99bb3104e40be18527726898cd08917d44a543b4dffc9d26fbd5670

SHA512
3a2318c343b0466d954b26edbc5717ca1333d51c420bfb913fead3a273f7848619dfd43027c3f9aed91ba698335b950d663c519c3b077db8f633acbb801d68c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM88B8.exe

Filesize
15KB

MD5
12a972f94fa24193b1a37948e4e75f5c

SHA1
2b6ceaedd3db3dda2f662c7abd506589842532a2

SHA256
bf1a29c9f286a9799f8b55a8c00b76e3dd22b62d37073c5d7325a35d75b004eb

SHA512
49ba067b8627306ab077d728398753a45c52f0d88055538a4a58496b138cc8a1073b6ff3cf6cb3852845ac54a04cec784489453e63b359747c089ff5149239cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8B34.exe

Filesize
15KB

MD5
a257be26b0a0926000a295b230d16cde

SHA1
311d62c5a7c7f25f28d2894e200d1937de67bcdd

SHA256
71ce8cfa6ee452e683a285c91c87cb99f7c738f284f5282f334fab033db2c37d

SHA512
9531e5ef8c6772c360973e49fd389540a3a641b665dcfb7302c5094b560ff44b4736da2772df044717e66938d46344a2ca8b66b5408ea494b391875e4d97e003

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDED7.exe

Filesize
15KB

MD5
64ca5e1506b96a9a013bf022d61dda4c

SHA1
f430726ba7c053b07b34e4492fc99af929d5bffb

SHA256
edfef791f153ebe8891195a7fe0cfcb08ffec436e9ba5c40f6e61dbbb6faeee0

SHA512
ddb4be2689f87ceaf0a69134264dc1c6747e00d079b820428cabbaa18f5b50842c3a70de36a41696b150cbb9974d7dc2778446b6368ca1ad0ec51131bac9908b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME143.exe

Filesize
15KB

MD5
5037478c64866c0c3b65106357829169

SHA1
992c3cb15cbf6c865c08b0208659b3afa2b96bf6

SHA256
fc70af6ba09aada1b463beeae4ef0be1b299c7efa9ed300ad0585145e84b437d

SHA512
8045e29865e1de4562c3977f8fc08b2fc3a9429304e3493a9e96ddb3983405ac54f5beb00f4cad993d48a11c573ed0eae2162e29844e29064e38d24d3fd30489

Download Submit

Analysis

Sharing