92f3a51ed46a4f638f342778aa7d3435f530ba9b32730ab7f312b088747f64a6

General

Target

0d06e4b8f305ff629b596a78750dce92_JaffaCakes118.exe
Size

14KB
MD5

0d06e4b8f305ff629b596a78750dce92
SHA1

c8b4825e1f1de1619a7838d0c4b7351802df6f54
SHA256

92f3a51ed46a4f638f342778aa7d3435f530ba9b32730ab7f312b088747f64a6
SHA512

45f0b8ae51cf6b5dd0975f7754da3dd148568adfb5624f4fa27d7ce842eac0f8a6a513b3a92972eab3daea0240efea877ceea44bf4a2b73329d39f922a13789a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhH:hDXWipuE+K3/SSHgxt

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEMF8C7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM4EE6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEMA498.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	0d06e4b8f305ff629b596a78750dce92_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM4C4B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEMA2A8.exe

Executes dropped EXE 6 IoCs

pid	Process
1672	DEM4C4B.exe
1012	DEMA2A8.exe
2320	DEMF8C7.exe
4500	DEM4EE6.exe
4468	DEMA498.exe
4488	DEMFA88.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 1672	1864	0d06e4b8f305ff629b596a78750dce92_JaffaCakes118.exe	98
PID 1864 wrote to memory of 1672	1864	0d06e4b8f305ff629b596a78750dce92_JaffaCakes118.exe	98
PID 1864 wrote to memory of 1672	1864	0d06e4b8f305ff629b596a78750dce92_JaffaCakes118.exe	98
PID 1672 wrote to memory of 1012	1672	DEM4C4B.exe	101
PID 1672 wrote to memory of 1012	1672	DEM4C4B.exe	101
PID 1672 wrote to memory of 1012	1672	DEM4C4B.exe	101
PID 1012 wrote to memory of 2320	1012	DEMA2A8.exe	103
PID 1012 wrote to memory of 2320	1012	DEMA2A8.exe	103
PID 1012 wrote to memory of 2320	1012	DEMA2A8.exe	103
PID 2320 wrote to memory of 4500	2320	DEMF8C7.exe	105
PID 2320 wrote to memory of 4500	2320	DEMF8C7.exe	105
PID 2320 wrote to memory of 4500	2320	DEMF8C7.exe	105
PID 4500 wrote to memory of 4468	4500	DEM4EE6.exe	107
PID 4500 wrote to memory of 4468	4500	DEM4EE6.exe	107
PID 4500 wrote to memory of 4468	4500	DEM4EE6.exe	107
PID 4468 wrote to memory of 4488	4468	DEMA498.exe	109
PID 4468 wrote to memory of 4488	4468	DEMA498.exe	109
PID 4468 wrote to memory of 4488	4468	DEMA498.exe	109

C:\Users\Admin\AppData\Local\Temp\0d06e4b8f305ff629b596a78750dce92_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d06e4b8f305ff629b596a78750dce92_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Local\Temp\DEM4C4B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4C4B.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\DEMA2A8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA2A8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\DEMF8C7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF8C7.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Users\Admin\AppData\Local\Temp\DEM4EE6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4EE6.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4500
      - C:\Users\Admin\AppData\Local\Temp\DEMA498.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA498.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\DEMFA88.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFA88.exe"
        7⤵
        Executes dropped EXE
        
        PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4C4B.exe

Filesize
14KB

MD5
d54a270552af8e9d162a70eb09b2a5fa

SHA1
336a95a493d9f835d29853c29c0fba5f02b851ec

SHA256
cb0b8bd7b3f31362e4c3cbc4a10540f6b569e655834a9742a464e6024b8c6f0c

SHA512
237451ee170b2339b7b8edc4c33369f23d060b607eea47a1b59cc055eb99e16c33bade43882079b027167e2dc931168dc9117ab3677ca443fdfa1c8a31d096b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4EE6.exe

Filesize
14KB

MD5
3c2e4a908f3b9972cb57082d2b68eaa1

SHA1
d8f228c457c5036515a584434e294b0348b40ecd

SHA256
383d99d2de2481e8e1992aa347fa204f9cd03e0559b691736917ea43262acb1e

SHA512
e495247b98582871017563bf2757b883a8bd07c36d7d824a5b68f86d766969294733becefccf36815bdfa15da242b5217442ce3ae950dff1b9e31546275c7501

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA2A8.exe

Filesize
14KB

MD5
9cc1164e615d66265cbfa604966db819

SHA1
beee3255786243d18811af79353a15f0bd7ec39f

SHA256
a91a798513666cd26a0f164b4d1007f1b7bb9dbba260189adce0254a55bb9e64

SHA512
8841b1da45617db75a0bbb7de73da704abcce14e14938f029c3e2939edcdf9e461417289d6b1d990484a5061d66f465b5ddaf794ece947f685a1a3ddba0f907f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA498.exe

Filesize
14KB

MD5
2ebcf5c3603293a2b4f3ec187f87a04d

SHA1
3d582cc4f349fb1c1c54522d8fdf3d8837d2f848

SHA256
e4cbb6bf9350e6aed9772c7b04e0bddda01f3c647cf02703541ef2e4d128e559

SHA512
0652e42b10986afff3be5a5e50ca311fd1d6374e56766b2a2e283a93ebf7b2afb010b661327307cc592fc25e24a018f82c8821c88b3cea75f4314942b28deee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF8C7.exe

Filesize
14KB

MD5
f3d0f90389f3c84fe57228c8545e53bb

SHA1
47b63c8775cbf7b31bc70b5315b2646e77de7d31

SHA256
e0c680370d193291401db56c843bf8d38bafd2e10942c4e4506df7522bb07d54

SHA512
c17137ab391ee522cad07034568039227df8b62cf68c83e3b0023ea73ccb7e422ce53331c73e90ca812a7341ab3527f57d04702c515dac5d1d84510130b4b1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFA88.exe

Filesize
14KB

MD5
96e1ef0c8cae93072f5976f2c2fe4325

SHA1
55b18c25f3c82e567fc09ed466f7fb07bd957729

SHA256
9174daa6857b19ca13e68f678e86c040add7d331db2c22d5f69f622f3b3dede1

SHA512
c53812b670a9273889253994c7c5d4721d239e2bd5cb9acd27c0fe784ee2db2ff7ae4299df96a014c5db8c1ea7727f67bd4838371278fef90167dead3ea2f0fd

Download Submit

Analysis

Sharing