d118e64af1fde860bfc765630e5e7b7e4f962e90bd9ee930a4147b4fa2e112e2

General

Target

0d42f3ba00728312f75e172872be0720_JaffaCakes118.exe
Size

14KB
MD5

0d42f3ba00728312f75e172872be0720
SHA1

4852f144279ecbf46ef3ce695a7ec415e0d147dc
SHA256

d118e64af1fde860bfc765630e5e7b7e4f962e90bd9ee930a4147b4fa2e112e2
SHA512

081ba84a830d59f7bdd8c374247e11d8e6d8b921dc51ee239f13c8884ef6f4fb7d79678cfbf73f1b176e5259bf04b37a5c22f65140ffb9320433ced8f33a1346
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh0:hDXWipuE+K3/SSHgxG

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEME927.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM3F27.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM9565.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	0d42f3ba00728312f75e172872be0720_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM3C7C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM92E9.exe

Executes dropped EXE 6 IoCs

pid	Process
4724	DEM3C7C.exe
1356	DEM92E9.exe
2556	DEME927.exe
4800	DEM3F27.exe
2704	DEM9565.exe
4312	DEMEB74.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 4724	4128	0d42f3ba00728312f75e172872be0720_JaffaCakes118.exe	97
PID 4128 wrote to memory of 4724	4128	0d42f3ba00728312f75e172872be0720_JaffaCakes118.exe	97
PID 4128 wrote to memory of 4724	4128	0d42f3ba00728312f75e172872be0720_JaffaCakes118.exe	97
PID 4724 wrote to memory of 1356	4724	DEM3C7C.exe	100
PID 4724 wrote to memory of 1356	4724	DEM3C7C.exe	100
PID 4724 wrote to memory of 1356	4724	DEM3C7C.exe	100
PID 1356 wrote to memory of 2556	1356	DEM92E9.exe	102
PID 1356 wrote to memory of 2556	1356	DEM92E9.exe	102
PID 1356 wrote to memory of 2556	1356	DEM92E9.exe	102
PID 2556 wrote to memory of 4800	2556	DEME927.exe	104
PID 2556 wrote to memory of 4800	2556	DEME927.exe	104
PID 2556 wrote to memory of 4800	2556	DEME927.exe	104
PID 4800 wrote to memory of 2704	4800	DEM3F27.exe	106
PID 4800 wrote to memory of 2704	4800	DEM3F27.exe	106
PID 4800 wrote to memory of 2704	4800	DEM3F27.exe	106
PID 2704 wrote to memory of 4312	2704	DEM9565.exe	108
PID 2704 wrote to memory of 4312	2704	DEM9565.exe	108
PID 2704 wrote to memory of 4312	2704	DEM9565.exe	108

C:\Users\Admin\AppData\Local\Temp\0d42f3ba00728312f75e172872be0720_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d42f3ba00728312f75e172872be0720_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\DEM3C7C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3C7C.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\DEM92E9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM92E9.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\DEME927.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME927.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Users\Admin\AppData\Local\Temp\DEM3F27.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3F27.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4800
      - C:\Users\Admin\AppData\Local\Temp\DEM9565.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9565.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\DEMEB74.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEB74.exe"
        7⤵
        Executes dropped EXE
        
        PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3C7C.exe

Filesize
14KB

MD5
da2dd3c81c17e3b0f1517e0fe04c52ba

SHA1
419ad608f4f2d7af6aa03ca106ecfd0531ed3e54

SHA256
14d4b4a104590214436df57a1a92c51f075f178a074ca166b337cfc72ace421e

SHA512
3f011940188f70150d2463ef141f218079a2e20acd5669f5b9c3104f4f462fc30d901a90c626ce71400c56e8ec52671d1a4b772f7835693adb577d51ba5695d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3F27.exe

Filesize
14KB

MD5
9d1628b98e4802d0f35b9c569f2ead15

SHA1
89c17e232f57e9a840e5861d60a8d908101504bf

SHA256
b8f7323ec51bbc8a034ac8cf10e99454c253ce5098497b07d6085d97f93bbda9

SHA512
43b9885a643b225a4c78b9dd824ef9946aa188d551767dc450d0f379349961caf8f43e1b279f05776a253f0fee2e60678681540a1783647d1b4178bd39501d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM92E9.exe

Filesize
14KB

MD5
0e8100cd71a30ca8b279d4aaf89a6883

SHA1
8f32a4c54ed5afb93e2046919885010e75a7eda0

SHA256
aef75eef705110b822fbe17cb21f3b0faadb7c8978d6a49a43af9b0631082704

SHA512
60dc569c06e4dadd9f38a01de57f4079625cf8015077e13ec30fa681502e483fb500731a11dbe1402e2a981cfd314082284414e5ccd14139a5b262d7114fd6b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9565.exe

Filesize
14KB

MD5
4f7f0afe4c5d970c6e26a09f236eb66d

SHA1
759b2188675472de4dc3ede3648d39fcdf2ad618

SHA256
5ec693e9239ad861d4959dc87342809b98f230e0aaf7bf34b40cb284529c2105

SHA512
9f611212fd9de7a90c8e3393fe92c6084a8fb4d823b8cf5cc58350ebbddb9165c2d5daf2fe246a953b5348923e0783cf6871c582d958f6c3b4eff3768eeb2c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME927.exe

Filesize
14KB

MD5
e4d442ac755f38564c7c4c91beaa9bf4

SHA1
6a35832e9434cb1214a944535a8c3d577025d453

SHA256
b901805eb0ca971c54687f7d221640057c3d43f61a82e21e8d31e8cbaaa93d2f

SHA512
7cf7215c86849e9262ff3b16b145c3971c6cbcd3532d65a7084065fa1c6b6e96dd4c8e03bba2f57dc8a8c17fbb91944c5c9bad1b4cb1ee07d0bdc3cb6bea8296

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEB74.exe

Filesize
14KB

MD5
7689443346c67506a3407a86e3c8d72c

SHA1
7760035703d35668b012c4cd5ed5ebda74619d74

SHA256
b883cd5422f377f5087c07f3c6617f2c11a2ee5d97338f06335cae7ce19c7ffc

SHA512
75156633cf6dbfea75d6ea729e0c19fe00c46fc0e063f9bdc2f82279f38b8a9d2c41d6df38f70791b8502a0fea555dadf299a1ef60c8858fa743aceab9db7237

Download Submit

Analysis

Sharing