7af6595ef53007e9468b13e717e21d1e906ee8ec61bf0cc57e06d74ad492fb96

General

Target

0d59cdac6efe4042bba9243e6a5e4e19_JaffaCakes118.exe
Size

15KB
MD5

0d59cdac6efe4042bba9243e6a5e4e19
SHA1

a523a703649a0567b14f7b7e861f143158e785be
SHA256

7af6595ef53007e9468b13e717e21d1e906ee8ec61bf0cc57e06d74ad492fb96
SHA512

1d684731752e32feb1c73199c18dfa52db38cc467b21a9fe6e665d35f961f52623d35f01e27b0088c8faf14ac0d288d5cc27e0d601e8ef43457123e1be77bf7a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8QaK:hDXWipuE+K3/SSHgxm83K

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM96B2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMF0D8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM487E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMA11D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMF95F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	0d59cdac6efe4042bba9243e6a5e4e19_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3008	DEM96B2.exe
4552	DEMF0D8.exe
1712	DEM487E.exe
2768	DEMA11D.exe
4132	DEMF95F.exe
4616	DEM50B6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 3008	4916	0d59cdac6efe4042bba9243e6a5e4e19_JaffaCakes118.exe	96
PID 4916 wrote to memory of 3008	4916	0d59cdac6efe4042bba9243e6a5e4e19_JaffaCakes118.exe	96
PID 4916 wrote to memory of 3008	4916	0d59cdac6efe4042bba9243e6a5e4e19_JaffaCakes118.exe	96
PID 3008 wrote to memory of 4552	3008	DEM96B2.exe	99
PID 3008 wrote to memory of 4552	3008	DEM96B2.exe	99
PID 3008 wrote to memory of 4552	3008	DEM96B2.exe	99
PID 4552 wrote to memory of 1712	4552	DEMF0D8.exe	101
PID 4552 wrote to memory of 1712	4552	DEMF0D8.exe	101
PID 4552 wrote to memory of 1712	4552	DEMF0D8.exe	101
PID 1712 wrote to memory of 2768	1712	DEM487E.exe	103
PID 1712 wrote to memory of 2768	1712	DEM487E.exe	103
PID 1712 wrote to memory of 2768	1712	DEM487E.exe	103
PID 2768 wrote to memory of 4132	2768	DEMA11D.exe	105
PID 2768 wrote to memory of 4132	2768	DEMA11D.exe	105
PID 2768 wrote to memory of 4132	2768	DEMA11D.exe	105
PID 4132 wrote to memory of 4616	4132	DEMF95F.exe	107
PID 4132 wrote to memory of 4616	4132	DEMF95F.exe	107
PID 4132 wrote to memory of 4616	4132	DEMF95F.exe	107

C:\Users\Admin\AppData\Local\Temp\0d59cdac6efe4042bba9243e6a5e4e19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d59cdac6efe4042bba9243e6a5e4e19_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Users\Admin\AppData\Local\Temp\DEM96B2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM96B2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\DEMF0D8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF0D8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\DEM487E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM487E.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Users\Admin\AppData\Local\Temp\DEMA11D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA11D.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Users\Admin\AppData\Local\Temp\DEMF95F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF95F.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\DEM50B6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM50B6.exe"
        7⤵
        Executes dropped EXE
        
        PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM487E.exe

Filesize
15KB

MD5
19d0f56574f93601ad3ff2427c4c1784

SHA1
c93068d64568f6b913f912d3f790a7a79110c7b4

SHA256
ab44ca647ce5045bfec6a3bbacc2d20504f600a3db5c2a38ebd1dc2363d1b140

SHA512
2049dfb79e562a9fd87efd5a1408c754ec701e0804d780d04a9bc89dfb5f0af118c41cf4f9c9ff1767fed1784a8660fe1e846697391c93bc595f57e070ae9b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM50B6.exe

Filesize
16KB

MD5
cc3f984d8ac7b49557010abff0a823f2

SHA1
162fca0417e8d29c59ab707c59e79fab6c17120a

SHA256
568ed88a8798723d4a2f116ffdc19815be886aa1d7726a78e891bee6a7ccbe93

SHA512
61dcfeac83407a97100e139aae6d13fc8d9d38eb941e5495035757db2a580183a175cf1cd7f3711f1e07acd534efb189be529addeb2937575c2af7498e9d0b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM96B2.exe

Filesize
15KB

MD5
c1b4ddc767cfafccde6aef2d69d96699

SHA1
85f415fa8a0d64384d02a8fc23c726f19fc1af67

SHA256
5ae0253ca0b454aa17714ea3bbd74b36723d33673a7a6c19713cbba98ebbd60a

SHA512
507f8a70c936e460182cfbcd3b3dde7d5efd4aba55f49d1d6319ad3759ecaedfeb85d0c53deff84287a04f7a457ebaec693ef6043ff23c395a4ca3c3f1e3fb21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA11D.exe

Filesize
15KB

MD5
154ae9c0ebd81ea25d20e1be1eac441e

SHA1
6ec873941776c5856594fb2287bdd3d71f29cf20

SHA256
83e228085a25b22a4e4ab5f2b97003f27b7169db65fddfa4ff8930a3268ace4c

SHA512
f8a08622a5273929b4a978be10f36e6f322bbdcdaf674b4747ee018f145f7fae88d8289a2ff289a8e218e1e9d2113886474108d3d4fbb95b2b6f05d4a788e70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF0D8.exe

Filesize
15KB

MD5
8eb65dd7ac592c1da0566f02e5d9a4c5

SHA1
a64b97053bf7743363ae1f74f03851b5a77f4760

SHA256
03aa732c6f56e1bea4b68064397b5580e2658dd40c3ebf39b6df5f3e63de8190

SHA512
b446ab8d0a6fc38d6fcad81344f1e10180d7b0e826562c34049b33e5e07d111d43b09374e2a791d15515fa9d904de08d8740c049788f2c674e42a953e4657ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF95F.exe

Filesize
16KB

MD5
9015751f9b427ee6c42ff94cf05b4b25

SHA1
d93c87fc26e8486518618ad8251d740204ee2dd9

SHA256
6e7a4c7224db9f57b6181b73e99c65f43b4c8234ae2d1779999d72da1e176237

SHA512
c909a9d73922e80b53471665dbc7c962d44e60abbdec032be9857f25980c3642a97f6435031d2e6787e27e8b4e1078cb8a256a2a95ac1889c9c87e89b682fa06

Download Submit

Analysis

Sharing