9e610c7984a4f6b33f8cdf5a750416dcfccd6465a8fafb4402d2697834cb191d

General

Target

0d6ff9174f3c184d8eff282262df94ef_JaffaCakes118.exe
Size

16KB
MD5

0d6ff9174f3c184d8eff282262df94ef
SHA1

f614db1fca3b47f6c88b7246b4e2f1f7ec310615
SHA256

9e610c7984a4f6b33f8cdf5a750416dcfccd6465a8fafb4402d2697834cb191d
SHA512

0b101a054f2fb30adadc02df07c7c5c53b33a132fbec5e53138dd1db3f7ccde6058fb0919519d6f7081922a185e8c2c09329e62599f59cc22a00dd7ff2df59ef
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZV:hDXWipuE+K3/SSHgx3V

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM8A0B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	0d6ff9174f3c184d8eff282262df94ef_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM319F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM882B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEMDE69.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM344A.exe

Executes dropped EXE 6 IoCs

pid	Process
4148	DEM319F.exe
3016	DEM882B.exe
4500	DEMDE69.exe
4476	DEM344A.exe
888	DEM8A0B.exe
1276	DEME039.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 4148	1512	0d6ff9174f3c184d8eff282262df94ef_JaffaCakes118.exe	97
PID 1512 wrote to memory of 4148	1512	0d6ff9174f3c184d8eff282262df94ef_JaffaCakes118.exe	97
PID 1512 wrote to memory of 4148	1512	0d6ff9174f3c184d8eff282262df94ef_JaffaCakes118.exe	97
PID 4148 wrote to memory of 3016	4148	DEM319F.exe	100
PID 4148 wrote to memory of 3016	4148	DEM319F.exe	100
PID 4148 wrote to memory of 3016	4148	DEM319F.exe	100
PID 3016 wrote to memory of 4500	3016	DEM882B.exe	102
PID 3016 wrote to memory of 4500	3016	DEM882B.exe	102
PID 3016 wrote to memory of 4500	3016	DEM882B.exe	102
PID 4500 wrote to memory of 4476	4500	DEMDE69.exe	104
PID 4500 wrote to memory of 4476	4500	DEMDE69.exe	104
PID 4500 wrote to memory of 4476	4500	DEMDE69.exe	104
PID 4476 wrote to memory of 888	4476	DEM344A.exe	106
PID 4476 wrote to memory of 888	4476	DEM344A.exe	106
PID 4476 wrote to memory of 888	4476	DEM344A.exe	106
PID 888 wrote to memory of 1276	888	DEM8A0B.exe	108
PID 888 wrote to memory of 1276	888	DEM8A0B.exe	108
PID 888 wrote to memory of 1276	888	DEM8A0B.exe	108

C:\Users\Admin\AppData\Local\Temp\0d6ff9174f3c184d8eff282262df94ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d6ff9174f3c184d8eff282262df94ef_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\DEM319F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM319F.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Users\Admin\AppData\Local\Temp\DEM882B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM882B.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Users\Admin\AppData\Local\Temp\DEMDE69.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDE69.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4500
    - - C:\Users\Admin\AppData\Local\Temp\DEM344A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM344A.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4476
      - C:\Users\Admin\AppData\Local\Temp\DEM8A0B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8A0B.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\DEME039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME039.exe"
        7⤵
        Executes dropped EXE
        
        PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM319F.exe

Filesize
16KB

MD5
80b65ef2c544b6994d9c3d0b60a88d64

SHA1
ec595e5d53a7e46908e8a3b7ec3ad06804da32f8

SHA256
c81bc9412c0de4cebc98865fa27e68fb6b1fa4c961b5051f468d7aeab183b8a7

SHA512
df22788880e519d8096e3be9222caec794e439b65b90dfa6abf5c7b3327d762d63a2864153af94925ff5719b6824dd5d4eb3f56467f5a6d82bd569f72d0b8ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM344A.exe

Filesize
16KB

MD5
2a65b66bed80732a5cecc3976cff0c06

SHA1
652bb86484d50cd0e8ebbe6bd19d79b82aca7918

SHA256
3a8425d45afd7ed3572e5bb14782eb3edda243bff192ff9663437d837bce258f

SHA512
ed0f5e9d255db4e6efa4e3dc45b1516554497b9e19f7a6376f5bc101e8fff4d7aba73024fa39e0b299da3e7628258c7926d53543159b7aee2aea2f7079dacd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM882B.exe

Filesize
16KB

MD5
f45b3ade2bb4764060a8ef1c7c61a07f

SHA1
671382c11c724611c728844438f3d4c2ff0440f9

SHA256
5468632311dd99fc215ded877413d12fd22c9f13ba5c12c603f9721789fd974c

SHA512
198d315330e13ee9a786f0d67b60ace5f73ae070727c62233403c5b7697c48c39f07fece57cb71822fb27f719ee2fb13799a8be06541c0aeded5601c22f5c06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8A0B.exe

Filesize
16KB

MD5
3f8eb32cd57d95a9f0afdaeb0ad7dbb2

SHA1
c3036ea4f91c772aebeac19284541631c671a61d

SHA256
7c8bd1e1bd28044c48517e74399931941462a78db9f4aa9bb68b245305b2a697

SHA512
5650289d6b36453587dd6de9f521ac1bcdec8a02406e395a5ad889a038ae0035d2879af1363f3c80699a19127b5411329960526cb2eff5f0feb7d51cc8b04aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDE69.exe

Filesize
16KB

MD5
b7f9d17c8d7ed70ecd7a77f0b2aef3d8

SHA1
f25134365f5f094476c49725b3bcfd9abd98aec2

SHA256
20ea5085eac29fb83c91586f4f28fc6c7feb5b1a2ebae958ba2cce7ff8c05f6f

SHA512
8300248f52287deda744e4f09e3888f26bf256a6977abb95c17ff2a4f2394d79e710ebc094dd5394dc2c1baa90d026a940099818f04ce05da125528c5351611f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME039.exe

Filesize
16KB

MD5
fff967962a95e643ab7337dc7bb2c194

SHA1
79b918e4c6960b698fc91538da8cbb30a02f28e4

SHA256
c30e284f505c4abb712a4ab3edb1d2474727e4f0abd58c89bd5f12271c6fbd57

SHA512
a36cca7c382be9b62c56209faedd7c6a0fd23eedc553da916c81d171a3015a8082a9b2bf2eebf6b6ca93c3a2dd5610b268ad0b599ef30efe441e53b88eba63c0

Download Submit

Analysis

Sharing