d3cf89dbe93384ddef21fc72473e468caf3516bb13fe1709d016da747c0928b3

General

Target

0daee50240f2be6f8f336d17371c4cdb_JaffaCakes118.exe
Size

15KB
MD5

0daee50240f2be6f8f336d17371c4cdb
SHA1

2936b10498b4d2c3cb83e11642108eda1f1b65e5
SHA256

d3cf89dbe93384ddef21fc72473e468caf3516bb13fe1709d016da747c0928b3
SHA512

d4c425a030cce70f9eadf7d393149e7660e8fa7ae005eb29b9c845b08c09fa02e60af19fa753f7fda699d8af33656306b513c2d752051445635821cd6d212ac2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyh6q:hDXWipuE+K3/SSHgxmyh6q

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMA335.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMF964.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM4F73.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMA5B1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	0daee50240f2be6f8f336d17371c4cdb_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM4D35.exe

Executes dropped EXE 6 IoCs

pid	Process
1832	DEM4D35.exe
1188	DEMA335.exe
4600	DEMF964.exe
5064	DEM4F73.exe
2672	DEMA5B1.exe
3672	DEMFBA1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 1832	4116	0daee50240f2be6f8f336d17371c4cdb_JaffaCakes118.exe	93
PID 4116 wrote to memory of 1832	4116	0daee50240f2be6f8f336d17371c4cdb_JaffaCakes118.exe	93
PID 4116 wrote to memory of 1832	4116	0daee50240f2be6f8f336d17371c4cdb_JaffaCakes118.exe	93
PID 1832 wrote to memory of 1188	1832	DEM4D35.exe	96
PID 1832 wrote to memory of 1188	1832	DEM4D35.exe	96
PID 1832 wrote to memory of 1188	1832	DEM4D35.exe	96
PID 1188 wrote to memory of 4600	1188	DEMA335.exe	98
PID 1188 wrote to memory of 4600	1188	DEMA335.exe	98
PID 1188 wrote to memory of 4600	1188	DEMA335.exe	98
PID 4600 wrote to memory of 5064	4600	DEMF964.exe	100
PID 4600 wrote to memory of 5064	4600	DEMF964.exe	100
PID 4600 wrote to memory of 5064	4600	DEMF964.exe	100
PID 5064 wrote to memory of 2672	5064	DEM4F73.exe	102
PID 5064 wrote to memory of 2672	5064	DEM4F73.exe	102
PID 5064 wrote to memory of 2672	5064	DEM4F73.exe	102
PID 2672 wrote to memory of 3672	2672	DEMA5B1.exe	104
PID 2672 wrote to memory of 3672	2672	DEMA5B1.exe	104
PID 2672 wrote to memory of 3672	2672	DEMA5B1.exe	104

C:\Users\Admin\AppData\Local\Temp\0daee50240f2be6f8f336d17371c4cdb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0daee50240f2be6f8f336d17371c4cdb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Users\Admin\AppData\Local\Temp\DEM4D35.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4D35.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\DEMA335.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA335.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\DEMF964.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF964.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4600
    - - C:\Users\Admin\AppData\Local\Temp\DEM4F73.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4F73.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\Users\Admin\AppData\Local\Temp\DEMA5B1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA5B1.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\DEMFBA1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFBA1.exe"
        7⤵
        Executes dropped EXE
        
        PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4D35.exe

Filesize
15KB

MD5
e544843a884d6214d5262b73ce21f919

SHA1
16b7415288bbbd9df43e8cd6965fd8be6d48ed48

SHA256
07750f8fa2236fba2e00a280c08a6a0b89dc39b43aabdfaed215010c2f8ec7e6

SHA512
b09e7f273b4102d55957ebf8b50c04ee4658fb42e602c713da0f81be4a2793c65eec608d7e4b1d10932c958862d23e38387b9e333a7f1b4b9fe1303634eb52fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4F73.exe

Filesize
15KB

MD5
992e70f0cffe8f5110f193e9256b2072

SHA1
799f2c6ffbccff8598b693ade11f6cefbe0c01ff

SHA256
fc5bbb942dd2ff4effcbc2ca6e39dc898e238a7ddc6825b317cfa2dd6bb26872

SHA512
f9112a1384f515ca11b4e27bb765153d19fc75755bf60222673f867d0f7e4f0919f2b7079e66d07a9739c6894e85589bcdd86a46718f2ddff699c50743889976

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA335.exe

Filesize
15KB

MD5
ce83331b5d56a1d9622c1eabf6411fe7

SHA1
21d997542fcabeabcdc8c36591b2a7524bf220ee

SHA256
a0a2795d657129adc4a413bc3c3f6af7f77023abfcaf06103b2f89a3e864dce5

SHA512
3f27413b5a1c361097c7cbe6b5e19a824300e7910dbd9f7d9e1b8d7d72185d65edd4c93d455c117d2c3f9548cf71b9fe069ad487b137f1f81571e6dbddf024df

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA5B1.exe

Filesize
15KB

MD5
c6bb639d93a15f9356a1885c91573b15

SHA1
5ffe4e2cc7487d737cf9ee415e81424976347d00

SHA256
fcda7d442b080586b789515108db4b8e007c12d01a63eeab8743b26dac93f827

SHA512
a867f3df4a1dbfd128899c6b71bff4422353a1b806f297314592887867d01757edf36d07dbc7b6716947d8b4863dcd613256fac7e6418f9f51403dc192a4dd42

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF964.exe

Filesize
15KB

MD5
e79a4f41c7b97914223c6ecbf2a0c4bd

SHA1
566b7c64780bc1c8fef43f8b017219219769f2ee

SHA256
d5f07cd14ee7cabc8a1f90bd38c16661d77f84ff39fa464714e8afb2151a176c

SHA512
944cf238f92292d1768aa5d7e938e83e78d595b39a6fd7eda24fbb583af973f2d9904ef54a82edd5e48cd7ddddf27846169f61b2c35507ab0faa2b4d04b41846

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFBA1.exe

Filesize
15KB

MD5
c3cfe367a33ef86921b32d4a4d7cad0f

SHA1
76646ea012ce3cea47f218b7cc9de09f2223bce3

SHA256
33a698ee12b5c9b076fa5e5e02aa5290e6a62ecf834af55866cb53c187f5b18a

SHA512
5f741fd85fdf93b051a88e99c254bce722c98d568b669beec66c065e1995d3a113b449a8fbf97b4784b2eff55182ea50eaa4ab1aadee166f42b5c00f4bb38198

Download Submit

Analysis

Sharing