58785660b8a82827273d5f5ce2b4c1c2596de6c2e3efbba9f5e80a76f4693eb6

General

Target

0e4986899bf4348071697571a48cc8b5_JaffaCakes118.exe
Size

16KB
MD5

0e4986899bf4348071697571a48cc8b5
SHA1

728583446fab6914e9342e744a10c782f8e9879f
SHA256

58785660b8a82827273d5f5ce2b4c1c2596de6c2e3efbba9f5e80a76f4693eb6
SHA512

d3791405de631003abdc6619a7da6471c7972f19f14dddb41b9a9aefb1685bb784f7960051461b90e2c227561afcab6214fc31a5f4436230d57d97e7cb878447
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRN:hDXWipuE+K3/SSHgxp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMD040.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM2D35.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM84EA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMDCAF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	0e4986899bf4348071697571a48cc8b5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM5CC6.exe

Executes dropped EXE 6 IoCs

pid	Process
3516	DEM5CC6.exe
376	DEMD040.exe
2480	DEM2D35.exe
4312	DEM84EA.exe
4884	DEMDCAF.exe
4816	DEM3483.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 3516	4376	0e4986899bf4348071697571a48cc8b5_JaffaCakes118.exe	97
PID 4376 wrote to memory of 3516	4376	0e4986899bf4348071697571a48cc8b5_JaffaCakes118.exe	97
PID 4376 wrote to memory of 3516	4376	0e4986899bf4348071697571a48cc8b5_JaffaCakes118.exe	97
PID 3516 wrote to memory of 376	3516	DEM5CC6.exe	99
PID 3516 wrote to memory of 376	3516	DEM5CC6.exe	99
PID 3516 wrote to memory of 376	3516	DEM5CC6.exe	99
PID 376 wrote to memory of 2480	376	DEMD040.exe	101
PID 376 wrote to memory of 2480	376	DEMD040.exe	101
PID 376 wrote to memory of 2480	376	DEMD040.exe	101
PID 2480 wrote to memory of 4312	2480	DEM2D35.exe	103
PID 2480 wrote to memory of 4312	2480	DEM2D35.exe	103
PID 2480 wrote to memory of 4312	2480	DEM2D35.exe	103
PID 4312 wrote to memory of 4884	4312	DEM84EA.exe	105
PID 4312 wrote to memory of 4884	4312	DEM84EA.exe	105
PID 4312 wrote to memory of 4884	4312	DEM84EA.exe	105
PID 4884 wrote to memory of 4816	4884	DEMDCAF.exe	107
PID 4884 wrote to memory of 4816	4884	DEMDCAF.exe	107
PID 4884 wrote to memory of 4816	4884	DEMDCAF.exe	107

C:\Users\Admin\AppData\Local\Temp\0e4986899bf4348071697571a48cc8b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e4986899bf4348071697571a48cc8b5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Local\Temp\DEM5CC6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5CC6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\DEMD040.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD040.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Users\Admin\AppData\Local\Temp\DEM2D35.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2D35.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Users\Admin\AppData\Local\Temp\DEM84EA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM84EA.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4312
      - C:\Users\Admin\AppData\Local\Temp\DEMDCAF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDCAF.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\DEM3483.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3483.exe"
        7⤵
        Executes dropped EXE
        
        PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2D35.exe

Filesize
16KB

MD5
0a4b112b7d8d759e27b723eb43a4ca35

SHA1
08b66274ac5d9e22ef733d1862ed71701bec0fc4

SHA256
f9485ca0126ff7d5bc00e633c0bfef3ea94f0e964c18eb0394b8a433d026104e

SHA512
aa4dd52b8473d84c7194dcc54849b322e137f52f9fe9c422cbe4b5d9b1f483b0761ad90b11b73e6748725eb143684af2840588be0467a186b5f5c4e5c766f5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3483.exe

Filesize
16KB

MD5
11320f16444f7e903a0ebcdb1963b7b9

SHA1
9b45c13044e11acd2469d65c668652d6779dfa5c

SHA256
a971cbf2fbfc7510bca015feefaf9a9f36880fbde60f25c1d705d538e2b8ec6f

SHA512
85e1dfce1a060f041ec1e6f72e35afe245768eaaf564249b322103a55d9dde87dd3a4fcd6fc19b83e07b4a368cb2cff3d22a19ea4a27e68611d438b426405c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5CC6.exe

Filesize
16KB

MD5
b8df7ebed5eaa26a4874687f43dc4048

SHA1
c818c4724c3cd5c15fee78e645c399a1010c0286

SHA256
8c42d57e7f15977233dcdbdacf548ff8c70728cae032636dab5c9a26439f1d54

SHA512
4852669dc645046146dd8f8d076d7be1d9dbfda1aff930c25d6da959f594b052936728d1fea62809b322905c6910acd087cbf7ef6a2b69d7a265cf3db9d5b2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM84EA.exe

Filesize
16KB

MD5
800cf59436a9f7d3de38cf87fe709671

SHA1
9ee535a8e7bf0142506c80ceedec09a3e04eb934

SHA256
4ddc18d7398572b61d637d06eb1065fb28ae8f8e4647efcb0195ddfe2d7ca232

SHA512
f968992912e36519f3dff30ac0036aecde2b12ad92dc160c87825e4879877557b15f810632f82b6c821db970961f7c16a66a7325ba91eead1af1e7028118f59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD040.exe

Filesize
16KB

MD5
30b871c1af977bcfb209a9ed25eb24e4

SHA1
fa9be43dbceeeb620bbe667b0a1d0543b258766d

SHA256
e915251b8988029f0495a4b5629af0b3e8e2a06a13a504aebafe05c17b8fa30e

SHA512
7b7b543ecfebb061fa41a6075152c0a354aea3ee4f36ad50a136422021a6cdd708f3b266233c11ae4324ff1344cea35dacdee176c3fd73241e6a93010fa89e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDCAF.exe

Filesize
16KB

MD5
178b0e9c81875fa25318f32045adc788

SHA1
f585503b98bd0e596de663b69456e32189f00197

SHA256
29d64572df8d7d3fa2bdcbf1423aee6c5794d96a0283efcb0953bf3c72f6aeb7

SHA512
f132f50edf1e38ab151ff43f8463b775d9e4c54db81fb62abd847cb23963264913bd93c2e839bce0054b7d746258a76ec0dc1670dd3c589d711cae3863d4d9ba

Download Submit

Analysis

Sharing