4ffe8306d45f80bc0f46bf4b3692875186253b3dd2eaa048d600a9efb8ecc3b1

General

Target

13743212590bf633b419e5ce923e683a_JaffaCakes118.exe
Size

16KB
MD5

13743212590bf633b419e5ce923e683a
SHA1

5c5876bd88bd7d30f699923b58645d71a78a836c
SHA256

4ffe8306d45f80bc0f46bf4b3692875186253b3dd2eaa048d600a9efb8ecc3b1
SHA512

70aa93e8fa20509e79acea703dcd271456e4f0c5e8a2de9854c69a9e70688926ac1001fb78e8db6c0b24e3da7aeda69480356708edf3b29af82f11f4b70b39f8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvC:hDXWipuE+K3/SSHgxma

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM560A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMAC29.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	13743212590bf633b419e5ce923e683a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM5331.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMA9CD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMFFFB.exe

Executes dropped EXE 6 IoCs

pid	Process
4872	DEM5331.exe
3940	DEMA9CD.exe
1360	DEMFFFB.exe
3360	DEM560A.exe
4316	DEMAC29.exe
952	DEM238.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 4872	5028	13743212590bf633b419e5ce923e683a_JaffaCakes118.exe	92
PID 5028 wrote to memory of 4872	5028	13743212590bf633b419e5ce923e683a_JaffaCakes118.exe	92
PID 5028 wrote to memory of 4872	5028	13743212590bf633b419e5ce923e683a_JaffaCakes118.exe	92
PID 4872 wrote to memory of 3940	4872	DEM5331.exe	95
PID 4872 wrote to memory of 3940	4872	DEM5331.exe	95
PID 4872 wrote to memory of 3940	4872	DEM5331.exe	95
PID 3940 wrote to memory of 1360	3940	DEMA9CD.exe	97
PID 3940 wrote to memory of 1360	3940	DEMA9CD.exe	97
PID 3940 wrote to memory of 1360	3940	DEMA9CD.exe	97
PID 1360 wrote to memory of 3360	1360	DEMFFFB.exe	99
PID 1360 wrote to memory of 3360	1360	DEMFFFB.exe	99
PID 1360 wrote to memory of 3360	1360	DEMFFFB.exe	99
PID 3360 wrote to memory of 4316	3360	DEM560A.exe	101
PID 3360 wrote to memory of 4316	3360	DEM560A.exe	101
PID 3360 wrote to memory of 4316	3360	DEM560A.exe	101
PID 4316 wrote to memory of 952	4316	DEMAC29.exe	103
PID 4316 wrote to memory of 952	4316	DEMAC29.exe	103
PID 4316 wrote to memory of 952	4316	DEMAC29.exe	103

C:\Users\Admin\AppData\Local\Temp\13743212590bf633b419e5ce923e683a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13743212590bf633b419e5ce923e683a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\DEM5331.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5331.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\DEMA9CD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA9CD.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Users\Admin\AppData\Local\Temp\DEMFFFB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFFFB.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1360
    - - C:\Users\Admin\AppData\Local\Temp\DEM560A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM560A.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3360
      - C:\Users\Admin\AppData\Local\Temp\DEMAC29.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAC29.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\DEM238.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM238.exe"
        7⤵
        Executes dropped EXE
        
        PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM238.exe

Filesize
16KB

MD5
be79da47ddb040a23d75001cfc7bf1d7

SHA1
749a6882f3c2a831bd70f92d0711ec481ae35e9d

SHA256
dd1e9e37f7c12c0b87119733b12056049d29095ce6bf77c16377e92d0d133703

SHA512
9c286e4785ea6bfa519acd7aad705a0e6f191cad158e66a78dd25cf4b012f05415cf272c839365a2582eb3f43170aa3e1a684f258c53b295c0b4ba69c4a0a732

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5331.exe

Filesize
16KB

MD5
28c38641ecd6d676a952991c6dbb0d17

SHA1
ddc5b71325d7128a139a43897c7cec8a0d14fcc1

SHA256
c7a252a1b3917f6f1520de444086253dc58082b3d1aa5640f2e322e6f398805e

SHA512
21fb19644b3c7f3cd18cd8fdfc8f44b261c09e6b804b3a695803023ff145fc1ef501e9717596d0d69687dd8a7f529722b3eadd58b85c4b57d614f58fb2332700

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM560A.exe

Filesize
16KB

MD5
de3b4b3ac0c4d20edbfbc8b707802ed9

SHA1
bf87490c733687d63913db5c8a34941c1d8d1151

SHA256
0a125721d01dcaa3d4668832ef398f039d713754b7c38c9ba7726658aa4212cc

SHA512
b340147cd7fa1d5f1dc5bc21c0eb89175a49fdcaff993d0ea44b2ffa0c255700cf35a14fa2f4779bee0461d8fa2cfe93fad9cbf363b467439136b7ad9b0584ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA9CD.exe

Filesize
16KB

MD5
80dfbd2a79ce462060168c62150d8f24

SHA1
868575f6413999763d82f585a0136c39adb547e9

SHA256
1eefed711cfbc06fde21c7bfda3bb3eeb6f524a918723b166e6b2779d8915740

SHA512
07c8f02ec6d44d6780a03ab8e2a0ccde4e8d98e5a6657e769e677c771ef4522b95020bb6f8078a62ba7032df972429fe55f837a29abab2685e91ec0e0565c167

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAC29.exe

Filesize
16KB

MD5
439f6631304f624e4748ff7c4a8010b7

SHA1
da14c9b192095a911da0946fe9138a6cf07636c2

SHA256
99e73dd676ca91c47b9bdbed2302e6d347d508ec12c3a2ceadbd3cd9776ad5c4

SHA512
71483399d3a1f9a9e6aa0cceb7d0a22cc28ae0575cb3e0400bdc71c189f82273690985e428975147d324d7b7093a010319de2f6e5175c6431fc57fc2b6c8ead2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFFFB.exe

Filesize
16KB

MD5
7a9ca59374e0d736160def2c4260486e

SHA1
c7c6dcb33dba8a2d29fbb5d7322baf9af3e7de0d

SHA256
b70d9aa58509f17d4cfe9477570457bb000fc96fd154e67cb39b0b22f11bbaa8

SHA512
cd07706e1ced94027d65cf6212228ebb4a63f416a3350f1955d92a176cf5c5582aaeba145c3fff5faa85b9b8c1f86992713b437659f15be8f40051100de018b7

Download Submit

Analysis

Sharing