4151a755adf90ae22062ffd43b5709bd0cc6b0a9972d7fc49e2da680dde7f227

General

Target

14aed211d675c954891c6defbae12b06_JaffaCakes118.exe
Size

20KB
MD5

14aed211d675c954891c6defbae12b06
SHA1

75692dcc3e4ec20460d20999dd514c27fbe0f50f
SHA256

4151a755adf90ae22062ffd43b5709bd0cc6b0a9972d7fc49e2da680dde7f227
SHA512

08cb44626966e916af3596eabddc9bfc8ab6eb3f498d2ae10443d37989b8162b47db39edaed384e72c02af39e317368296a75add234b436b2fa2a3cfe533c840
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4sf:hDXWipuE+K3/SSHgxmHZsf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEMDE69.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM34B7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM8AF5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	14aed211d675c954891c6defbae12b06_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM31DD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM884A.exe

Executes dropped EXE 6 IoCs

pid	Process
2500	DEM31DD.exe
1968	DEM884A.exe
3736	DEMDE69.exe
3868	DEM34B7.exe
2588	DEM8AF5.exe
2608	DEME104.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 2500	4036	14aed211d675c954891c6defbae12b06_JaffaCakes118.exe	96
PID 4036 wrote to memory of 2500	4036	14aed211d675c954891c6defbae12b06_JaffaCakes118.exe	96
PID 4036 wrote to memory of 2500	4036	14aed211d675c954891c6defbae12b06_JaffaCakes118.exe	96
PID 2500 wrote to memory of 1968	2500	DEM31DD.exe	99
PID 2500 wrote to memory of 1968	2500	DEM31DD.exe	99
PID 2500 wrote to memory of 1968	2500	DEM31DD.exe	99
PID 1968 wrote to memory of 3736	1968	DEM884A.exe	101
PID 1968 wrote to memory of 3736	1968	DEM884A.exe	101
PID 1968 wrote to memory of 3736	1968	DEM884A.exe	101
PID 3736 wrote to memory of 3868	3736	DEMDE69.exe	103
PID 3736 wrote to memory of 3868	3736	DEMDE69.exe	103
PID 3736 wrote to memory of 3868	3736	DEMDE69.exe	103
PID 3868 wrote to memory of 2588	3868	DEM34B7.exe	105
PID 3868 wrote to memory of 2588	3868	DEM34B7.exe	105
PID 3868 wrote to memory of 2588	3868	DEM34B7.exe	105
PID 2588 wrote to memory of 2608	2588	DEM8AF5.exe	107
PID 2588 wrote to memory of 2608	2588	DEM8AF5.exe	107
PID 2588 wrote to memory of 2608	2588	DEM8AF5.exe	107

C:\Users\Admin\AppData\Local\Temp\14aed211d675c954891c6defbae12b06_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14aed211d675c954891c6defbae12b06_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Users\Admin\AppData\Local\Temp\DEM31DD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM31DD.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Users\Admin\AppData\Local\Temp\DEM884A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM884A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\DEMDE69.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDE69.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3736
    - - C:\Users\Admin\AppData\Local\Temp\DEM34B7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM34B7.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3868
      - C:\Users\Admin\AppData\Local\Temp\DEM8AF5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8AF5.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\DEME104.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME104.exe"
        7⤵
        Executes dropped EXE
        
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM31DD.exe

Filesize
20KB

MD5
15ad1c3c22ffc4707767a9e16ac2ddbe

SHA1
68a72e019aeb9587328fb93dba4dd6ed2f84e3de

SHA256
b0cf38cc1d492b04f2e549ffe109984309c4abddd5878b4d7c69b3a5adbbc570

SHA512
c3ac0cf51ee6e5b9caeed43ea8161ef4e1cfa6afa9aafeb477901b23c0b29c751684c0b4b612087d42c50b64d237cef23c3ba59e2be16822c1facad47d8384c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM34B7.exe

Filesize
20KB

MD5
ac78a60798d56f4444cb87cc0031cc51

SHA1
162cec5d14066bfd06addc1ef796d07b41f2aba5

SHA256
b5e35325fa6c2099312a9d2ff42a256f744eae21142284d89be9ee5c27346eec

SHA512
98c7ecb22f0e43494d73845c3ed3b3035d216262c9cb39dcd30951a914e7845845276304f084a3c4ddbf4dfbf9afaa8dd9c2a7d6e5e596963ad5c986af0d9739

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM884A.exe

Filesize
20KB

MD5
3113f4ed9bb0497283ce24772580f089

SHA1
ce6e4960011fbfdba9fe2b33e8a51f2fcff6ea8d

SHA256
5467df6a725ebc5bd61593c6a7fe907c7c28ed60eb285f9546cc07f676160c4c

SHA512
a593d9b8ce0550d6c77c47b1c69233ee747a46e29f2c4ea163360859846dbd9be0b93ddc8648d69b16c487e787eff9657cd4483a7159a415d41003ddddc2e7be

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8AF5.exe

Filesize
20KB

MD5
27456a73e152592c2bd3f564060cc1be

SHA1
2ad740710f579be66ed5e13fb6fa3b42fa78bcff

SHA256
0b9298c966707dee4451280053067ee21a1a3dfc0b7a4b570fc340cee0ec4b73

SHA512
9430adb70e87e86340178f0cac1773ae15d56b21e84327bc855a00cd3b2c3e886124674c5711c91822393d516e1af192e8c0010a603617705a4bc445236ee9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDE69.exe

Filesize
20KB

MD5
1d76c542a6450d1d51b5924fe1f09d2c

SHA1
4a48cc854ac5e2bcd3adcf2cd2a0e2b42745a3e3

SHA256
d2e1153f16c4e9849fcf1eee7626b953272e16774ac1ed280b318a2914f6a9af

SHA512
ffff1fb2978cad9cff7992403dc091c94039aaa7e3c57e42247a8fdc583fc8b55301fc0d003a4fe7f9a705aeeecde685a6a6cd606d63fd84ab6796a2d137722e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME104.exe

Filesize
20KB

MD5
23f81f0c6e4f7ca4aa1f4dc20983cdb4

SHA1
6b84666b4ba9aecff225f6cab0f44c772ee7cc09

SHA256
1fcd4d698bbc5e9943693863c702a82bd9a8b9285e1c7e909c0520c1fa7e44da

SHA512
4a21cc42315c01d0fae48e749e25f24c0153bbdea71311c6087be5449e8f57a6cf413fde452ef5e22a8961fa76535830a573ccb55e0cc0e1e43ac98af283b828

Download Submit

Analysis

Sharing