c9f9c426051c7592651f3fc5d4086aedc19d0d04f2eaaf4086d3ad35ed0d9a36

General

Target

17e5c454d20a0c1928b539dcaa4cc9de_JaffaCakes118.exe
Size

20KB
MD5

17e5c454d20a0c1928b539dcaa4cc9de
SHA1

d441b4fedf145cba4c8df3160e9644ec8bdc5107
SHA256

c9f9c426051c7592651f3fc5d4086aedc19d0d04f2eaaf4086d3ad35ed0d9a36
SHA512

91072304b4f62b329e4b6f1bf2d3cee33aded9e37f00bacb3343a1fc0f6e6f5bd5ee5f4767d03db09eaa18f930271709166ba5d825d8ee36d139c38cdeaced6a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4PSJk:hDXWipuE+K3/SSHgxmHZPSa

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMA0A5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMF6B4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM4CD3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMA2C3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	17e5c454d20a0c1928b539dcaa4cc9de_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM49DA.exe

Executes dropped EXE 6 IoCs

pid	Process
3656	DEM49DA.exe
2524	DEMA0A5.exe
4780	DEMF6B4.exe
4412	DEM4CD3.exe
5028	DEMA2C3.exe
4968	DEMF8C3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 3656	1116	17e5c454d20a0c1928b539dcaa4cc9de_JaffaCakes118.exe	94
PID 1116 wrote to memory of 3656	1116	17e5c454d20a0c1928b539dcaa4cc9de_JaffaCakes118.exe	94
PID 1116 wrote to memory of 3656	1116	17e5c454d20a0c1928b539dcaa4cc9de_JaffaCakes118.exe	94
PID 3656 wrote to memory of 2524	3656	DEM49DA.exe	97
PID 3656 wrote to memory of 2524	3656	DEM49DA.exe	97
PID 3656 wrote to memory of 2524	3656	DEM49DA.exe	97
PID 2524 wrote to memory of 4780	2524	DEMA0A5.exe	99
PID 2524 wrote to memory of 4780	2524	DEMA0A5.exe	99
PID 2524 wrote to memory of 4780	2524	DEMA0A5.exe	99
PID 4780 wrote to memory of 4412	4780	DEMF6B4.exe	101
PID 4780 wrote to memory of 4412	4780	DEMF6B4.exe	101
PID 4780 wrote to memory of 4412	4780	DEMF6B4.exe	101
PID 4412 wrote to memory of 5028	4412	DEM4CD3.exe	103
PID 4412 wrote to memory of 5028	4412	DEM4CD3.exe	103
PID 4412 wrote to memory of 5028	4412	DEM4CD3.exe	103
PID 5028 wrote to memory of 4968	5028	DEMA2C3.exe	105
PID 5028 wrote to memory of 4968	5028	DEMA2C3.exe	105
PID 5028 wrote to memory of 4968	5028	DEMA2C3.exe	105

C:\Users\Admin\AppData\Local\Temp\17e5c454d20a0c1928b539dcaa4cc9de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17e5c454d20a0c1928b539dcaa4cc9de_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\DEM49DA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM49DA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Users\Admin\AppData\Local\Temp\DEMA0A5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA0A5.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\DEMF6B4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF6B4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Users\Admin\AppData\Local\Temp\DEM4CD3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4CD3.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4412
      - C:\Users\Admin\AppData\Local\Temp\DEMA2C3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA2C3.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\DEMF8C3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF8C3.exe"
        7⤵
        Executes dropped EXE
        
        PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM49DA.exe

Filesize
20KB

MD5
f861a7230061a5b734fd47fffdd2e2e1

SHA1
d25121d31e7b533e463771cc8b903ff6db21fb01

SHA256
205942476c3719f2575f6b840c20843c8bc93d90e00bbbed8d39f66b258218c5

SHA512
31ed0bfc0b6fe478e12895549ad46f47f64de6a2c547aec64ff56010774950ff632eb08068c1601fa23cd553fb0d17a3faa7f4626adee5cdfb8b0520e297640c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4CD3.exe

Filesize
20KB

MD5
1421a39bbbbf728c4a4bfdec9a0baad5

SHA1
8e523639967dda3e90c1b62493fe3f17b095609f

SHA256
512bf6b6d5b51c5d89098cff58002a8a2acea363338e653cb4eb8a8329962cc9

SHA512
8dadeba63aedf63f71590fad7df1b932dc9526c6b4f16162d315f8bba7b97b3a4e2284de7ccb5c15826d004e4e5b815db63e7c14ed3b3275dd79eea030fa1bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA0A5.exe

Filesize
20KB

MD5
09099680927eebc9e5672c87298ad930

SHA1
97389446871de99b98c555a12e42d48cd9d601c4

SHA256
edad7d4c809ca59c85187419cdbee8cff3d1e7945d18f93c33763aaa6a500473

SHA512
2b4a2da9fbb2a46b830dd99db717be83f606ffa8ab08fd49865d14e878b733db3fe516a53e85f541e2d471dc1535543bbde8d2b19d3fb36f4db52ad412b3e488

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA2C3.exe

Filesize
20KB

MD5
2ffdefc901cd13e004a5acb9c818bbe6

SHA1
844f9e57baea8ea508320436f593f392d6a18742

SHA256
59c24bf54005dd49ede13bb43fefea560324a680bc782c394fda751785178d7d

SHA512
70f20b9c0979aed17643392e5555fc8c89b4446fae697e3b7d3437f10495be4dad26fd604c97d1f4e8c9502e2b4c8625a20beedae58957efc3b5b1638622a8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF6B4.exe

Filesize
20KB

MD5
0ea47dc3fb88c96e037067496d4aac60

SHA1
43ce3717220846a31b7555fa4b2b3a22cf314cb0

SHA256
e289a3510e7c7d60f8dccf8b1502a3d25ee0e7fcc5be13751cfba2886c1f5d1b

SHA512
a37de0a2882b70b0ffde65181e1ca893fcf19673506ba8aae292222ea04a3882638499a0a22a4f8ac3b500822a44a70942a08f98aea3399ed95cb078f544d676

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF8C3.exe

Filesize
20KB

MD5
e2c9a5a891d8f1444fe82205f1c376b4

SHA1
427aece0c197cafcea88f99ccb58e18a1a01ab74

SHA256
ab5c17e23658788a2feb1248b0cb8c156ad3eedb0a562b0139e35d791d81422e

SHA512
13507036a5ebb2a6089602ff7a9311010b0e4525bf594ec3aed5c098d836e3ebcdebcb1886357b1680113b06c03e26725904de53483ba1a406cc793c9a297976

Download Submit

Analysis

Sharing