305019b0eb5ca9a6bb1703c4d4c569528835f8cfe40065815532e228c9c9b4ac

General

Target

1a16124e6323eb1ab1ac71e0f1cac8f5_JaffaCakes118.exe
Size

15KB
MD5

1a16124e6323eb1ab1ac71e0f1cac8f5
SHA1

ef58b89a95f9cd6aa7a95507e6225d312f4e48f5
SHA256

305019b0eb5ca9a6bb1703c4d4c569528835f8cfe40065815532e228c9c9b4ac
SHA512

58679a793ae7c9b7018d35fe7adb70a9575f6bc96db0c42127a6c12735c8d4089ac0c15dd806a5e1018e0baf35a59ac0600716ca453f05f2ed9170c92a040a04
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlPM:hDXWipuE+K3/SSHgxmlk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEMD949.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM2F87.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM8558.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	1a16124e6323eb1ab1ac71e0f1cac8f5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM2C8E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM832A.exe

Executes dropped EXE 6 IoCs

pid	Process
4180	DEM2C8E.exe
2468	DEM832A.exe
1404	DEMD949.exe
4076	DEM2F87.exe
228	DEM8558.exe
628	DEMDBA5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 4180	412	1a16124e6323eb1ab1ac71e0f1cac8f5_JaffaCakes118.exe	98
PID 412 wrote to memory of 4180	412	1a16124e6323eb1ab1ac71e0f1cac8f5_JaffaCakes118.exe	98
PID 412 wrote to memory of 4180	412	1a16124e6323eb1ab1ac71e0f1cac8f5_JaffaCakes118.exe	98
PID 4180 wrote to memory of 2468	4180	DEM2C8E.exe	101
PID 4180 wrote to memory of 2468	4180	DEM2C8E.exe	101
PID 4180 wrote to memory of 2468	4180	DEM2C8E.exe	101
PID 2468 wrote to memory of 1404	2468	DEM832A.exe	103
PID 2468 wrote to memory of 1404	2468	DEM832A.exe	103
PID 2468 wrote to memory of 1404	2468	DEM832A.exe	103
PID 1404 wrote to memory of 4076	1404	DEMD949.exe	105
PID 1404 wrote to memory of 4076	1404	DEMD949.exe	105
PID 1404 wrote to memory of 4076	1404	DEMD949.exe	105
PID 4076 wrote to memory of 228	4076	DEM2F87.exe	107
PID 4076 wrote to memory of 228	4076	DEM2F87.exe	107
PID 4076 wrote to memory of 228	4076	DEM2F87.exe	107
PID 228 wrote to memory of 628	228	DEM8558.exe	109
PID 228 wrote to memory of 628	228	DEM8558.exe	109
PID 228 wrote to memory of 628	228	DEM8558.exe	109

C:\Users\Admin\AppData\Local\Temp\1a16124e6323eb1ab1ac71e0f1cac8f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a16124e6323eb1ab1ac71e0f1cac8f5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:412
- C:\Users\Admin\AppData\Local\Temp\DEM2C8E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2C8E.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Users\Admin\AppData\Local\Temp\DEM832A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM832A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\DEMD949.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD949.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Users\Admin\AppData\Local\Temp\DEM2F87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2F87.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4076
      - C:\Users\Admin\AppData\Local\Temp\DEM8558.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8558.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\DEMDBA5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDBA5.exe"
        7⤵
        Executes dropped EXE
        
        PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2C8E.exe

Filesize
15KB

MD5
b09b58e22f9ce5c6a6835ce6e5e52fc8

SHA1
3d1976f5aa8f1df60b9cf62ea72a78b21cc99a32

SHA256
88ce4b024d654ed264c78405be09c57fa755693b80ae61b5465cd7570c781a22

SHA512
4d45abea10e1880669015b37d9223a6d0e81842ec7cfa222d4e690ffc8595cb248c67f1baf85bd6f6f902ffa2b0665891b6b43be86de00e003854684f99936db

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2F87.exe

Filesize
15KB

MD5
a8ae0b7640548b8eb7b03a7e1c1eb7ae

SHA1
2cc1793fe04308a9890253001fa90bce41687e5b

SHA256
387b905b812e21dbefde6da45c93508c027dba12a723fcfe1e2b362d0fec4992

SHA512
f2edee82cd422e97fbdb86db177ea35519a741547f4fd58a57bb52d036597de454ffc90a2ece4bd32f968eeb9f10c1c4eb677acbf9eae64964e07d1b5b26b25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM832A.exe

Filesize
15KB

MD5
12c19ff954a55dce3689c2f7b02edda8

SHA1
14944ceffdc4734ccf4fc884a2f23af4d727ef3c

SHA256
5fd72ced7205c43a3247c2321d059e793cfd63ac55f06087fd96b3914be68920

SHA512
e499fcec058428a0fe7e2a1c2ff47684035a9f2116e1a82c0e1db3f6e9effa0ce8c0aa576101bb0b58a87a0765297831e33cbd2055b310b837b02100336e431c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8558.exe

Filesize
15KB

MD5
7bdf065c8207ced7d1cb0e3fea1e4666

SHA1
66896fa9ae3982c2e8399a46f564f65291d4c930

SHA256
6be68ff0f6928dd6689c4326ec7865985e413c55c909cb6e37328eaa69539d33

SHA512
d0910c1db2304d6323efd2b494427449d648a18e7c2e47ea5ca10be4f62279423d6fbb7062fa696d3c58c9697a96f69288307cdb2467a211efcf6b0b9027dc6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD949.exe

Filesize
15KB

MD5
d965bfb644b6eaac903fe5f63a85f91c

SHA1
6718f5d94c085d8bd2d7e8391362815c837c6b7a

SHA256
08cd562d0208525448157781739aefd86240c26e74e9a48f38c3e39f4978f1d5

SHA512
0d46e7023f4ea2db2c1d4dba39bcc647a81975b7d9dce59275d33076d84164050671d58736806af7833b2a40619036c391d7d5321a3128092b7a1e6542326f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDBA5.exe

Filesize
15KB

MD5
cbef027fb906bcd43975fd7575058c4e

SHA1
bd1b18d3fa60aa8355003b12455bbee3e1313a53

SHA256
b6c9b5ba27539112a73189993449ee8ebcd4e509a6b225c2f7c3989ef9e2b0ee

SHA512
557ffe4965df54202ee02645db730c84e18fe53b763a202e4f9e3ffd72f94cf6bf18ddf5174fda115da58f14902266e4c46fe5f313c6626c824f7efa0d29ee43

Download Submit

Analysis

Sharing