710952d934d3e3d9bed34967fdec4745ea21e1b31606f203493a6efedad784f7

General

Target

1b8990543b6ca2b30583e46f6327af29_JaffaCakes118.exe
Size

16KB
MD5

1b8990543b6ca2b30583e46f6327af29
SHA1

eb6daeea8ac07a52de28e1028394879eeb074fa1
SHA256

710952d934d3e3d9bed34967fdec4745ea21e1b31606f203493a6efedad784f7
SHA512

624aad5fe9b9b46a2c08a1a8aafdd0d4717dd9323d5ff8d2f5d56df07e4b4de65e09298e99a5db173493b570d89956b5623b4342f43450f43449d275049d24d8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5JQ:hDXWipuE+K3/SSHgxl5u

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM7C54.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMD65B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM2ECB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM86EE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMDE93.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	1b8990543b6ca2b30583e46f6327af29_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
4248	DEM7C54.exe
2944	DEMD65B.exe
3868	DEM2ECB.exe
4084	DEM86EE.exe
3204	DEMDE93.exe
4052	DEM3743.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 4248	4512	1b8990543b6ca2b30583e46f6327af29_JaffaCakes118.exe	97
PID 4512 wrote to memory of 4248	4512	1b8990543b6ca2b30583e46f6327af29_JaffaCakes118.exe	97
PID 4512 wrote to memory of 4248	4512	1b8990543b6ca2b30583e46f6327af29_JaffaCakes118.exe	97
PID 4248 wrote to memory of 2944	4248	DEM7C54.exe	100
PID 4248 wrote to memory of 2944	4248	DEM7C54.exe	100
PID 4248 wrote to memory of 2944	4248	DEM7C54.exe	100
PID 2944 wrote to memory of 3868	2944	DEMD65B.exe	102
PID 2944 wrote to memory of 3868	2944	DEMD65B.exe	102
PID 2944 wrote to memory of 3868	2944	DEMD65B.exe	102
PID 3868 wrote to memory of 4084	3868	DEM2ECB.exe	104
PID 3868 wrote to memory of 4084	3868	DEM2ECB.exe	104
PID 3868 wrote to memory of 4084	3868	DEM2ECB.exe	104
PID 4084 wrote to memory of 3204	4084	DEM86EE.exe	106
PID 4084 wrote to memory of 3204	4084	DEM86EE.exe	106
PID 4084 wrote to memory of 3204	4084	DEM86EE.exe	106
PID 3204 wrote to memory of 4052	3204	DEMDE93.exe	108
PID 3204 wrote to memory of 4052	3204	DEMDE93.exe	108
PID 3204 wrote to memory of 4052	3204	DEMDE93.exe	108

C:\Users\Admin\AppData\Local\Temp\1b8990543b6ca2b30583e46f6327af29_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b8990543b6ca2b30583e46f6327af29_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Users\Admin\AppData\Local\Temp\DEM7C54.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7C54.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\DEMD65B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD65B.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\DEM2ECB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2ECB.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3868
    - - C:\Users\Admin\AppData\Local\Temp\DEM86EE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM86EE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4084
      - C:\Users\Admin\AppData\Local\Temp\DEMDE93.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDE93.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\DEM3743.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3743.exe"
        7⤵
        Executes dropped EXE
        
        PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2ECB.exe

Filesize
16KB

MD5
c2c924d4762352a3b5b2cb7c6ea0e1df

SHA1
58c0ff8f705491f16d789a1ec001b58d8026b1e1

SHA256
7aedb652f4291cfe28f43cfb8d43e4155ba7d852acc9434cddf852e2d40cf24c

SHA512
36ed327f9115cd1fc336498f0a014a84a375a0bbac7363e0768dd3740fe4bce4bbe2c4dc5fc058d80572804f6ecec4bae0d1761c6a566a1c90f7eff998428607

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3743.exe

Filesize
16KB

MD5
61e067028fc53fddd3474f2258049077

SHA1
23c63352c51e485be66303343a803f486776162d

SHA256
2c3a1381647758b578996b27f90dd0bc779208321e37147a6ddbe080e9e59c3c

SHA512
643cbeafa3df6f5bd6a01bb6902ca18fd8248af88ada6032002f8518c372a605eabc110cb9057efb4358161bcba8f4818db4a3f5216f90685e1b24e5cb44cf2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7C54.exe

Filesize
16KB

MD5
515b93d7dfc638ca2fb2866f9b0207ef

SHA1
17934343c02227b567d236e9b5d13b0d821bf6f5

SHA256
6fd9e9a452e2ca7c3d15447aaa7b0b4fe4dc73b92d71c3fda1ddf6542330c859

SHA512
64da04c033447d6b353e24558c05f20e0917494555ed1dd5f004c9bcd17f32471da7826995beff866ec289fa843cd40aed37e0b3e54a4f92596d45ac68dfd217

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM86EE.exe

Filesize
16KB

MD5
46bc2d5912b3dd7594df53e2859c65e2

SHA1
cdcc0a7e0798982be75e802fb9e81842831d90d2

SHA256
67f4a64e79f65e615188726d98e31fa2cd6a0f1ae3d540b16f2b57f5ac03f6c5

SHA512
e30a9b400ab4e0134440f8157e4a227d8c828f4263802e9983347b7ce797e44e6c2d3e87abe09210623bfa6b40bf2cc47c674a3fc5585fbf25ae120cfb55e388

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD65B.exe

Filesize
16KB

MD5
c68ea1729f462ff4f85fcf4e8023b11a

SHA1
d34bc77bd6d2bcb4a1321bd8e5d6167250c86311

SHA256
c9fff1b68ef4bc2015afc5903204d627be1e73e67696d1b2d1a45005dd17662c

SHA512
3ec7d5fba5ab3b1bcbd1a515999a1a27e72e7a449386c0e74b7f3d093ce36d23b90d33c3b5325894883da292aea838b290e734d921d8b4a71788aacb445d8c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDE93.exe

Filesize
16KB

MD5
204fc516bbc2152dc0828b90e886e031

SHA1
bd2f9e4063a6fd206df88723b60cd3cf4ed594c6

SHA256
aae167f61e08186045f80ad52699f66d70390c7061785979d9e1f619bf2d2115

SHA512
65ebd689b6d7a4c1092ba98de3d4a730cf1e8d1be68f42c7ee8bb16e2f5c0f0869a5755e72e84da27977bac744ce7661cb87558e52c49c1048b50fb65ad572d1

Download Submit

Analysis

Sharing