0d833e719d93403e66b29861ba178daabee52e91c0afd051af6f075e5030d2cd

General

Target

1c6d59271e05d417695f7c9c7c283838_JaffaCakes118.exe
Size

15KB
MD5

1c6d59271e05d417695f7c9c7c283838
SHA1

e8e8d5b5a4bed12f82eadb4672b2992b1d7b81ad
SHA256

0d833e719d93403e66b29861ba178daabee52e91c0afd051af6f075e5030d2cd
SHA512

fca12859cc4350be7440ddbd65c370db8f3c64c418d04e30ff10eee1f5fa0ab88eeffbc6f40c8fa69206b60fb60c4bbb223f755a8ec002cf111993eac41748f7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8YBO:hDXWipuE+K3/SSHgxm8eO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEME03E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM365D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM8C5D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	1c6d59271e05d417695f7c9c7c283838_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM3364.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM8A00.exe

Executes dropped EXE 6 IoCs

pid	Process
3468	DEM3364.exe
2268	DEM8A00.exe
3328	DEME03E.exe
4504	DEM365D.exe
412	DEM8C5D.exe
3620	DEME27B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 3468	3744	1c6d59271e05d417695f7c9c7c283838_JaffaCakes118.exe	97
PID 3744 wrote to memory of 3468	3744	1c6d59271e05d417695f7c9c7c283838_JaffaCakes118.exe	97
PID 3744 wrote to memory of 3468	3744	1c6d59271e05d417695f7c9c7c283838_JaffaCakes118.exe	97
PID 3468 wrote to memory of 2268	3468	DEM3364.exe	100
PID 3468 wrote to memory of 2268	3468	DEM3364.exe	100
PID 3468 wrote to memory of 2268	3468	DEM3364.exe	100
PID 2268 wrote to memory of 3328	2268	DEM8A00.exe	102
PID 2268 wrote to memory of 3328	2268	DEM8A00.exe	102
PID 2268 wrote to memory of 3328	2268	DEM8A00.exe	102
PID 3328 wrote to memory of 4504	3328	DEME03E.exe	104
PID 3328 wrote to memory of 4504	3328	DEME03E.exe	104
PID 3328 wrote to memory of 4504	3328	DEME03E.exe	104
PID 4504 wrote to memory of 412	4504	DEM365D.exe	106
PID 4504 wrote to memory of 412	4504	DEM365D.exe	106
PID 4504 wrote to memory of 412	4504	DEM365D.exe	106
PID 412 wrote to memory of 3620	412	DEM8C5D.exe	108
PID 412 wrote to memory of 3620	412	DEM8C5D.exe	108
PID 412 wrote to memory of 3620	412	DEM8C5D.exe	108

C:\Users\Admin\AppData\Local\Temp\1c6d59271e05d417695f7c9c7c283838_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c6d59271e05d417695f7c9c7c283838_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Users\Admin\AppData\Local\Temp\DEM3364.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3364.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\DEM8A00.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8A00.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\DEME03E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME03E.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3328
    - - C:\Users\Admin\AppData\Local\Temp\DEM365D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM365D.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4504
      - C:\Users\Admin\AppData\Local\Temp\DEM8C5D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8C5D.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\DEME27B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME27B.exe"
        7⤵
        Executes dropped EXE
        
        PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3364.exe

Filesize
15KB

MD5
86797b3c08e24beaac84c381a576275b

SHA1
0bfa2a4da35add2d0e38a995696ab5f722c7ab21

SHA256
b54ec31f72fda8e5f711b2eec7b44e72afbb601ffc2767529921bf93ac636fb6

SHA512
907e3383542668a457594489598189d644e3b16a2f754d7a2a172cd1fd67ccb7e4cf41df78df78539884505dcf98e732c11befbf062586e92061505c8e658d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM365D.exe

Filesize
16KB

MD5
4faf6376e5c893c5f750095763b22fbf

SHA1
2701f26f3e2bf30a93de85c2a79625ebea4e082f

SHA256
722ba802953d86bd701b7f174f86f21678f209361b211d8c0ba19def0692211c

SHA512
3e9df6dc1593ade9b4cf1624e778e2962dcf6ac070695b936eef1fdf6ca6e3e090f0e38234092bf1abf62a49d736ea18b47ea79afd19e2ff52ea96a3636948e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8A00.exe

Filesize
15KB

MD5
72299b9850839e4640a1f11d628f6ad6

SHA1
902761e188e04c856d40e27b37f785ff19feb5fc

SHA256
6d2e288242b541e7faa1b42b59ad56ff48017e374fe565351263f281cd292385

SHA512
f7d45d97d85c82cbf499bd17130891b1014501053cfba64aa2bc54e5a8686cb08b4a04129e443ec4081c5fcf14aa8bff2ffa38e894768007cf34ceae20378484

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8C5D.exe

Filesize
16KB

MD5
92cbead57289b86dcd8fdbce7c0f5424

SHA1
06364fffcce7c3698e54f1490120f7605b19a658

SHA256
d9e5c341c73a294878a7529a736eb36595a3b4a2df59d01e7b58fe91db8179e7

SHA512
ad8b4fdb0978567b30a6a5a34e751809a5f4d1b6027dc4b9ee7e7fd2ed4fc9909f3ee0344340572138e607e122b22973bcdec10d0cb7f7db1dfb0f79724d43d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME03E.exe

Filesize
16KB

MD5
ef72e5cefc9cd41204b5d51fc0e089af

SHA1
1eb566b1377c9f480826d47799ee024d88d97e00

SHA256
3382107fd60ccc013bb1ea0928a45fb152d53ad4c6d936fd73e54e433252680e

SHA512
493fbc3fb694dfd45f509ba662c27fc07633287f317b1915ff7856d97b0b196298142234bd0244ddc7dda17ff9dc8123b3dcd9cbcfc5660bdf87681d0c3a17e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME27B.exe

Filesize
16KB

MD5
f3bcfc58cbc12c80bd3e316ad849d574

SHA1
b7b643a9b02e3ad25a58da0e8ae936e0ef446472

SHA256
8e7a897ce62ae2182f107422c8423ed7d9fef892d4ec88e5cd6bc279fef7d1de

SHA512
e39d2c0474cab4b48a92b3f773da381f4e30ec125b29a6570c12cbcb9d4f0f04867b226383d90c6227810aaa6f50e0de3dccce8c2ae9ff0c3b69c6fe7ccf40f8

Download Submit

Analysis

Sharing