b5c140e26ba05e2d7ad118e4e3345094cc4dd0f2e9f4ee2dd5392bc079fdfe43

General

Target

200334e124e058b2732f7e9ac7b0a2bd_JaffaCakes118.exe
Size

14KB
MD5

200334e124e058b2732f7e9ac7b0a2bd
SHA1

a233fb47695bb69f435d66fd30db073d1df9a33a
SHA256

b5c140e26ba05e2d7ad118e4e3345094cc4dd0f2e9f4ee2dd5392bc079fdfe43
SHA512

4eb66640ed2f00a5345f1ddf8675c6db8f954cb40239f91bebb146a95afaf19bc5e45fcfe2b6a78308c01f138b8cb6cbe0a6feabb4b0801d5da3d08244558fc7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdHHup:hDXWipuE+K3/SSHgx3NHHO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM567C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEMAE12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM4ED.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM5B89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEMB263.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	200334e124e058b2732f7e9ac7b0a2bd_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3628	DEM567C.exe
3784	DEMAE12.exe
4308	DEM4ED.exe
3928	DEM5B89.exe
4052	DEMB263.exe
4792	DEM95D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 3628	3652	200334e124e058b2732f7e9ac7b0a2bd_JaffaCakes118.exe	98
PID 3652 wrote to memory of 3628	3652	200334e124e058b2732f7e9ac7b0a2bd_JaffaCakes118.exe	98
PID 3652 wrote to memory of 3628	3652	200334e124e058b2732f7e9ac7b0a2bd_JaffaCakes118.exe	98
PID 3628 wrote to memory of 3784	3628	DEM567C.exe	101
PID 3628 wrote to memory of 3784	3628	DEM567C.exe	101
PID 3628 wrote to memory of 3784	3628	DEM567C.exe	101
PID 3784 wrote to memory of 4308	3784	DEMAE12.exe	103
PID 3784 wrote to memory of 4308	3784	DEMAE12.exe	103
PID 3784 wrote to memory of 4308	3784	DEMAE12.exe	103
PID 4308 wrote to memory of 3928	4308	DEM4ED.exe	105
PID 4308 wrote to memory of 3928	4308	DEM4ED.exe	105
PID 4308 wrote to memory of 3928	4308	DEM4ED.exe	105
PID 3928 wrote to memory of 4052	3928	DEM5B89.exe	107
PID 3928 wrote to memory of 4052	3928	DEM5B89.exe	107
PID 3928 wrote to memory of 4052	3928	DEM5B89.exe	107
PID 4052 wrote to memory of 4792	4052	DEMB263.exe	109
PID 4052 wrote to memory of 4792	4052	DEMB263.exe	109
PID 4052 wrote to memory of 4792	4052	DEMB263.exe	109

C:\Users\Admin\AppData\Local\Temp\200334e124e058b2732f7e9ac7b0a2bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\200334e124e058b2732f7e9ac7b0a2bd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Users\Admin\AppData\Local\Temp\DEM567C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM567C.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Users\Admin\AppData\Local\Temp\DEMAE12.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAE12.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - C:\Users\Admin\AppData\Local\Temp\DEM4ED.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4ED.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4308
    - - C:\Users\Admin\AppData\Local\Temp\DEM5B89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5B89.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3928
      - C:\Users\Admin\AppData\Local\Temp\DEMB263.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB263.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\DEM95D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM95D.exe"
        7⤵
        Executes dropped EXE
        
        PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4ED.exe

Filesize
14KB

MD5
9deee85fdead77de03f571ff43240c1f

SHA1
a6b622dd8ec79495f4b85cd5a79a8fb35214ef08

SHA256
8bf7b5d090c7dfa63a188cae1fb41cf0e5432b9e954dd4672bdd241fc5a06d9a

SHA512
70d2f2800dc12a88fb0b991accfaca9ad8bddf251bd4d5ee25c5d220bd4a62993763b2b633e5a94a490423306ab4d98419909dc0d5f10a46da905855012bb615

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM567C.exe

Filesize
14KB

MD5
046781784cd38cd5e4f5abf6da3bfe6f

SHA1
0442db8b39d2a5406d46a87cae81f8574e809717

SHA256
2e553f4e0e383d5b296ad9e141c121ec2b27c0a04cdc6c293da306ea25fe9e23

SHA512
7f29aa319dda8a18a076908ac57d15eb3bb785dfc5e83e3c530c662d8023bfa8c0acb4a08156f2eba7dd42f6753f3da6404f242111e92968a2f182d1cbf78486

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5B89.exe

Filesize
14KB

MD5
dd6227e3e08552088f84cc339d618875

SHA1
f760ab85ec877053f367b04cb6df72c690517f06

SHA256
cfbdeed38e6401f56aa983791ed002c7ec33044112a77b4fe68b6c10eda31eb9

SHA512
291e0255d8e20e30b5092351eddf81cc72e3d2aff2de025c9db461f1ede0a8a43cf9628307cad2a9e60bd4473141c22b6a44c9fb1edff91669f725e763ae87e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM95D.exe

Filesize
14KB

MD5
61496eb2b06c798016105e7c88076851

SHA1
d53d6078740fcf444ecf7203cf804b571c011857

SHA256
185a6f75c748fa4d884371f2bca799f6bcb066d909771aee825ec51ce6038104

SHA512
1fd557c725c945f0f3f2dcb78fe6a3ef4f0c5ad8881131351222e5b91fffb0d85f0dff994a626a0ed2f6048e673fbc11b7971e1bde87603e31239833a1b9b147

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAE12.exe

Filesize
14KB

MD5
49588d48a8ef709987392c8ee21a22d1

SHA1
0f252cacc819b1b322301319bf9e8b13f17b83d4

SHA256
b4f01146947d27e06e486a9dd62d130fc7588e2221a33a585d61d2ccf2b160c4

SHA512
9d8c865563265e71141076488f131aee2c36a935642e6eb4445680755def0148cb70b7b67b8d0ddb2896ca1f167559b58bbecf063ca3d598209fbe80f53d1956

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB263.exe

Filesize
14KB

MD5
d1dd2e4738532353885f305505851638

SHA1
0e7c56023db79b1a7ade1638f4280c4dce2ca358

SHA256
967f297a3fdd4c4e19340979b55891f3d041bed20c4f931931c70b7fd8d60eb6

SHA512
c7d02865ed11ce885995c104b44f67b6ae71e036fd2a9c20f4abb6c932421072ec4cab992c301b78ba9119a8fc187bf945f7cb09cb15f8fd6fd1da7927d01771

Download Submit

Analysis

Sharing