9e374b415799b74f1d741213949949bcaa53b48cf47b201186f4348f299b7d5c

General

Target

2270c74260b1ad51174ac62ea8ebdbbd_JaffaCakes118.exe
Size

15KB
MD5

2270c74260b1ad51174ac62ea8ebdbbd
SHA1

261fd4a22bbcf8537f1bae2b9999d7afca6063da
SHA256

9e374b415799b74f1d741213949949bcaa53b48cf47b201186f4348f299b7d5c
SHA512

d32e4900b32b72805fffb8313e286c9664e594e0d7e6b61112457a7256d5cc143e934d22cfb762961d9f5f8bde156902d816c12393120563da97047ed086d43e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYluhfn:hDXWipuE+K3/SSHgxmluZ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	2270c74260b1ad51174ac62ea8ebdbbd_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM753F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMCE9A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM24AA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM7A7A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMD02C.exe

Executes dropped EXE 6 IoCs

pid	Process
1528	DEM753F.exe
4996	DEMCE9A.exe
4328	DEM24AA.exe
1072	DEM7A7A.exe
1080	DEMD02C.exe
4636	DEM2820.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1528	2312	2270c74260b1ad51174ac62ea8ebdbbd_JaffaCakes118.exe	96
PID 2312 wrote to memory of 1528	2312	2270c74260b1ad51174ac62ea8ebdbbd_JaffaCakes118.exe	96
PID 2312 wrote to memory of 1528	2312	2270c74260b1ad51174ac62ea8ebdbbd_JaffaCakes118.exe	96
PID 1528 wrote to memory of 4996	1528	DEM753F.exe	99
PID 1528 wrote to memory of 4996	1528	DEM753F.exe	99
PID 1528 wrote to memory of 4996	1528	DEM753F.exe	99
PID 4996 wrote to memory of 4328	4996	DEMCE9A.exe	101
PID 4996 wrote to memory of 4328	4996	DEMCE9A.exe	101
PID 4996 wrote to memory of 4328	4996	DEMCE9A.exe	101
PID 4328 wrote to memory of 1072	4328	DEM24AA.exe	103
PID 4328 wrote to memory of 1072	4328	DEM24AA.exe	103
PID 4328 wrote to memory of 1072	4328	DEM24AA.exe	103
PID 1072 wrote to memory of 1080	1072	DEM7A7A.exe	105
PID 1072 wrote to memory of 1080	1072	DEM7A7A.exe	105
PID 1072 wrote to memory of 1080	1072	DEM7A7A.exe	105
PID 1080 wrote to memory of 4636	1080	DEMD02C.exe	107
PID 1080 wrote to memory of 4636	1080	DEMD02C.exe	107
PID 1080 wrote to memory of 4636	1080	DEMD02C.exe	107

C:\Users\Admin\AppData\Local\Temp\2270c74260b1ad51174ac62ea8ebdbbd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2270c74260b1ad51174ac62ea8ebdbbd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\DEM753F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM753F.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\DEMCE9A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCE9A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Users\Admin\AppData\Local\Temp\DEM24AA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM24AA.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4328
    - - C:\Users\Admin\AppData\Local\Temp\DEM7A7A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7A7A.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1072
      - C:\Users\Admin\AppData\Local\Temp\DEMD02C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD02C.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\DEM2820.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2820.exe"
        7⤵
        Executes dropped EXE
        
        PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM24AA.exe

Filesize
15KB

MD5
c9d8de4914795bb25c7932ab20e6443d

SHA1
f6f0ae07fb13548b316d3ea878b26e1a5008b923

SHA256
25b39d1e3f6ba997d8efe24b71742315ddede8ab56432541927cdc204b3fc913

SHA512
ca62a726e62636a8a63362e9dc5c99df322ac5d0ec7616f55fcfaf5dd2c53a3000e4efbc668b8c0dac8c319d65731346b4446a1156ee2206e0013ae314868123

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2820.exe

Filesize
15KB

MD5
e582e45d9451b864fb31e7c97365debd

SHA1
29e1b8d5237a56d423523d0cede9724c87e2472a

SHA256
45cb5f11fe293a2eae977366e1a7729c1a400ed51a37c5634e4f40c5beedba0f

SHA512
906dfead97aa08f04c0ad9247a6922bc2723e1193387f24ecceb95a402c804cb11e4e00a58a96a28e771de3b87e3148fc1859ec855bbe409a34f2d7c391c286a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM753F.exe

Filesize
15KB

MD5
0eba2dedc7c00ec2d7cf77e5c1416d82

SHA1
87532961149d8640bc617db35584c5a04baab6c9

SHA256
4d74ae4f14a776f958f5f1039218f1cd921459c139b70031a513ccbb63c34d2b

SHA512
225c37f74f756c34e05112da12f18d4e897c7c3b357824d9574a2624ebfd41eb959e5a8032b1919fd9ef403a2a0440bc5dfdce5e845984258e239c33a0090ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7A7A.exe

Filesize
15KB

MD5
d0bfc4e3839e24fd847cdd4fbfbcf6c8

SHA1
6113870f5f4d84a3efaef3c7538d0c511bce2f4a

SHA256
2b69df62eca704a58a694259858219ea0d7341c14c2e753b1ccb67429a3af09c

SHA512
3980f2bc3d88b95e989da0d60d6815275c6ce7d893765f6d5c51bb41e3c74f051a4ef317a1ef3f5a7eb2753a851283c597442b35fefad40add10e574dee4d1c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCE9A.exe

Filesize
15KB

MD5
378bc9b0f08703eb6c1424c88265228f

SHA1
bbfc20435719045bffcff270d1914beaffdd6837

SHA256
93e962390495da759edcc37b060493bbe5f921d4f28e693d5c26d85bf1972d27

SHA512
5ca36e470b5558dbf69e5b41ca9b0a654a148428f5a249dc4eb0cff66150b395b1b85573125097de51630253c3658def4594fe668ca4f0cac798966c62f29249

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD02C.exe

Filesize
15KB

MD5
b9abb20300105f27e1e21f606f69b74f

SHA1
104a9cfcd112fbbf0a87cc53e5fa6daba6215609

SHA256
d7e96e334794b8683592950d7c28c78fa1683ccd7e18acf446387463ddc03803

SHA512
573e60315be31cd08101c19de7401b9df895bd9c7511511c1481f7a94317cb9a2ba0e48a3c7d7cd18596a8e63cc350b8483d5c15cb47a0f9bf9d2a5aab7e0e58

Download Submit

Analysis

Sharing