e23d001b519832bb7d6f543c6c3b4cd5e3b55a1b087ebcd8155a4c01b8557027

General

Target

2232a64613b4796ddc75bc7da924ab50_JaffaCakes118.exe
Size

16KB
MD5

2232a64613b4796ddc75bc7da924ab50
SHA1

f5e84da7d5fb753be7c6108f060bb4ee81b02b0a
SHA256

e23d001b519832bb7d6f543c6c3b4cd5e3b55a1b087ebcd8155a4c01b8557027
SHA512

7a579fc2a98ee6ec0f4451c5b5a0755a50f62a99f0f8950b77040e327d0a544dd04a29dc03ad4f13b8f7a061a68fccf639d439e71087b985dd1d28b4180fcf1f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0Ftv:hDXWipuE+K3/SSHgxm0Lv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM9ECB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	2232a64613b4796ddc75bc7da924ab50_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM45F2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM9C5F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMF27E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM48CC.exe

Executes dropped EXE 6 IoCs

pid	Process
2444	DEM45F2.exe
4808	DEM9C5F.exe
1624	DEMF27E.exe
5076	DEM48CC.exe
3196	DEM9ECB.exe
1372	DEMF4DB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 2444	5112	2232a64613b4796ddc75bc7da924ab50_JaffaCakes118.exe	91
PID 5112 wrote to memory of 2444	5112	2232a64613b4796ddc75bc7da924ab50_JaffaCakes118.exe	91
PID 5112 wrote to memory of 2444	5112	2232a64613b4796ddc75bc7da924ab50_JaffaCakes118.exe	91
PID 2444 wrote to memory of 4808	2444	DEM45F2.exe	94
PID 2444 wrote to memory of 4808	2444	DEM45F2.exe	94
PID 2444 wrote to memory of 4808	2444	DEM45F2.exe	94
PID 4808 wrote to memory of 1624	4808	DEM9C5F.exe	96
PID 4808 wrote to memory of 1624	4808	DEM9C5F.exe	96
PID 4808 wrote to memory of 1624	4808	DEM9C5F.exe	96
PID 1624 wrote to memory of 5076	1624	DEMF27E.exe	98
PID 1624 wrote to memory of 5076	1624	DEMF27E.exe	98
PID 1624 wrote to memory of 5076	1624	DEMF27E.exe	98
PID 5076 wrote to memory of 3196	5076	DEM48CC.exe	100
PID 5076 wrote to memory of 3196	5076	DEM48CC.exe	100
PID 5076 wrote to memory of 3196	5076	DEM48CC.exe	100
PID 3196 wrote to memory of 1372	3196	DEM9ECB.exe	102
PID 3196 wrote to memory of 1372	3196	DEM9ECB.exe	102
PID 3196 wrote to memory of 1372	3196	DEM9ECB.exe	102

C:\Users\Admin\AppData\Local\Temp\2232a64613b4796ddc75bc7da924ab50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2232a64613b4796ddc75bc7da924ab50_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Local\Temp\DEM45F2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM45F2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\DEM9C5F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9C5F.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\DEMF27E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF27E.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\Users\Admin\AppData\Local\Temp\DEM48CC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM48CC.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5076
      - C:\Users\Admin\AppData\Local\Temp\DEM9ECB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9ECB.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\DEMF4DB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF4DB.exe"
        7⤵
        Executes dropped EXE
        
        PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM45F2.exe

Filesize
16KB

MD5
4aae58caa1eb87a4ff0977c2eae22b83

SHA1
acd08bda16bf6fb14934f99cdbfee29bba29bf01

SHA256
c45b825bd32345c4b3227252138208e67e917c0565a1049fe9a04a7e5d171cb1

SHA512
fb9c3f07475dafdea49e23b80a2c5ed3b4e6aec79d6fb01df77e348f1f6056d07d4c19fa7b3ad9adab306300d45b4df358e61c4b25826bb3cc79b25b03ac2eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM48CC.exe

Filesize
16KB

MD5
29b1e7efa24fa6694bb694e837007a2e

SHA1
e03b18ca887691587965c73da1a0cbea3ec86d47

SHA256
e257e246782a3ac68d7061e6493ab738c18ac4708ded9c70e24a423ada7f2c4b

SHA512
79984b63ef88b5f01d556c769caa59778a0fb2c0012cdff714fc816c2016f228434c7793704aaa5ad79fbe67e1f4c45582aa1605a5ecf7f31f5e94111ce26c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9C5F.exe

Filesize
16KB

MD5
bb9051b6dc73083e770e8a8b06f39099

SHA1
76921f0de4a7961cbc8994cc4603735e4569883f

SHA256
09a69940e6ce5cfc56c22925c9a0180434d5e6fb81030b7c2f6af35323fc8fc3

SHA512
082c147f4cced4f9a2c8d427675ec5a8e54fd1829df69768d8813be869707d3a1abab8eead00bfa9c8be6645b13f4cd63cfb6c69a1a3394e40784f33d0594522

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9ECB.exe

Filesize
16KB

MD5
9bd22429b820778ee07799c564a97eb4

SHA1
3b06c50e9108f9194008e375fab5f34334c193c8

SHA256
0013b77f2edd446ec68188c0a425a23d35fe27e6aabe082adba671a924e90a46

SHA512
8b4587d1c52e7eb3c42d20130c4348cf3631ebead8ad27f6ccffefc2ed0b1e74a0d86b4f36f02905ee56186f7b7af67a70d1c737c572feac94e21a6e444886af

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF27E.exe

Filesize
16KB

MD5
4751c3492b8f4e6a84d4db2fd5ffd96e

SHA1
c7f0a827430fd504a40d0c1a8d39ab312e94dbac

SHA256
174e35ee61e224c781e8d252ab577ae1cf2acf02da15dd6dfe49c19af2501658

SHA512
f5a428c7601ca5b72e435cef624e92c25218e85a4b08721a6c9580195ff6cdd3d2578b26467fe05647e0527398366b43975c5680f825587b581440114a9c14d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF4DB.exe

Filesize
16KB

MD5
4cac5be04d5cc34e21c460d7a51dc473

SHA1
cae69d15102d2792e8e1f1f2dbac02525475de8d

SHA256
20029b097352a40cf307470a922c852dd7d9e61aea04fa163c7b1e45c04d824a

SHA512
429b080287493c0cfe1b157d9954842f527143c2edf82829a46c4125bf63d088ea9900077fa3527d8bdbec69ecf336bbc71e61214fbf88c30507f5df8d3000d2

Download Submit

Analysis

Sharing