33f81a8023d35e9c34ec75309bb750189de376be0bcf3ebf9be70d3b192184da

General

Target

24b845bf7456434741d402e46e3db148_JaffaCakes118.exe
Size

16KB
MD5

24b845bf7456434741d402e46e3db148
SHA1

a80c4fdd9af39b4327c2a3245d9ee15a68603b82
SHA256

33f81a8023d35e9c34ec75309bb750189de376be0bcf3ebf9be70d3b192184da
SHA512

f82a813cfd2153eab8af4f8f6085378f7fb495bfbc3534fb3d3710fb6d9e283badb8956844d42170e7383321bb9301aae7a2f0bc3ac851c08f59adcfcb0cf491
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0Ff:hDXWipuE+K3/SSHgxm0N

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM66D3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMBEB7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	24b845bf7456434741d402e46e3db148_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM5DDF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMB71B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMF1E.exe

Executes dropped EXE 6 IoCs

pid	Process
2544	DEM5DDF.exe
2860	DEMB71B.exe
2628	DEMF1E.exe
652	DEM66D3.exe
4744	DEMBEB7.exe
1804	DEM15EF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 2544	4592	24b845bf7456434741d402e46e3db148_JaffaCakes118.exe	97
PID 4592 wrote to memory of 2544	4592	24b845bf7456434741d402e46e3db148_JaffaCakes118.exe	97
PID 4592 wrote to memory of 2544	4592	24b845bf7456434741d402e46e3db148_JaffaCakes118.exe	97
PID 2544 wrote to memory of 2860	2544	DEM5DDF.exe	100
PID 2544 wrote to memory of 2860	2544	DEM5DDF.exe	100
PID 2544 wrote to memory of 2860	2544	DEM5DDF.exe	100
PID 2860 wrote to memory of 2628	2860	DEMB71B.exe	102
PID 2860 wrote to memory of 2628	2860	DEMB71B.exe	102
PID 2860 wrote to memory of 2628	2860	DEMB71B.exe	102
PID 2628 wrote to memory of 652	2628	DEMF1E.exe	104
PID 2628 wrote to memory of 652	2628	DEMF1E.exe	104
PID 2628 wrote to memory of 652	2628	DEMF1E.exe	104
PID 652 wrote to memory of 4744	652	DEM66D3.exe	106
PID 652 wrote to memory of 4744	652	DEM66D3.exe	106
PID 652 wrote to memory of 4744	652	DEM66D3.exe	106
PID 4744 wrote to memory of 1804	4744	DEMBEB7.exe	108
PID 4744 wrote to memory of 1804	4744	DEMBEB7.exe	108
PID 4744 wrote to memory of 1804	4744	DEMBEB7.exe	108

C:\Users\Admin\AppData\Local\Temp\24b845bf7456434741d402e46e3db148_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24b845bf7456434741d402e46e3db148_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Local\Temp\DEM5DDF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5DDF.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\DEMB71B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB71B.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\DEMF1E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF1E.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Users\Admin\AppData\Local\Temp\DEM66D3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM66D3.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:652
      - C:\Users\Admin\AppData\Local\Temp\DEMBEB7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBEB7.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\DEM15EF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM15EF.exe"
        7⤵
        Executes dropped EXE
        
        PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM15EF.exe

Filesize
16KB

MD5
9b352ea8623b42f1e417da001b053a1a

SHA1
52d38bbab024378b57fa32ae61dfd95c7948f97b

SHA256
db55ab7af5cf9beaf88e5c6f267c176b5827015d7a34c4bc276c6ebd59ea7218

SHA512
d146f18c82b5fa0c5fabcf94316255654c84d5db363c185dd674abc9334f8e5ce932d02961e0437ddbe606ddf2425feae2dc3f33109a5c3419e6a492c098df23

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5DDF.exe

Filesize
16KB

MD5
20ec937cd2a9daa2d3aa89b6a4daa565

SHA1
e3bc86386ead303547c880b2c57bfe17740b2ccf

SHA256
f00b5111f06d030ff13786d645929a85a38b1af94f7f3d2d3e5ab6f4c240da49

SHA512
335e311467c79188c2c2a5f307e701b883bbde009ad3cd75e20bca6a98910c41ac907c70b374be2c8df441840353beab0d76deff8ee7ac096689e1d6f265e97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM66D3.exe

Filesize
16KB

MD5
5bd977183fd0a99d2a8bb0a5098f533d

SHA1
3f2251fe6e19642bc278552ffcda6a61786d8871

SHA256
7cfeb36ce35991953ec8e0a1751eb1ea4e68f0721eabd0f21d31ade2907c415f

SHA512
d67dd1d5b3331cb3c092cc106e3cb5bdaa8f8185019678b942cd5170046a3f9edbfb092498725335bac78e31feacdd769ebaf7bcf12861dcb638c434925b1bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB71B.exe

Filesize
16KB

MD5
6a3b3288ab135faaea5956ffd1d4ee5e

SHA1
1c82b4ffe28bb3dfd17921fa96e2a6c74ef9f74e

SHA256
0f61df439e60fb4ed8389862b1286d9568477754bb413a58bcf83803dffd32d9

SHA512
555d8cc1a22486634abeab12f4e926f86cd4dd8fe084b8887f9f25fc8843d8caa481e207426fb8b51a3810fd275eaec65448f06d8066a93e1f05dfabbf41589d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBEB7.exe

Filesize
16KB

MD5
278314e39fbfc9f7d070364da0c7ffd7

SHA1
b24be4f5cac2f55ccd53428f63c7f58d5db14885

SHA256
accca49ed9af951628b3825bb856d7e068eb6f71fc3122a038416185758777e7

SHA512
5de7b9274641b177f42e33120058e7a6758738053324bfdab0cce18c1643d61af0f8ebbf9bcf56064c70b47c24c79c682609a99179bb1cd2206037c7bf181493

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF1E.exe

Filesize
16KB

MD5
02c422c2520ba29ae92ab9d6f0d91ea7

SHA1
41750f01f00e32de5ffa8bcfd2ac71554d68c846

SHA256
919fd81bdb4f1b99b84696318e610edf55a6a0024f4ab05e96bdd6d084ea760d

SHA512
7dd381d37d2109b808a4e5e16c9b1fd6bdd76afbd98e97a793d2bd6093203db5f961919588426e4572a1e900097d65e1dce2cac91e9221d403096f5d23c45bb8

Download Submit

Analysis

Sharing