f6682b2ec99a5827ee0097ed91687abbc384ba28b7da332b08fc55946508cf77

General

Target

24d53bf73cef563e4c063008089ee615_JaffaCakes118.exe
Size

16KB
MD5

24d53bf73cef563e4c063008089ee615
SHA1

f582e0803731bc9bbf6ad184b557496685f65034
SHA256

f6682b2ec99a5827ee0097ed91687abbc384ba28b7da332b08fc55946508cf77
SHA512

b209ea675a5d70a2274ccaed88b40b85ebbcea5d8ac3e414f377503db67e27c0fd99e63cb1c4407edb4a488d25545e06cf39edd3075e93e55de5c014d02073f1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlkm:hDXWipuE+K3/SSHgxmlkm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM5A07.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMB3BF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMB84.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM6349.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMBAFE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	24d53bf73cef563e4c063008089ee615_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
2252	DEM5A07.exe
2588	DEMB3BF.exe
4924	DEMB84.exe
4640	DEM6349.exe
1548	DEMBAFE.exe
988	DEM1311.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2252	2648	24d53bf73cef563e4c063008089ee615_JaffaCakes118.exe	95
PID 2648 wrote to memory of 2252	2648	24d53bf73cef563e4c063008089ee615_JaffaCakes118.exe	95
PID 2648 wrote to memory of 2252	2648	24d53bf73cef563e4c063008089ee615_JaffaCakes118.exe	95
PID 2252 wrote to memory of 2588	2252	DEM5A07.exe	98
PID 2252 wrote to memory of 2588	2252	DEM5A07.exe	98
PID 2252 wrote to memory of 2588	2252	DEM5A07.exe	98
PID 2588 wrote to memory of 4924	2588	DEMB3BF.exe	100
PID 2588 wrote to memory of 4924	2588	DEMB3BF.exe	100
PID 2588 wrote to memory of 4924	2588	DEMB3BF.exe	100
PID 4924 wrote to memory of 4640	4924	DEMB84.exe	102
PID 4924 wrote to memory of 4640	4924	DEMB84.exe	102
PID 4924 wrote to memory of 4640	4924	DEMB84.exe	102
PID 4640 wrote to memory of 1548	4640	DEM6349.exe	104
PID 4640 wrote to memory of 1548	4640	DEM6349.exe	104
PID 4640 wrote to memory of 1548	4640	DEM6349.exe	104
PID 1548 wrote to memory of 988	1548	DEMBAFE.exe	106
PID 1548 wrote to memory of 988	1548	DEMBAFE.exe	106
PID 1548 wrote to memory of 988	1548	DEMBAFE.exe	106

C:\Users\Admin\AppData\Local\Temp\24d53bf73cef563e4c063008089ee615_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24d53bf73cef563e4c063008089ee615_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\DEM5A07.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5A07.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\DEMB3BF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB3BF.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\DEMB84.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB84.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4924
    - - C:\Users\Admin\AppData\Local\Temp\DEM6349.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6349.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4640
      - C:\Users\Admin\AppData\Local\Temp\DEMBAFE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBAFE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\DEM1311.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1311.exe"
        7⤵
        Executes dropped EXE
        
        PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1311.exe

Filesize
16KB

MD5
3b9f38b2d5cda0e7427faaac73026f33

SHA1
6a0a8b7c307a76bc5377ae088e8ff410d094d275

SHA256
880d4f7f554512a4d00e7c610ec08db1e5a949d76522bc139452e912966e0619

SHA512
ba759337722920a4cc5c95c41054eb9f6e1c3bdc01ebd161f69a5f36290b499fadcfade04d959df02409bd01efcfb1ea04461e30124f6535a2c98fd6ab41bac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5A07.exe

Filesize
16KB

MD5
624009d66af76680f52a3efe8bf8c653

SHA1
4956d0c92120f4ffdea0d3165ba45ea5f01c94cb

SHA256
5194ed30288b21c974f25403f5e71d73047a895281468aa5217ff6a6d11c53de

SHA512
f5883299a5990cc5979380c90278dbbffffb2d6f2fbde806cfd0b91596bb8da163e9dbae685567cadca27ab05afcb4c4042b6262f30bb9340c35c3854e4adad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6349.exe

Filesize
16KB

MD5
c6fe91ccb264607b1557914f1c0f81c2

SHA1
0c5c903fd0805e970efa28913f3d703a5f65dd89

SHA256
82c1d83e13ed90b79316f5389f128004b89daecefeff34743c12d8906ed5cd38

SHA512
520354c5e1dcdd989f08ab32f7edec76d85abc39bd058623dcdc3281c5de1db3cc1502c8f7731a938759844ce04ed719daeca5a72982db6b15c01fa69edde06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB3BF.exe

Filesize
16KB

MD5
58841f4be06393a866081fff803b1ced

SHA1
b629577f8f387152ad3c12f62c890a46e4e5b01e

SHA256
1d30ca4b7b26d4c6b3a50b0f30ddba7bb0a06ec4c29e76e07f68271e9e5914e4

SHA512
002c8a95d2e71d5b16e343235424a6a322f3940892af9236a9d048a0e535998d4b911072e58478f1aa20cf26daee39e73ecd9008e79957130997038da8c71781

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB84.exe

Filesize
16KB

MD5
f4792383f8519f34395f4e3ffa84b698

SHA1
90ece461ee14b3174de94dc6ed492597e9b7e62f

SHA256
7a3a52bb368b42236fd209be720aea54e3c6584649bc12f2508579c6c87825b3

SHA512
2b4154b5ecdce8f371eaac7e971459f6d1e03cfca7853f807f50dcef87071e6c21c237d39b2e0d4c35c7677b785e3917d8d86ca2d1b5a89555ee705fea89bb59

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBAFE.exe

Filesize
16KB

MD5
ee6e917986bba1689a96ecda260b9bab

SHA1
bcd8611f66f0c044b814a5678aa99d6d0c61986b

SHA256
55205e9c7776c1719bdd667a9829039e8394778c2910e77eeb5965c03b8fa62f

SHA512
62dadc2563eebddd3f13d540dfea4bc6f98e3debbd7c7df69c68889d2cbe43ca18a474e60f14f8d21ad8731cc24e49f4eaca965e1e60ec765c6826a7af38156a

Download Submit

Analysis

Sharing