af4e2f360b9e602b41112793b6dcd75e419e3f29a8760e37c407929c482b14c5

General

Target

24ec973b499b410e4e4694c0ab436e18_JaffaCakes118.exe
Size

16KB
MD5

24ec973b499b410e4e4694c0ab436e18
SHA1

14ac81da47dced90fd8427ad586f70b24c13f78d
SHA256

af4e2f360b9e602b41112793b6dcd75e419e3f29a8760e37c407929c482b14c5
SHA512

b0e30ffb65dacfe90103fa7156820f75237d9db3b39f9b41c276d799ac7e47bdbb25b643c9175219e90398ca2394018eacb4e74cb68c38beea9b54f498d46f87
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh2M:hDXWipuE+K3/SSHgx0M

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEME0AB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM360F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM8B72.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	24ec973b499b410e4e4694c0ab436e18_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM33C2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM8A7D.exe

Executes dropped EXE 6 IoCs

pid	Process
4816	DEM33C2.exe
1700	DEM8A7D.exe
4532	DEME0AB.exe
3228	DEM360F.exe
860	DEM8B72.exe
4324	DEME124.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 4816	2844	24ec973b499b410e4e4694c0ab436e18_JaffaCakes118.exe	96
PID 2844 wrote to memory of 4816	2844	24ec973b499b410e4e4694c0ab436e18_JaffaCakes118.exe	96
PID 2844 wrote to memory of 4816	2844	24ec973b499b410e4e4694c0ab436e18_JaffaCakes118.exe	96
PID 4816 wrote to memory of 1700	4816	DEM33C2.exe	99
PID 4816 wrote to memory of 1700	4816	DEM33C2.exe	99
PID 4816 wrote to memory of 1700	4816	DEM33C2.exe	99
PID 1700 wrote to memory of 4532	1700	DEM8A7D.exe	101
PID 1700 wrote to memory of 4532	1700	DEM8A7D.exe	101
PID 1700 wrote to memory of 4532	1700	DEM8A7D.exe	101
PID 4532 wrote to memory of 3228	4532	DEME0AB.exe	103
PID 4532 wrote to memory of 3228	4532	DEME0AB.exe	103
PID 4532 wrote to memory of 3228	4532	DEME0AB.exe	103
PID 3228 wrote to memory of 860	3228	DEM360F.exe	105
PID 3228 wrote to memory of 860	3228	DEM360F.exe	105
PID 3228 wrote to memory of 860	3228	DEM360F.exe	105
PID 860 wrote to memory of 4324	860	DEM8B72.exe	107
PID 860 wrote to memory of 4324	860	DEM8B72.exe	107
PID 860 wrote to memory of 4324	860	DEM8B72.exe	107

C:\Users\Admin\AppData\Local\Temp\24ec973b499b410e4e4694c0ab436e18_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24ec973b499b410e4e4694c0ab436e18_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\DEM33C2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM33C2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Users\Admin\AppData\Local\Temp\DEM8A7D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8A7D.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\DEME0AB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME0AB.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Users\Admin\AppData\Local\Temp\DEM360F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM360F.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3228
      - C:\Users\Admin\AppData\Local\Temp\DEM8B72.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8B72.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\DEME124.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME124.exe"
        7⤵
        Executes dropped EXE
        
        PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM33C2.exe

Filesize
16KB

MD5
05887486774bee4ec6708402cd25c16d

SHA1
6c1d67c17d271168e69fc44db22fdaee228dcedc

SHA256
f0decf9bb3e0c4f589c0460d252ad6b5de109bc3cf8f7ea1e586767646576699

SHA512
885057341482d8dafaccebf6ee81a183c8675f91c6a3327d0e7c38b86a17267bdafff428166540445db808a91044d4b150bea23a0c3fe72f4db44923a5dd2cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM360F.exe

Filesize
16KB

MD5
64b315a2e7205b95cb5b5b0251ad2a8e

SHA1
2e6a8e59dfc05368279fcd661b15aa7afc996cbc

SHA256
e17ed914f70fa9fc8e2e7762dc8b19c8189f4983b90e49449d51b881fd9bd669

SHA512
5cdd8b346d524fd71c8f0bff158e38a99db306bc7b08f794afc955e5b3d400b3bdbcbdbd850932a6da223c41a61ca802cec0f3161e581fed27a027a901c32887

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8A7D.exe

Filesize
16KB

MD5
7e0c2eaa974168defd181bf624b69ee6

SHA1
7ddc14bfe2f968f824d26caf49b1aaa6d65f837a

SHA256
23b5a0e78eeedaaee86ff1c314898f08aea2f0c21902e7f2ed76df4b0179bad0

SHA512
8336fb7426b3bcf5b1312143992f9764a680338cb8a904c431410fe49cfe0358ab121841276d0b84f4303d1a184922e19e17251be554182feb8f8d5a5b502951

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8B72.exe

Filesize
16KB

MD5
c7fa067c00338f2de8524d6e89372d95

SHA1
a79e1eb5511dc2ddd1347b1a2380882684676abf

SHA256
0af1fbf68aec413f45afa7c203f73b18914fa7dae9df6efa279dc9ccf12820fb

SHA512
d65ee57e2ca3ba21ccda811fdbde579f2ba4d2a8afbed7f1e59e532f7880be55242d44ee58ca87661c48c1d94fcab2614515766834ba4f1d64d02ee74da012d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME0AB.exe

Filesize
16KB

MD5
b60028a37fb172b24257caa18708b4df

SHA1
211bf4de5498befdcaf98d0a8577788bdc635c7a

SHA256
2b57e187e2249315aee7905fdda94b8cca5030a3fb23205fe0cef43bc1623116

SHA512
dc6d5a6ee03af0448b807a06871e1f233a506901d11f6ea8cb4b8915be3f0c91d692962e2d6a66c9ec5d99b19de6836ee88d8f045a59b16a007aae93dcb3e8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME124.exe

Filesize
16KB

MD5
d755d2db846eada74dbc64520a2ffa7d

SHA1
4b2691a88a7aef344e89e139bf12c781ef2a0c2b

SHA256
534391886e49c5cb7bf918ce50e723dc6714e710449cb2fdcc34d501b6949786

SHA512
fc2a5d8666fb997de2cf325d5bcc044e8ff387980c42b635cce81cc09303d22569fde0986f32dc3e823bfc7227f4b02fd5ac02bb046f8a07f376084a1d7dadbd

Download Submit

Analysis

Sharing