1f7da0bd7f0a915575c9bc9da281022fc63982644c2dec2f24494864b112b9ed

General

Target

23eb3df84269b7dece78a7777523e300_JaffaCakes118.exe
Size

15KB
MD5

23eb3df84269b7dece78a7777523e300
SHA1

f4ff028d2196d28baefab4c58c266afe25138ce8
SHA256

1f7da0bd7f0a915575c9bc9da281022fc63982644c2dec2f24494864b112b9ed
SHA512

844d0251a35e5a25e1554f505772a4c6713111b81ef91eb46a54ed812c511d2f5ad02b59e150ec6280e4c0fff3f7cff581a1faddb758a9bb7e4c87b24c831bde
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4X:hDXWipuE+K3/SSHgxmW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	23eb3df84269b7dece78a7777523e300_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMA807.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMA7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM57DF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMAFA4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM797.exe

Executes dropped EXE 6 IoCs

pid	Process
3092	DEMA807.exe
3356	DEMA7.exe
4436	DEM57DF.exe
1116	DEMAFA4.exe
3300	DEM797.exe
4192	DEM5EA1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 3092	3764	23eb3df84269b7dece78a7777523e300_JaffaCakes118.exe	98
PID 3764 wrote to memory of 3092	3764	23eb3df84269b7dece78a7777523e300_JaffaCakes118.exe	98
PID 3764 wrote to memory of 3092	3764	23eb3df84269b7dece78a7777523e300_JaffaCakes118.exe	98
PID 3092 wrote to memory of 3356	3092	DEMA807.exe	100
PID 3092 wrote to memory of 3356	3092	DEMA807.exe	100
PID 3092 wrote to memory of 3356	3092	DEMA807.exe	100
PID 3356 wrote to memory of 4436	3356	DEMA7.exe	102
PID 3356 wrote to memory of 4436	3356	DEMA7.exe	102
PID 3356 wrote to memory of 4436	3356	DEMA7.exe	102
PID 4436 wrote to memory of 1116	4436	DEM57DF.exe	104
PID 4436 wrote to memory of 1116	4436	DEM57DF.exe	104
PID 4436 wrote to memory of 1116	4436	DEM57DF.exe	104
PID 1116 wrote to memory of 3300	1116	DEMAFA4.exe	106
PID 1116 wrote to memory of 3300	1116	DEMAFA4.exe	106
PID 1116 wrote to memory of 3300	1116	DEMAFA4.exe	106
PID 3300 wrote to memory of 4192	3300	DEM797.exe	108
PID 3300 wrote to memory of 4192	3300	DEM797.exe	108
PID 3300 wrote to memory of 4192	3300	DEM797.exe	108

C:\Users\Admin\AppData\Local\Temp\23eb3df84269b7dece78a7777523e300_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\23eb3df84269b7dece78a7777523e300_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Users\Admin\AppData\Local\Temp\DEMA807.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA807.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\DEMA7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA7.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3356
  - - C:\Users\Admin\AppData\Local\Temp\DEM57DF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM57DF.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Users\Admin\AppData\Local\Temp\DEMAFA4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAFA4.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1116
      - C:\Users\Admin\AppData\Local\Temp\DEM797.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM797.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\DEM5EA1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5EA1.exe"
        7⤵
        Executes dropped EXE
        
        PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM57DF.exe

Filesize
15KB

MD5
9db3ffbce7876730ab8872fbeb53ac88

SHA1
9f292d0d886058da632d45ae41225f902a855f70

SHA256
307416b160175299c4a48440bac820f725f1dd52f2a030af613defeeb668e501

SHA512
b5a7db5a7bbaf1c41e95f4cdced1e5758ded61f9187364287ada5d90b670cf3c0328002e38c3b01ed3599521cfbd33cc0826795ea8d3bffa6c03ae08e058f82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5EA1.exe

Filesize
15KB

MD5
071eac8d54b3aa7433893d9bc5efbd0f

SHA1
d8d580243703ca5364d07d8ab842e035be8a0d89

SHA256
eecafe5c1009628dd95ad703c25e502a1eb9a33a333146805abc05d888aa22b7

SHA512
ad43d23c3c4dc2c2b209603808db225be34724ceaa9fbbcfa1a71cb56c5cf1b034e36b48144ee5a36821d12f7e4a41f7673cf69a76ea299ca7fc7bd27fcde7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM797.exe

Filesize
15KB

MD5
2dbe80535d30c8546089ac09a9cb1d53

SHA1
01f4d2d76cd92a3b6a43de2482d73773ebf13607

SHA256
e7da201280dd9b97d1be16507784eb4aaa69cad3e809bc5f31b17ed0b8cf70a9

SHA512
ab3009dbc730716872f1cb1188a5dc9f956aebf87b9581217b9a300dd8b2cd489c8c01619ce457888f924f359ec551dd4cbba02299c20741b11282dc2310926f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA7.exe

Filesize
15KB

MD5
a172fa8b849eac4531180432e629dae7

SHA1
80d4497c2637f2d2ee6909b10ad8f5f5efcfb0d9

SHA256
28ead92a5315fa19591f45730894e4f2f09bfa06fd2e39c92fd7cab082bdcda5

SHA512
ea06213af46f6b8aa485f1a5b8f6164591333df7f4c70d6202ef1d90a82806dabb400a7a92e8e61eb16bf93cffdd6228be968fafc38fc75cd3d243f7654405a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA807.exe

Filesize
15KB

MD5
83ab55e03cf4e5e5a120664b93c682ef

SHA1
8c0a42e839a26f842581ce7b2384a2bf151aab46

SHA256
695d0ac26f5093b5ff09eb871fa20421bac67441c17ef6770fcd5487bc530be8

SHA512
7f0a9ca063080eb71fad79c53831729d9026df44fca54cbb98718d867d3c24a94a0b4d25cb4a020a789df42446f855eac333b4d0de4ec0ff081a123a14fcfae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAFA4.exe

Filesize
15KB

MD5
b2b8fb918c9f4b820496870c3f7bdaac

SHA1
eaa638133e9173dc2f8989c5692efb340c3acb58

SHA256
4e91984f8c3fd4e5d8529201fd8f09131068df28ded5a5cc8fc15ddbaabacf6f

SHA512
27ba83bfce9b988a3cd4197dd3828d132de739f43afaed7ebf90dc84cd38b04dbba917a7742c34a1403025614c864434bab75610b977b38a4d18c07ead4674ad

Download Submit

Analysis

Sharing