32c1bef8e982f91e5a91ba6cad8603148e5d6d2308e14cfc7eae2798dee47dde

General

Target

2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe
Size

15KB
MD5

2594a18b5f5379cf2af07c2071c50b5f
SHA1

24cc16ab3c325f4fbf0598855b39c3bafae932d2
SHA256

32c1bef8e982f91e5a91ba6cad8603148e5d6d2308e14cfc7eae2798dee47dde
SHA512

52d85feb78d8eb84b44549b629ef01c8987d27e61096085112dad6acf61db285cf65b18201da33e3219dcb8df306de07bf6b410ef19d003c0a11d54473a1bd03
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4l+Lv:hDXWipuE+K3/SSHgxmH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM4602.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM9C7E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMF29D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM48CC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM9ECB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3376	DEM4602.exe
5012	DEM9C7E.exe
3756	DEMF29D.exe
1692	DEM48CC.exe
3208	DEM9ECB.exe
1196	DEMF509.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 3376	3036	2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe	91
PID 3036 wrote to memory of 3376	3036	2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe	91
PID 3036 wrote to memory of 3376	3036	2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe	91
PID 3376 wrote to memory of 5012	3376	DEM4602.exe	94
PID 3376 wrote to memory of 5012	3376	DEM4602.exe	94
PID 3376 wrote to memory of 5012	3376	DEM4602.exe	94
PID 5012 wrote to memory of 3756	5012	DEM9C7E.exe	96
PID 5012 wrote to memory of 3756	5012	DEM9C7E.exe	96
PID 5012 wrote to memory of 3756	5012	DEM9C7E.exe	96
PID 3756 wrote to memory of 1692	3756	DEMF29D.exe	98
PID 3756 wrote to memory of 1692	3756	DEMF29D.exe	98
PID 3756 wrote to memory of 1692	3756	DEMF29D.exe	98
PID 1692 wrote to memory of 3208	1692	DEM48CC.exe	100
PID 1692 wrote to memory of 3208	1692	DEM48CC.exe	100
PID 1692 wrote to memory of 3208	1692	DEM48CC.exe	100
PID 3208 wrote to memory of 1196	3208	DEM9ECB.exe	102
PID 3208 wrote to memory of 1196	3208	DEM9ECB.exe	102
PID 3208 wrote to memory of 1196	3208	DEM9ECB.exe	102

C:\Users\Admin\AppData\Local\Temp\2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2594a18b5f5379cf2af07c2071c50b5f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\DEM4602.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4602.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Users\Admin\AppData\Local\Temp\DEM9C7E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9C7E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\DEMF29D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF29D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3756
    - - C:\Users\Admin\AppData\Local\Temp\DEM48CC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM48CC.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Users\Admin\AppData\Local\Temp\DEM9ECB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9ECB.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\DEMF509.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF509.exe"
        7⤵
        Executes dropped EXE
        
        PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4602.exe

Filesize
15KB

MD5
6e02c66dddb4965c7898e1a984388c0d

SHA1
22afb21cf5e01ce4e579fd37d5abace5e91a012c

SHA256
6d0a55f03d6fb52089b75de77a521bdaa1c894a6489e09620ffcf91d94a63f6e

SHA512
d42ed48b11bbc13dd44d0d32d15749a5d0e51e7da7317ec36f5436506fe817d7cba00be03636206c4687135a8564268a3afbbff95f82726f97f722a23dc8a04c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM48CC.exe

Filesize
15KB

MD5
bdc74199faa113155c6bf4a4098f33ad

SHA1
d34761e800aae3495c7937544b5c0079b6b5efbf

SHA256
193ad07818016dab4c51855619ae353d0a047b82f1da8f18438448a8afe7a876

SHA512
8b47f608eac5ebcc4eb78b8bf49366e36d1e44cc227486d58622c49010aee2ca734150b89b170e45d0939d7e439a0a5b1e65fe1e645a669a671322d8734301f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9C7E.exe

Filesize
15KB

MD5
a9fa36e59c8526cef9ff11603a34e09e

SHA1
a935b91d93515be3da3236a038a1fd1e0f734f8d

SHA256
14344954ffef3811b61c7fd453334d1299328081a92c059412134fea5d8dace1

SHA512
a808f716aae8823a100b5d03bd0756bc68d12719edbbb1d430a3883e64cc179335ffde7f475d2efe96637385425e2917cd6ad01a6dd9cd83b6df90655027ebec

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9ECB.exe

Filesize
15KB

MD5
9bd9ffcb3c28d81efe2343b701dc69e1

SHA1
ee0586b6eee3294da0ce5c7a86e4b1170678d2bc

SHA256
7bb2f30bcbfbc2fdbf080b1310721a57a2b7711cf4d41a290f893edb71fc8352

SHA512
049f36d49c25818b535d1c1aa2129fc27522a20d791253dcc72d7feab50fb3c960ecb08f68baab3812a2baee6bcb018b4080b3e62d7f501e68404f1100545403

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF29D.exe

Filesize
15KB

MD5
8bb12714ca920917b7ef8348293a9336

SHA1
ab2ce3671783a16bfaa57e22a5018b0d450a0240

SHA256
af6d20126c7776c03fa0ad02a316388bfc1c440bc0b6f1601abc00ed8ca28426

SHA512
a5a242f91e414bd2f4c086809bf6b5c04718c380ebff403ce68e59d810cfddab79cbf4598842d42f6bfa14a1e29ccfc08483f83d3271fcf3ae0f20067534e8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF509.exe

Filesize
15KB

MD5
2b8f63f34749476fc9c067967f3b2035

SHA1
fdcc1b9262c268a01808e90514686b2e9f8a9111

SHA256
c751b953f8c6ed7516301ab819cdb2360f8c74955c42006358287e3957eb0a1d

SHA512
80a4023d6e4828724258d50f1f51724b24dc1357f746edd4348f18323804d5f0f55b9be64aab0e07c325eb728aa142292504edd56380c1386eac8bd20bb443c4

Download Submit

Analysis

Sharing