7793c8a9991a96ae8c3ba0d7b4b134c43cafee0c10e19f6071e75066e8f233fe

General

Target

25b795100998c1eb114b6720705c786b_JaffaCakes118.exe
Size

14KB
MD5

25b795100998c1eb114b6720705c786b
SHA1

a91cebd25055d047e5946b7ed8588ef648588b48
SHA256

7793c8a9991a96ae8c3ba0d7b4b134c43cafee0c10e19f6071e75066e8f233fe
SHA512

d8e3649ecc76f1e21ad31460a1e6e8cb6b7751aea991533c3f22c448f84fc3252568575ca28bc4919b059dde0cb35277123a8e36775840d72c60f1f06c61461f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdHHuw:hDXWipuE+K3/SSHgx3NHHD

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	25b795100998c1eb114b6720705c786b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM519A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMAB15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM2E9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM5ACD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMB215.exe

Executes dropped EXE 6 IoCs

pid	Process
4184	DEM519A.exe
3400	DEMAB15.exe
2760	DEM2E9.exe
4484	DEM5ACD.exe
2672	DEMB215.exe
4232	DEM9E9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 4184	452	25b795100998c1eb114b6720705c786b_JaffaCakes118.exe	97
PID 452 wrote to memory of 4184	452	25b795100998c1eb114b6720705c786b_JaffaCakes118.exe	97
PID 452 wrote to memory of 4184	452	25b795100998c1eb114b6720705c786b_JaffaCakes118.exe	97
PID 4184 wrote to memory of 3400	4184	DEM519A.exe	100
PID 4184 wrote to memory of 3400	4184	DEM519A.exe	100
PID 4184 wrote to memory of 3400	4184	DEM519A.exe	100
PID 3400 wrote to memory of 2760	3400	DEMAB15.exe	102
PID 3400 wrote to memory of 2760	3400	DEMAB15.exe	102
PID 3400 wrote to memory of 2760	3400	DEMAB15.exe	102
PID 2760 wrote to memory of 4484	2760	DEM2E9.exe	104
PID 2760 wrote to memory of 4484	2760	DEM2E9.exe	104
PID 2760 wrote to memory of 4484	2760	DEM2E9.exe	104
PID 4484 wrote to memory of 2672	4484	DEM5ACD.exe	106
PID 4484 wrote to memory of 2672	4484	DEM5ACD.exe	106
PID 4484 wrote to memory of 2672	4484	DEM5ACD.exe	106
PID 2672 wrote to memory of 4232	2672	DEMB215.exe	108
PID 2672 wrote to memory of 4232	2672	DEMB215.exe	108
PID 2672 wrote to memory of 4232	2672	DEMB215.exe	108

C:\Users\Admin\AppData\Local\Temp\25b795100998c1eb114b6720705c786b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25b795100998c1eb114b6720705c786b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:452
- C:\Users\Admin\AppData\Local\Temp\DEM519A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM519A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Users\Admin\AppData\Local\Temp\DEMAB15.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAB15.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Users\Admin\AppData\Local\Temp\DEM2E9.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2E9.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Users\Admin\AppData\Local\Temp\DEM5ACD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5ACD.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4484
      - C:\Users\Admin\AppData\Local\Temp\DEMB215.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB215.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\DEM9E9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9E9.exe"
        7⤵
        Executes dropped EXE
        
        PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2E9.exe

Filesize
14KB

MD5
c0d104bfdfd4dee3bab51595c5c3bf72

SHA1
097d47d65cf7834c071ff574f3d21676389c6ff7

SHA256
8a384286c2212fe32ea70326c5f80b2c996fedcb3a0c455f1f09634a350006a6

SHA512
6284110651458da4e729cfae37b0f665f165a2741b45936d36c57ed6abaeb4c6486277f5028eb8fdb33c7db1c6143d61f25d17e34e656503655691d14d32a922

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM519A.exe

Filesize
14KB

MD5
95bd5bc606a8dfbc0077fdc7e3352ee7

SHA1
5dfcb5b3e3ed5409c29446290103e16843930e84

SHA256
c21e0f5ca4812b823996170d3cb454abc25cf426cba1f438d55cb6f7adbd90ba

SHA512
34fc743fc1395a626cc8a698c84b8b91a68d7f89987b46ff07623828fd3d87cd80902595a515b73baa645d7f7fa442b46a874b00465360f6b41a1ea88664e879

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5ACD.exe

Filesize
14KB

MD5
a6795c8ccdde870f42be0064534b95f8

SHA1
b3ea751c7a73137006418357a96a61d1b929a8a2

SHA256
8e1b649449aec1fa48008e700eb5ec3861a532fe5afc5c86391bfd48abad2f9e

SHA512
45b870fbac10676163c2580fb9d9c740092714e75d3253c22c500b7a8f0b88a83daa987475c03a73c711a0846d08d55e588400b8f9faf91f2c2566d6541d0adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9E9.exe

Filesize
14KB

MD5
319db0002f099e8f4121d0e4a137bdb3

SHA1
0692c7a0bddad318123cf58a28ca4dce713391b0

SHA256
dc95bd7c006cab9eb2bdd44f8657de78ac4cdce61e61ff4e6f248334ab67f22d

SHA512
ad603c06c557d91be60b6ad95b476e45265092660e597afde9f38d595dfb56eb76954d2494477290fda1267175f3c48e300dc0d8a6caf950069a5078e194cc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAB15.exe

Filesize
14KB

MD5
efc074330650fb73668940c50b4a3101

SHA1
65d28177ea869a0e7b6ffe56eb9f8e9043b424d0

SHA256
5914de41a2530c4d89ca54a6ea943f0061833ae1a75ca97bb4088901987ab145

SHA512
3fa9e72e6385a9cff9aa634d9a18f423135ba78f776cdf70592e6ffdc0fc9e822b5d87d34e883d93b8718813fb534be3dc09fa0f9ad88909d481bd0d0656dc79

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB215.exe

Filesize
14KB

MD5
99d024d49abff799c386d0ea9355ab09

SHA1
c1cb3b0fd4728d585aa01e61a31718967ac6c541

SHA256
665516962032823ebde74eb2d9da6c87b4a673a880c5f6d5bffafe0c546a814f

SHA512
7f87aab6536f45c1ded265d73322d9325a1bfb59fd9ea03cace5a1a48ac2e14b6ebf2871fa219f53d2819b928a9aaef388050f0b7fd2b00147289118e0522d82

Download Submit

Analysis

Sharing