e5a8755ff69ca519bf9178b5bf5f86a1777724b17e34bc9fbd1be4496d2c28c8

General

Target

267327823a11c335d2ab703be96052a7_JaffaCakes118.exe
Size

15KB
MD5

267327823a11c335d2ab703be96052a7
SHA1

4066079a2f2f2782d95f26c9321e4769060d45f2
SHA256

e5a8755ff69ca519bf9178b5bf5f86a1777724b17e34bc9fbd1be4496d2c28c8
SHA512

1d16bda64d788f848da08986a0a1d218aed8c192154f0707ce4fc0f92c28a75870770aaad0afee116b4cbd6b23d341bd3f54ecce04ef58f56e1324a6a93e3575
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvcd:hDXWipuE+K3/SSHgxmkd

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMB371.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMB46.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM630A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMBB0E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	267327823a11c335d2ab703be96052a7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM5331.exe

Executes dropped EXE 6 IoCs

pid	Process
2080	DEM5331.exe
1012	DEMB371.exe
3668	DEMB46.exe
4712	DEM630A.exe
4504	DEMBB0E.exe
5096	DEM12F2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 2080	3540	267327823a11c335d2ab703be96052a7_JaffaCakes118.exe	96
PID 3540 wrote to memory of 2080	3540	267327823a11c335d2ab703be96052a7_JaffaCakes118.exe	96
PID 3540 wrote to memory of 2080	3540	267327823a11c335d2ab703be96052a7_JaffaCakes118.exe	96
PID 2080 wrote to memory of 1012	2080	DEM5331.exe	99
PID 2080 wrote to memory of 1012	2080	DEM5331.exe	99
PID 2080 wrote to memory of 1012	2080	DEM5331.exe	99
PID 1012 wrote to memory of 3668	1012	DEMB371.exe	101
PID 1012 wrote to memory of 3668	1012	DEMB371.exe	101
PID 1012 wrote to memory of 3668	1012	DEMB371.exe	101
PID 3668 wrote to memory of 4712	3668	DEMB46.exe	103
PID 3668 wrote to memory of 4712	3668	DEMB46.exe	103
PID 3668 wrote to memory of 4712	3668	DEMB46.exe	103
PID 4712 wrote to memory of 4504	4712	DEM630A.exe	105
PID 4712 wrote to memory of 4504	4712	DEM630A.exe	105
PID 4712 wrote to memory of 4504	4712	DEM630A.exe	105
PID 4504 wrote to memory of 5096	4504	DEMBB0E.exe	107
PID 4504 wrote to memory of 5096	4504	DEMBB0E.exe	107
PID 4504 wrote to memory of 5096	4504	DEMBB0E.exe	107

C:\Users\Admin\AppData\Local\Temp\267327823a11c335d2ab703be96052a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\267327823a11c335d2ab703be96052a7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Local\Temp\DEM5331.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5331.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\DEMB371.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB371.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\DEMB46.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB46.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3668
    - - C:\Users\Admin\AppData\Local\Temp\DEM630A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM630A.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4712
      - C:\Users\Admin\AppData\Local\Temp\DEMBB0E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBB0E.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\DEM12F2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM12F2.exe"
        7⤵
        Executes dropped EXE
        
        PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM12F2.exe

Filesize
15KB

MD5
8b019dbf960d815bd90df829959db425

SHA1
aa7fdc2c3a94a5437e1040e39a5f85e40d8328fa

SHA256
829c0695469f8892875ecaf666434c5f486db745e854242a1bbdfe75f75f5024

SHA512
97a2ecad8b4edc1e847f108097f6caf8b22fe02af50ab73b6997119268c9d6d307813f1db02345e0defa9c3cd4863bcd349e7dc61130caff36b1199732e21d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5331.exe

Filesize
15KB

MD5
cef096c443f38bdbb6bf2f7888bc5abd

SHA1
a4fa0cba3d2e3035b72edd0ed8ee6ea1868164ec

SHA256
9a799654aec9c6f52ef29e11ca07d1149448e34ab48b9d47080f208a9cfa5d3e

SHA512
55dd686f1f3d29d8339c8505545c7cc72fe4bc46c3460a18f6bfddea374301dcd51db444f7db01af38ed2158ad444cb47a2aec9b498928e0a40258b0b290949c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM630A.exe

Filesize
15KB

MD5
73101a4469c424f411f2e56abd40f10a

SHA1
717b0c159cdb6c19e5622391da3f3340da9e6f74

SHA256
3f0483b96400ce1861ff4c455d88d604ef1080918a5d876bdf2e30166f028b05

SHA512
f894ed6b9aa15c5f36c13c32e57c3b21b4d799f5adbe225ce40943d4390699f5921cb43fcd35403e4c62491dd2d646fbda3a0e9bf3e4783312f133e360dff3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB371.exe

Filesize
15KB

MD5
97e53c9545614afc474ae82e67e9d101

SHA1
14dc989ab6b4fdcd9f821cd1d5ef04929970f220

SHA256
8e7b9084bca8b6002b413d5d6acb78961c4319f72ddff0c19de7a33d6fe1314e

SHA512
13b348cc1f8dc87955683483b9c4546f4ddde7480e7e5f2d1b589d0206dff7b474346269cbeaad842993b580d14a0ebca781f0c7bd6710ed4f043abb7fafbfe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB46.exe

Filesize
15KB

MD5
8771865b3e48d8a94b078d5ab718ceee

SHA1
6a947af6a48860ba90ba021008889ee525ae6180

SHA256
76a708e72715181f0aad7d573e22f8b579ab0d5ad174b90e26ac835c34ea3abb

SHA512
a30046995b525795896874c48e8d0e84ae48c4650f01139a4514919d43eae2d0b2e5221b458b462e4742e672100ffc1b16fc8a55e2810e1b7712716d8df2fa3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBB0E.exe

Filesize
15KB

MD5
0df32be40088a36174c217c597a6252e

SHA1
13b6dd1330701a37dd1b14b7888404fb206913d3

SHA256
8246268d519d43b0295c572fd4ce82f6f95fd159d54a40242c25d829de04c4a8

SHA512
aa75e7d23fc5decf4d15987fb81962c04c9f5233df62069d17b5eb0a308964c1fceaf43ba7807a7e6f1251b7a78dbf172f2629d05914bc321f71a4da7a442326

Download Submit

Analysis

Sharing