1c0fb95388f6abdda01a52b238868e4be0716a3fc30e3f32aeb4c0695d3f085f

General

Target

2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe
Size

16KB
MD5

2a199d6f1d78544b189a3039a2e5327f
SHA1

aabe548e2279b1d62a0c05f1e9e248dcb8b77300
SHA256

1c0fb95388f6abdda01a52b238868e4be0716a3fc30e3f32aeb4c0695d3f085f
SHA512

b29a416d097fabf1d406107f48dd1f9767450da94a58629c96bf9f2b3b4f474e88eaf71565985b4c8a3a65ff6c897f6f9c527df254f3f9caf14b0e5ad30fe3cd
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlY2d:hDXWipuE+K3/SSHgxmlYu

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM2F48.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM8567.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM2CAD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM831A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEMD949.exe

Executes dropped EXE 6 IoCs

pid	Process
4572	DEM2CAD.exe
1368	DEM831A.exe
4968	DEMD949.exe
1508	DEM2F48.exe
228	DEM8567.exe
764	DEMDB57.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 4572	4464	2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe	98
PID 4464 wrote to memory of 4572	4464	2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe	98
PID 4464 wrote to memory of 4572	4464	2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe	98
PID 4572 wrote to memory of 1368	4572	DEM2CAD.exe	101
PID 4572 wrote to memory of 1368	4572	DEM2CAD.exe	101
PID 4572 wrote to memory of 1368	4572	DEM2CAD.exe	101
PID 1368 wrote to memory of 4968	1368	DEM831A.exe	103
PID 1368 wrote to memory of 4968	1368	DEM831A.exe	103
PID 1368 wrote to memory of 4968	1368	DEM831A.exe	103
PID 4968 wrote to memory of 1508	4968	DEMD949.exe	105
PID 4968 wrote to memory of 1508	4968	DEMD949.exe	105
PID 4968 wrote to memory of 1508	4968	DEMD949.exe	105
PID 1508 wrote to memory of 228	1508	DEM2F48.exe	107
PID 1508 wrote to memory of 228	1508	DEM2F48.exe	107
PID 1508 wrote to memory of 228	1508	DEM2F48.exe	107
PID 228 wrote to memory of 764	228	DEM8567.exe	109
PID 228 wrote to memory of 764	228	DEM8567.exe	109
PID 228 wrote to memory of 764	228	DEM8567.exe	109

C:\Users\Admin\AppData\Local\Temp\2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\DEM2CAD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2CAD.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\DEM831A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM831A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\DEMD949.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD949.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Users\Admin\AppData\Local\Temp\DEM2F48.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2F48.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1508
      - C:\Users\Admin\AppData\Local\Temp\DEM8567.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8567.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\DEMDB57.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDB57.exe"
        7⤵
        Executes dropped EXE
        
        PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2CAD.exe

Filesize
16KB

MD5
e11bb021eeb805dea2b7d1e3e9042692

SHA1
63a18a1786aae9108fa60446b63a37a67f9c99f2

SHA256
86b53142f656d7ad5368851e754902236f69d9e859647a3a151432d0b9246a9a

SHA512
15ac808a5930b9cada19efede569de21a0559f5b864b20633a82d03c66b357b7a1e4067715271d142bb9f7776c67a5c5c078c159a534596c3b16b3297d76028a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2F48.exe

Filesize
16KB

MD5
4f580111965e4033377e90d736a637be

SHA1
8b1afef6b392dac31bc071144141cb0224ba9ee7

SHA256
87b64c5663657c34009616618a790688af7835ac9f20c2125185174f26114924

SHA512
6c13357fcf34a153660cd4123f06463bcb073a4d56e142768377b2e24eeb360d584fda3c036802997235cb345cf786fc19c789ac55d8f012452ebb209d3ee195

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM831A.exe

Filesize
16KB

MD5
f622aaf0d0bb1221b5e461bc399f5628

SHA1
ec207c017570a17519e336ee6f38d6824315e7e2

SHA256
9bc833fd9d8ea867e2003e14ea8ec0a5c6ce2e629090c7f35dc6b40b3ce84a43

SHA512
5ffdd0515d42ecbae676a7516e39eac31bb311da29c42c9124e62b52f1a24d68ce87dfa9428ba5d706af7eafacb96018ab41d89a43ca06f9416694a6bcfe9813

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8567.exe

Filesize
16KB

MD5
bca8e5a31aef6743fcc260ae2367db9d

SHA1
eb2afcfc173be4d4e9626f04ccada889186b0b79

SHA256
9253c342ad4b8368987c945a63221dc69d7593c8c0f3dee10d33af4394cb9022

SHA512
1e54534ebdc8edd63722c9bfbeec64b24ecf1c9b942f15d4f3605f632e0a77106118b3587370ee6464fc56110fdf623ca7aa070d9d247a95995952d062982b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD949.exe

Filesize
16KB

MD5
69d07ef0a49b819af2f29845ef926eb3

SHA1
c42e288c538238b16422d1101245b804d1c36e55

SHA256
c95e6e4e17f4d9a50ff0f3c75f6e76d1a8a5fd1feb2e957879f47292a843ef82

SHA512
dc768bb226272dbb90126fc3fbe5adc655a5444df64732844b07f304a12b73b383cffbfb16d1480b083ef1362e3801f747893b137775b1d166e7903125db8967

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDB57.exe

Filesize
16KB

MD5
6ae4d762a68dffbb5a26cb721500ccc9

SHA1
a06031472f44e6de9dcff4ee2efa12190c798d2a

SHA256
d1b36c1c9af170081a7898ec9ca21b6eb04c7fe07deb508eadf2ab8c192c37a3

SHA512
f741c25e203f1290e8dd8e967b1160408988253486fbf62c4d94fbdf39844f3fe5e77ad52e8632b0ebd96ae2c48fa0b9556d64569b363c2a1f61b5b820c63bb2

Download Submit

Analysis

Sharing