3e0ee1045ce79cf30eba0919b69f9eaf4152073dbeee4f6971100c31519974d3

General

Target

c3afb352a070c28674b4afa49e946e13_JaffaCakes118.exe
Size

16KB
MD5

c3afb352a070c28674b4afa49e946e13
SHA1

4c0a1c2b09f1ade3ada23756acc3311ee269fc8c
SHA256

3e0ee1045ce79cf30eba0919b69f9eaf4152073dbeee4f6971100c31519974d3
SHA512

4617ceadf27fbc63c760fa0dc026198cd17c9d3f9b6952ca642641de65736dc6e8be2d39597e122d666657ab08fc1f00f9e3c65aa8b499020ca50e22f98a3ab7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlj:hDXWipuE+K3/SSHgxmlj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM8D37.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	c3afb352a070c28674b4afa49e946e13_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM344E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM8ABB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEME0CB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM3709.exe

Executes dropped EXE 6 IoCs

pid	Process
4892	DEM344E.exe
2736	DEM8ABB.exe
2496	DEME0CB.exe
2572	DEM3709.exe
4548	DEM8D37.exe
5040	DEME337.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 4892	4956	c3afb352a070c28674b4afa49e946e13_JaffaCakes118.exe	98
PID 4956 wrote to memory of 4892	4956	c3afb352a070c28674b4afa49e946e13_JaffaCakes118.exe	98
PID 4956 wrote to memory of 4892	4956	c3afb352a070c28674b4afa49e946e13_JaffaCakes118.exe	98
PID 4892 wrote to memory of 2736	4892	DEM344E.exe	101
PID 4892 wrote to memory of 2736	4892	DEM344E.exe	101
PID 4892 wrote to memory of 2736	4892	DEM344E.exe	101
PID 2736 wrote to memory of 2496	2736	DEM8ABB.exe	103
PID 2736 wrote to memory of 2496	2736	DEM8ABB.exe	103
PID 2736 wrote to memory of 2496	2736	DEM8ABB.exe	103
PID 2496 wrote to memory of 2572	2496	DEME0CB.exe	105
PID 2496 wrote to memory of 2572	2496	DEME0CB.exe	105
PID 2496 wrote to memory of 2572	2496	DEME0CB.exe	105
PID 2572 wrote to memory of 4548	2572	DEM3709.exe	107
PID 2572 wrote to memory of 4548	2572	DEM3709.exe	107
PID 2572 wrote to memory of 4548	2572	DEM3709.exe	107
PID 4548 wrote to memory of 5040	4548	DEM8D37.exe	109
PID 4548 wrote to memory of 5040	4548	DEM8D37.exe	109
PID 4548 wrote to memory of 5040	4548	DEM8D37.exe	109

C:\Users\Admin\AppData\Local\Temp\c3afb352a070c28674b4afa49e946e13_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c3afb352a070c28674b4afa49e946e13_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\DEM344E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM344E.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\DEM8ABB.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8ABB.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\DEME0CB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME0CB.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Users\Admin\AppData\Local\Temp\DEM3709.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3709.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Users\Admin\AppData\Local\Temp\DEM8D37.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8D37.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\DEME337.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME337.exe"
        7⤵
        Executes dropped EXE
        
        PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM344E.exe

Filesize
16KB

MD5
1af1ae4f62d454347635d3a904ebda0c

SHA1
3db2597507e7b935e774848707390b74997b7e2f

SHA256
a568d1f79e64c456649aad9e87e36401e8f93b973bb2797c7872f9d1b68b5a3c

SHA512
2e49909c3f50629bf4ead038f8e2d7a026909a86585a71d13fe8d5509cb8a4f40c35ec65468b40748fa776c825b1625d4f8def0cfee42d301dd2ef64ac012fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3709.exe

Filesize
16KB

MD5
59f3c18ee350f97b609bcbd46cf1256d

SHA1
b97d20067f54e743f12b34a166760bd9fd3ea051

SHA256
89b36bc2ea1e1d61853a2b26d3846a828546e231d6fadcc78917e24c15b5af05

SHA512
b65935e3887318745546afa62f5dc657ee4da305dd8bd553451323d9854e061de46839e1ed76b8aaddc7e28f05017c6e74fd6bb8ce9e3a8f78331a2f91da8857

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8ABB.exe

Filesize
16KB

MD5
87351b9bc2c4eb9903f76bab882c113b

SHA1
cda8bf31deb8e4578baad9a8e9c607d4e9f25c72

SHA256
b05ed1cf23ae2996974cdb552af7392368cda616cdc044fa46daa9a45bdba784

SHA512
f735d92c3a7912094dcd09e4f5eb4993bf8a11ca1bbce46ea5bec16b5e4d18c4f6e2f061318d2cb4c44ff616e1717b1bb8e1523db7a1430fc31019f97081b427

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8D37.exe

Filesize
16KB

MD5
bb8357fc6252aa53461ef22afe035065

SHA1
86c7351da3286fdc6aa64c66057bc5e4ba1d5c0f

SHA256
18fb60bea234999abf1fac15f2325fc5deb71bbe66620fb2859d0e0ff8707c6e

SHA512
391b78323621790c7f18080766d84c5b331e2685e6efe0be20209d803b3669f3e010ef035c456a1e791e3cf86a22fac20df6069c196db2f3c315838eecb51204

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME0CB.exe

Filesize
16KB

MD5
e01cfcdf6cec0e14ab0029044e276ce3

SHA1
65b5b72d90aed513c5c4245fd7555205f5e98a63

SHA256
29883d036c6bfba7c27a0a1c87ff0006465f3b155b4172aa5f13a91bb85bf552

SHA512
fb53664e8f7af58f79043910d45edb9b0b5cbdc7386cc3c3d6866c074bd9c2d62499704f0148fa0bdb421f16250ab4a8b9e44906c5ed8f5e54606448e9247e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME337.exe

Filesize
16KB

MD5
bfd8164218d663afa1cefca33383331d

SHA1
6acf9d9822cf6d98e416d3532ded0411e2b49ea1

SHA256
cd288c6aab8ec53f113aaab3b86a991bd02f3b24eabc72ed2f57394a46cbb16e

SHA512
13142e06116c482a1bce6df2879d6d6de7145d9aca82b0978b7ad5b512f2462591b9f1b9377dc7f24e03db1e0407cc323d9d0a945b279846f65d1893f571ba13

Download Submit

Analysis

Sharing