b8517cf2dc099608e15121df1b279dede1e08b0bce4d8dfd7ca724de2ed8f6af

General

Target

c3fe6d28c5015cd12c125dc5199166c3_JaffaCakes118.exe
Size

14KB
MD5

c3fe6d28c5015cd12c125dc5199166c3
SHA1

0722bb9ae111e64899443f290493dc03ad39461c
SHA256

b8517cf2dc099608e15121df1b279dede1e08b0bce4d8dfd7ca724de2ed8f6af
SHA512

50a8650b37bdc3ee3d1ce85705231203d40a9762b6a68bde7054f7aaada476c1a99d034c7dbb298d233880eb530ffd85bbee3d0c893b8c0aac9b5163f5c0b58b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYso:hDXWipuE+K3/SSHgxmj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM2594.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM7DE5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMD4B0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c3fe6d28c5015cd12c125dc5199166c3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM7445.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMCDA0.exe

Executes dropped EXE 6 IoCs

pid	Process
3424	DEM7445.exe
1888	DEMCDA0.exe
3548	DEM2594.exe
100	DEM7DE5.exe
2328	DEMD4B0.exe
4732	DEM2C17.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 3424	1868	c3fe6d28c5015cd12c125dc5199166c3_JaffaCakes118.exe	97
PID 1868 wrote to memory of 3424	1868	c3fe6d28c5015cd12c125dc5199166c3_JaffaCakes118.exe	97
PID 1868 wrote to memory of 3424	1868	c3fe6d28c5015cd12c125dc5199166c3_JaffaCakes118.exe	97
PID 3424 wrote to memory of 1888	3424	DEM7445.exe	100
PID 3424 wrote to memory of 1888	3424	DEM7445.exe	100
PID 3424 wrote to memory of 1888	3424	DEM7445.exe	100
PID 1888 wrote to memory of 3548	1888	DEMCDA0.exe	102
PID 1888 wrote to memory of 3548	1888	DEMCDA0.exe	102
PID 1888 wrote to memory of 3548	1888	DEMCDA0.exe	102
PID 3548 wrote to memory of 100	3548	DEM2594.exe	104
PID 3548 wrote to memory of 100	3548	DEM2594.exe	104
PID 3548 wrote to memory of 100	3548	DEM2594.exe	104
PID 100 wrote to memory of 2328	100	DEM7DE5.exe	106
PID 100 wrote to memory of 2328	100	DEM7DE5.exe	106
PID 100 wrote to memory of 2328	100	DEM7DE5.exe	106
PID 2328 wrote to memory of 4732	2328	DEMD4B0.exe	108
PID 2328 wrote to memory of 4732	2328	DEMD4B0.exe	108
PID 2328 wrote to memory of 4732	2328	DEMD4B0.exe	108

C:\Users\Admin\AppData\Local\Temp\c3fe6d28c5015cd12c125dc5199166c3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c3fe6d28c5015cd12c125dc5199166c3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\DEM7445.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7445.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Users\Admin\AppData\Local\Temp\DEMCDA0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCDA0.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\DEM2594.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2594.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3548
    - - C:\Users\Admin\AppData\Local\Temp\DEM7DE5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7DE5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:100
      - C:\Users\Admin\AppData\Local\Temp\DEMD4B0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD4B0.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\DEM2C17.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2C17.exe"
        7⤵
        Executes dropped EXE
        
        PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2594.exe

Filesize
15KB

MD5
21c99c53fa97f669fe9a73079b4ecc9f

SHA1
5dd3f7c3f345c3e143dcc5700bfa9750955f0ed6

SHA256
105eba747e3a263e33816abe575da6acf8f5475c9ca338f95e4aee2a0936e634

SHA512
c4dceefa763fd7b33bf0e50aefdfe7da8cf6010c93539cb9b5c7c760b947e32cee07e679fecc35fbe3440ab019cf299b924571bca5541ec2891274c47debe21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2C17.exe

Filesize
15KB

MD5
b60786e1310e05bd7265ff88f4a1ba17

SHA1
15b9a712fefbefe558b4b91e4252f4eb458b730f

SHA256
3630435e0dd66c9d98b2486bd922a6b590e2e151c30c5c9cb7176e75bd4b1f5b

SHA512
6818deb48da0027626648fd9facce939c84a0505c1f855c1cde0f3df8af3ad1f6098488cb7fbee7ba0dc607753580d25b686ca120b0d4c8e6d7b98f58d29c498

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7445.exe

Filesize
15KB

MD5
37905eb2727c34177488c8cbdf4e03cd

SHA1
40e0bdda7fc6afdc6f8a56eb4568d0085a631ad3

SHA256
d5b8c52a2b1430b71d117d05c5ea3da96bf43b4ae49685557fc77b09a3634404

SHA512
845a1c9de652b43b411eff57cf728ead24eaf0de99dee3324a1a028862a38db1ceb8b8fb4f5ec3d111fc0b6e3f51cbe72bf47b191ecb97068e0e172614122135

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7DE5.exe

Filesize
15KB

MD5
57153470549a6c2cba645c327e695422

SHA1
f904d484e53de3d5987708f165ec075a739fc07d

SHA256
803ca4d7033e163ea22f31cdd36e0136dbd00428acc4ae525bae47da157e3d13

SHA512
51bb8ac745497c7d151212b40659f071972edde1ec80aa2ab77ae6c0cadbd2945556402f6b3daf45d12fb14caeb3fcb2d8c32ce8d11a271d9993fbb90ceed758

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCDA0.exe

Filesize
15KB

MD5
086c3d96019c2a77e5107703076da29f

SHA1
ce34e2cbe4de44bde42e1f08acddb9949109b28d

SHA256
212df6a1d1d848dbee915873f72134eaf361271ad7adfb73ec54e40c14d6328e

SHA512
ef2527d69fca8540c921482fbb70d93a3828a87632ecb7be69054551e70611ba527f60eede68a48b2db46e1b08f6893c61e31ebb66ca7efedc952793f6933aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD4B0.exe

Filesize
15KB

MD5
f0f517f731f8317ebe3fa03f31316fd5

SHA1
432fc749831615b6e0d4f9053c2bb322e0783740

SHA256
d96d0672be51e1e52bdac6efb7e543600b5b8244773eb5d940839a27fe533d46

SHA512
8671368b3fcc10de6ce6a05a85ffb0cb806f51d61b19a6f7799e0f920d4136962a6100b6754a50b6f6fd5d9bb909e791fa640491270e8b86acba2a6fe43ee14b

Download Submit

Analysis

Sharing