9d358b5c6fac7643fda635cf31d2a627a1225c122a6e10c5df6252135168b436

General

Target

c04d5d196885ede724a09302c3c24199_JaffaCakes118.exe
Size

15KB
MD5

c04d5d196885ede724a09302c3c24199
SHA1

6f1e43fecc44e77c23f0e94bf14c0af7512c373e
SHA256

9d358b5c6fac7643fda635cf31d2a627a1225c122a6e10c5df6252135168b436
SHA512

f1758b93a3b8b6d38d128fcde88807c86be69808ac6e4a439fa56dc43fe2239f8012ddb231e04165292bab8b6abea9d5e64b1e7501c4f65208acd7b6871e9d38
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnwO:hDXWipuE+K3/SSHgx/wO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	c04d5d196885ede724a09302c3c24199_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM349D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM8B19.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEME177.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM37B5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM8D95.exe

Executes dropped EXE 6 IoCs

pid	Process
5060	DEM349D.exe
3420	DEM8B19.exe
2840	DEME177.exe
1876	DEM37B5.exe
3024	DEM8D95.exe
2776	DEME395.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 5060	1584	c04d5d196885ede724a09302c3c24199_JaffaCakes118.exe	98
PID 1584 wrote to memory of 5060	1584	c04d5d196885ede724a09302c3c24199_JaffaCakes118.exe	98
PID 1584 wrote to memory of 5060	1584	c04d5d196885ede724a09302c3c24199_JaffaCakes118.exe	98
PID 5060 wrote to memory of 3420	5060	DEM349D.exe	101
PID 5060 wrote to memory of 3420	5060	DEM349D.exe	101
PID 5060 wrote to memory of 3420	5060	DEM349D.exe	101
PID 3420 wrote to memory of 2840	3420	DEM8B19.exe	103
PID 3420 wrote to memory of 2840	3420	DEM8B19.exe	103
PID 3420 wrote to memory of 2840	3420	DEM8B19.exe	103
PID 2840 wrote to memory of 1876	2840	DEME177.exe	105
PID 2840 wrote to memory of 1876	2840	DEME177.exe	105
PID 2840 wrote to memory of 1876	2840	DEME177.exe	105
PID 1876 wrote to memory of 3024	1876	DEM37B5.exe	107
PID 1876 wrote to memory of 3024	1876	DEM37B5.exe	107
PID 1876 wrote to memory of 3024	1876	DEM37B5.exe	107
PID 3024 wrote to memory of 2776	3024	DEM8D95.exe	109
PID 3024 wrote to memory of 2776	3024	DEM8D95.exe	109
PID 3024 wrote to memory of 2776	3024	DEM8D95.exe	109

C:\Users\Admin\AppData\Local\Temp\c04d5d196885ede724a09302c3c24199_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c04d5d196885ede724a09302c3c24199_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\DEM349D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM349D.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\DEM8B19.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8B19.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Users\Admin\AppData\Local\Temp\DEME177.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME177.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Users\Admin\AppData\Local\Temp\DEM37B5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM37B5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1876
      - C:\Users\Admin\AppData\Local\Temp\DEM8D95.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8D95.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\DEME395.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME395.exe"
        7⤵
        Executes dropped EXE
        
        PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM349D.exe

Filesize
15KB

MD5
a5f4f1e435aa48d2f01ccbe420481702

SHA1
44ed5073af737c84580256d7e8636afdd9f70da2

SHA256
e126ed5946568c3501b05605268110e213b484d8887c88e1d8d0b57d10a8abe9

SHA512
d8cd3127721a71e6d3b630c74c8bfa164170eebb72b3a4e190630875e07e763e214d000a9653eef7c3d539d12be708100aa0346293197363ee0a4167bda64c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM37B5.exe

Filesize
15KB

MD5
0bf10923a3c1b7042620680d90868424

SHA1
bfb809cc5f6ecddb89fcddc6574e5edb742be305

SHA256
fe49053fade04e54fb6ca6e426b00024b2ab47af08d11c34557ba85776488485

SHA512
244d8dd89e67e391bb41a5a3ebeb6bce06289dcc791e269ed87d650d40042b70f860252a693e7345610ff7e99f20aae439326a04e102f8a026fbe9f89d2fa11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8B19.exe

Filesize
15KB

MD5
159de1c81269a50cf6f6f29caaab763c

SHA1
2431bb92fe2653e67b9806a96d0858371fde3b0e

SHA256
9af8a4ba34ec951ec4ee717aef00d1762e642584c7dea10581519a3df1a435f5

SHA512
df92f1d57719507d83aaf573a687bba8fed62ed39488547a0087bf3ee3c1a48f14a7b6e847487ef2322a230c3c4c954002d6239b28c4eb0f738349f29164878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8D95.exe

Filesize
15KB

MD5
45ea3ff927b3e416bc5f319442179428

SHA1
2ba89d25174af0f4094fac6b38c0d5fb00649cba

SHA256
464ed293a3653b6ea1e611f423a514733ef4efc0e4ade3447bc60d2262c78377

SHA512
73783be8d4bc13d16b98ef8841dc5a921e5d856b86e3dd87fb7edbfa33c84eee415e5c12a92fbbb455c9274040adc81145dd7d6e6fa898f29da2beea3cf671c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME177.exe

Filesize
15KB

MD5
06686d0e1f73cee5018d778ce88693c5

SHA1
f8bb23198ba1144af573db9a9feb1ccc006d3564

SHA256
1490b934958222b367b080238802e54e7cf8281c13f77b3ad2d59c5f449626e1

SHA512
5eb33c746b3928188ff9116397efadc19ce51eae65dccb40498a3faffb77ed6ee307d04dae3d36e5c221bc550db428a58857ea85e19b717c030fabd2130dcadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME395.exe

Filesize
15KB

MD5
baa57236c7ef002f18e9040c8da6cafc

SHA1
c9e44e4e225752af8f12fe3b7e5e40aeabfcc970

SHA256
3125101c76a2a05b5a38e20bd8089bec70e3b39caff3fc6fac2bcc57cb2b3618

SHA512
2ca2476ced8f81df30a6ce9d691fa34c769ccc09d49accd3a17197fcc1bd8aa0f7e1aeec915bf88283e934b2cbb1ebf7bb4988e8bc60a46ab2dcc11b58a00ff2

Download Submit

Analysis

Sharing