fee33fcfaaa255888cbe28f6ac09b85c6ebeef0c1d43e4749fdf37c3ae9b69a2

General

Target

c1d267e024733c74ec6c9da774e67c0a_JaffaCakes118.exe
Size

15KB
MD5

c1d267e024733c74ec6c9da774e67c0a
SHA1

bbfb8a4e40b011013102a34af25a0b47aa777d1a
SHA256

fee33fcfaaa255888cbe28f6ac09b85c6ebeef0c1d43e4749fdf37c3ae9b69a2
SHA512

b48f70726f2af1e4e3b0219952c7a28fa1ba37fe815884705ef8b83bd75ce678c7a9bbb4b5206f822ab2b08fd094f2e4685eb4cad2beb56f88a3389292453593
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5WS:hDXWipuE+K3/SSHgxl5WS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEMDF25.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM3553.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM8B53.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	c1d267e024733c74ec6c9da774e67c0a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM327A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM8916.exe

Executes dropped EXE 6 IoCs

pid	Process
3752	DEM327A.exe
3916	DEM8916.exe
412	DEMDF25.exe
5060	DEM3553.exe
1076	DEM8B53.exe
3988	DEME162.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 3752	4592	c1d267e024733c74ec6c9da774e67c0a_JaffaCakes118.exe	96
PID 4592 wrote to memory of 3752	4592	c1d267e024733c74ec6c9da774e67c0a_JaffaCakes118.exe	96
PID 4592 wrote to memory of 3752	4592	c1d267e024733c74ec6c9da774e67c0a_JaffaCakes118.exe	96
PID 3752 wrote to memory of 3916	3752	DEM327A.exe	99
PID 3752 wrote to memory of 3916	3752	DEM327A.exe	99
PID 3752 wrote to memory of 3916	3752	DEM327A.exe	99
PID 3916 wrote to memory of 412	3916	DEM8916.exe	101
PID 3916 wrote to memory of 412	3916	DEM8916.exe	101
PID 3916 wrote to memory of 412	3916	DEM8916.exe	101
PID 412 wrote to memory of 5060	412	DEMDF25.exe	103
PID 412 wrote to memory of 5060	412	DEMDF25.exe	103
PID 412 wrote to memory of 5060	412	DEMDF25.exe	103
PID 5060 wrote to memory of 1076	5060	DEM3553.exe	105
PID 5060 wrote to memory of 1076	5060	DEM3553.exe	105
PID 5060 wrote to memory of 1076	5060	DEM3553.exe	105
PID 1076 wrote to memory of 3988	1076	DEM8B53.exe	107
PID 1076 wrote to memory of 3988	1076	DEM8B53.exe	107
PID 1076 wrote to memory of 3988	1076	DEM8B53.exe	107

C:\Users\Admin\AppData\Local\Temp\c1d267e024733c74ec6c9da774e67c0a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1d267e024733c74ec6c9da774e67c0a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Local\Temp\DEM327A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM327A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Users\Admin\AppData\Local\Temp\DEM8916.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8916.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Users\Admin\AppData\Local\Temp\DEMDF25.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDF25.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:412
    - - C:\Users\Admin\AppData\Local\Temp\DEM3553.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3553.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5060
      - C:\Users\Admin\AppData\Local\Temp\DEM8B53.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8B53.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\DEME162.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME162.exe"
        7⤵
        Executes dropped EXE
        
        PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM327A.exe

Filesize
15KB

MD5
f3595345da2d56c8304a1e75dcbba5e2

SHA1
97cf1f8179fa868b1663cc1d9fb0d2391c65d61b

SHA256
7017c6a03538ead6c57a0369b21d8d53f77107a2d3f247e480f83bbbf70f4695

SHA512
4d4ffac67e1d51a5fab26ca7099fb75fd2f83e30ccac4906ed93f93ba82780fe790cb12d9004997478c52d84a9297442cef3aaefc5ae646484fe1698674c2e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3553.exe

Filesize
15KB

MD5
d488490dcf20167b63a7e3337d1bcebc

SHA1
806c56817bc0f9e9f812be34da86e71baeb3c09f

SHA256
cd37665c61f7ddb90d9f596da6bcef9b033f1f0f92f713e18996f9a4236a8630

SHA512
28afe8f70adb7507dddbb6029d4fde0175c1841c122600f3787bf20890f3ea33e580ec5a744640e21ab0a3ddca73da0b8a76efeb079e7668367efbb418e1b035

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8916.exe

Filesize
15KB

MD5
90c587068c57c08b5ef5ff5d88c722a4

SHA1
e92151980358a6359691fdd0dc549e25769a9c1b

SHA256
7c3ad40f4e60f025a9fc5e44e9fae8b35d1fc85f89d5b4a6afda385ac4e914e6

SHA512
e43b3ccc1eccee9096ca25112242bdd450dae851224b1382e2504d0c3b85e7132db489aae307da4cbb5c8f868d3dd708cd26b877d3536edf70edd6eec1d93547

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8B53.exe

Filesize
15KB

MD5
4c05f78cb2d35fe06368a08c233ac1c9

SHA1
52bfc3769ac4ec94ef60bb653785c642bbf64403

SHA256
f9dff27518d1716c497734a33d3682d83945d8836c64498524e1124d7d0f834b

SHA512
76b3c571057f4c8f3269bfe9406e0972daf9b92635d83985dd86ee5927cab9f1498d4af51b21c48b16ec9fa8ffebce9ee1b27bbf9552025860fbb8ce5bc60e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDF25.exe

Filesize
15KB

MD5
ac0243deddddcec0818422d03b0bc1d1

SHA1
369b97e2cabbed4757176b08f0515dba39e82320

SHA256
94d316d066d5fe27a9f28454cfbbbdf8c9934027e5dcd4d8b283bd67dcb46fb8

SHA512
c7597e479276cb914b7c576020b41edebfe946cbfbba94fa9d9e8eced23df8d009be21891208dc4e996cad704f6acce98f7a1632f3749dad3f011544db1a1327

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME162.exe

Filesize
15KB

MD5
d088353fc32f73bd940adaed641d5c70

SHA1
4c72866cd3a163953e966d8f8904a7e08266a21d

SHA256
59c4365253ddba31b1fe69c676ac8b94e1a57061b7646c97d3e417188a903a1f

SHA512
5300895731616b7ea723f2e602e083c427b01d53d59162fd953a093c6c42d1b5ec70bdd060290cf86dcb633b655f6ac3aeeadb9fec929450abf23724d47859a4

Download Submit

Analysis

Sharing