2f25286a82d3df38025c5c4d37279064c50662a04e7f2f2d860571be55ef854a

General

Target

c1ec9ea6984f021046382f79f55efdb4_JaffaCakes118.exe
Size

14KB
MD5

c1ec9ea6984f021046382f79f55efdb4
SHA1

c4e8aeeae10b9b8e2eab05ebeb6f508033681e61
SHA256

2f25286a82d3df38025c5c4d37279064c50662a04e7f2f2d860571be55ef854a
SHA512

e5f36c58fc6b84df776ba812af84974b9b9bd02477891f742ace659d188693b158bf760d349d3940959f70649cc42f25cc2b0c4f755dc9543c178178cd477b15
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdHHuE:hDXWipuE+K3/SSHgx3NHHb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM2BC3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM8240.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEMD7F1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM2E00.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM83E1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c1ec9ea6984f021046382f79f55efdb4_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3552	DEM2BC3.exe
2984	DEM8240.exe
804	DEMD7F1.exe
376	DEM2E00.exe
4480	DEM83E1.exe
2492	DEMDA0F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 3552	4012	c1ec9ea6984f021046382f79f55efdb4_JaffaCakes118.exe	97
PID 4012 wrote to memory of 3552	4012	c1ec9ea6984f021046382f79f55efdb4_JaffaCakes118.exe	97
PID 4012 wrote to memory of 3552	4012	c1ec9ea6984f021046382f79f55efdb4_JaffaCakes118.exe	97
PID 3552 wrote to memory of 2984	3552	DEM2BC3.exe	100
PID 3552 wrote to memory of 2984	3552	DEM2BC3.exe	100
PID 3552 wrote to memory of 2984	3552	DEM2BC3.exe	100
PID 2984 wrote to memory of 804	2984	DEM8240.exe	102
PID 2984 wrote to memory of 804	2984	DEM8240.exe	102
PID 2984 wrote to memory of 804	2984	DEM8240.exe	102
PID 804 wrote to memory of 376	804	DEMD7F1.exe	104
PID 804 wrote to memory of 376	804	DEMD7F1.exe	104
PID 804 wrote to memory of 376	804	DEMD7F1.exe	104
PID 376 wrote to memory of 4480	376	DEM2E00.exe	106
PID 376 wrote to memory of 4480	376	DEM2E00.exe	106
PID 376 wrote to memory of 4480	376	DEM2E00.exe	106
PID 4480 wrote to memory of 2492	4480	DEM83E1.exe	108
PID 4480 wrote to memory of 2492	4480	DEM83E1.exe	108
PID 4480 wrote to memory of 2492	4480	DEM83E1.exe	108

C:\Users\Admin\AppData\Local\Temp\c1ec9ea6984f021046382f79f55efdb4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1ec9ea6984f021046382f79f55efdb4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Users\Admin\AppData\Local\Temp\DEM2BC3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2BC3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Users\Admin\AppData\Local\Temp\DEM8240.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8240.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\DEMD7F1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD7F1.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:804
    - - C:\Users\Admin\AppData\Local\Temp\DEM2E00.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2E00.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:376
      - C:\Users\Admin\AppData\Local\Temp\DEM83E1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM83E1.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\DEMDA0F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDA0F.exe"
        7⤵
        Executes dropped EXE
        
        PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2BC3.exe

Filesize
14KB

MD5
bc65c3a030202dd3a294f1694b6d7de2

SHA1
c54446ee5d20fd67c19d4fbf21654e040e479d69

SHA256
e4a263d46cf54d98613ac6a5a187b7d28896b3a664e4e6bfbb59529ac1327bc8

SHA512
3bf32a9e8f59feaa1ded0e96f7c3bb9fa48591f9c570b877c827d8764ea71ef23b681a1edde34f6137cfed646ee9af789d5b7a832562e4b6cf0a51c35e9a0be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2E00.exe

Filesize
14KB

MD5
213c9e8e54144393831bdc276c56e2b6

SHA1
9da44b3eec37e0a8f6dc09d94bfcbe0c9bea70b1

SHA256
8993686e1d0297d189d58dd4683da265efe5d70ba03a1c844ee226d9143fd5bc

SHA512
28e685aaba751aa0b240798422f69194feff2044aecdd25e9970e48b84163db75a2c4d7ac22e1548438483f99802ee8611a22eca221f7c1aba2b06421c45e5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8240.exe

Filesize
14KB

MD5
1b9f96fe5cf0ee9aafaf378de3382c31

SHA1
7762f15e0f358430c65dc8f3ef66c8c5f4d532d6

SHA256
b9e797f00e75b72f9d39fde2d964d07caf01dbda8920307178c44d068e77a7cd

SHA512
bb09481222a47c5823461cff6b5542c2645608f04964fba47ba521e705d15fa47dcffbdb8f50914a66239c86e6e599f68e6f32891c8d41dc8746581016c64312

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM83E1.exe

Filesize
14KB

MD5
dc57b13905aac317192283812ef70f87

SHA1
5c2b3f50039cf5d5a08b705586fde4e861fb0976

SHA256
aa48184c683239b4e4667aa8b299a8530c6d89bca27c2b6f1c3febc8bc9576c7

SHA512
af6e265b1be3bf82f86766821484c7397ac4daa5a96fda5f4aca28172ed51e5069dfe1a50afe15317fc16f9275ea0fbf7e9081db53b18b7c341ed544ffd14664

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD7F1.exe

Filesize
14KB

MD5
b0f780da8b18eec1579315336334c567

SHA1
ac7feea0654df059b88a0a94b608fd0d21d46664

SHA256
9941d2b75159b52d09a00d74f9c7cfce1ecc5c7ce428e8da3fdeedf2bf6c5cc8

SHA512
ac43ca7d07cf1fbb3477bf74dff4426b0f66dcc49cb18670a2e246913a460b0e2a991e2cbb859d737c1739ecca150b124222ff025fd5877cd4318317f8e47a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDA0F.exe

Filesize
14KB

MD5
c727ca70e4c94627506bc8e177d37fa6

SHA1
74618cc89b2c904de3a8daab6f3a3372378e1986

SHA256
19fe2e673f23772f026e0ce642ee8d7fafd2a4b59b6482aa5c512d38f2aa5788

SHA512
346a06c21912788367d1a24e4daeb9f846fd10f04365d1e2ff541d3983da0f45cd75380c9128b9f9ad0ba838523627fb4a9b864a195cfda3d46efeff439c648f

Download Submit

Analysis

Sharing