f74cf3063220d8ff8754ea7a749c3f90cba4ef1db01e065f263f60050792b120

General

Target

c3205ba22e31f513db9f555cf4fd7f23_JaffaCakes118.exe
Size

14KB
MD5

c3205ba22e31f513db9f555cf4fd7f23
SHA1

799ded4daa2f278d7c8a9b1e63bcc4b676e00733
SHA256

f74cf3063220d8ff8754ea7a749c3f90cba4ef1db01e065f263f60050792b120
SHA512

5cc0a4972fdbe433bebe6d757ffcfc9114d02b3c08dae92b31ff2bcd00237a2ff2253315bfa046a3b44160eb82e72aa6c89edaefc2d1cbaae5f6b15beb9f2acc
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5Hj:hDXWipuE+K3/SSHgxmdj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEMDACF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM30EE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM873C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	c3205ba22e31f513db9f555cf4fd7f23_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM2DE6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	DEM8472.exe

Executes dropped EXE 6 IoCs

pid	Process
4048	DEM2DE6.exe
1580	DEM8472.exe
4568	DEMDACF.exe
5068	DEM30EE.exe
4836	DEM873C.exe
2668	DEMDD4B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 4048	4672	c3205ba22e31f513db9f555cf4fd7f23_JaffaCakes118.exe	96
PID 4672 wrote to memory of 4048	4672	c3205ba22e31f513db9f555cf4fd7f23_JaffaCakes118.exe	96
PID 4672 wrote to memory of 4048	4672	c3205ba22e31f513db9f555cf4fd7f23_JaffaCakes118.exe	96
PID 4048 wrote to memory of 1580	4048	DEM2DE6.exe	99
PID 4048 wrote to memory of 1580	4048	DEM2DE6.exe	99
PID 4048 wrote to memory of 1580	4048	DEM2DE6.exe	99
PID 1580 wrote to memory of 4568	1580	DEM8472.exe	101
PID 1580 wrote to memory of 4568	1580	DEM8472.exe	101
PID 1580 wrote to memory of 4568	1580	DEM8472.exe	101
PID 4568 wrote to memory of 5068	4568	DEMDACF.exe	103
PID 4568 wrote to memory of 5068	4568	DEMDACF.exe	103
PID 4568 wrote to memory of 5068	4568	DEMDACF.exe	103
PID 5068 wrote to memory of 4836	5068	DEM30EE.exe	105
PID 5068 wrote to memory of 4836	5068	DEM30EE.exe	105
PID 5068 wrote to memory of 4836	5068	DEM30EE.exe	105
PID 4836 wrote to memory of 2668	4836	DEM873C.exe	107
PID 4836 wrote to memory of 2668	4836	DEM873C.exe	107
PID 4836 wrote to memory of 2668	4836	DEM873C.exe	107

C:\Users\Admin\AppData\Local\Temp\c3205ba22e31f513db9f555cf4fd7f23_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c3205ba22e31f513db9f555cf4fd7f23_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Users\Admin\AppData\Local\Temp\DEM2DE6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2DE6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Users\Admin\AppData\Local\Temp\DEM8472.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8472.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\DEMDACF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDACF.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Users\Admin\AppData\Local\Temp\DEM30EE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM30EE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5068
      - C:\Users\Admin\AppData\Local\Temp\DEM873C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM873C.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\DEMDD4B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDD4B.exe"
        7⤵
        Executes dropped EXE
        
        PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2DE6.exe

Filesize
14KB

MD5
1d85130b6337a16500b707900dc9bcfb

SHA1
b7f10c121173cf3e9d253e21ed28836410fd1b28

SHA256
aacdd433300ed3cb970ed9a1d6b3cf00d3928b5671c53fbf2945ebd318838e51

SHA512
bf4ab368a9b4865a5259bee514c3369ce16c60a08caa66075c05cc22b4294afcad43b25adffb4ab03c0fe93862a58a90cdde4f1138efdc72fb8b834c403c4cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM30EE.exe

Filesize
14KB

MD5
f7674e8affd1f511cd2f628270c42d3d

SHA1
bc7c26db49657eeefd5cb7613bc307ec08979976

SHA256
cf8f480c9b5b3b3e4307b14cf440cc1bcc15876aa02e64772612667e7672fc0c

SHA512
49cc6b5380d07a08563b360ca66e10110a90b42341c9c35574ae7657cb32e837c90bc8668c342e7a3503aaf7436269df5886bef937f9da23cd051ebbc1b47eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8472.exe

Filesize
14KB

MD5
04152c304a8171573dc1375ab39c5c44

SHA1
8f706e1921cb57b8da9393af35c55687362d3fab

SHA256
b88364539dc53378df462b5a1b47d588ef6e42008f4dd1dec31e25c133f8666c

SHA512
4e1417773b3ae0ca95e997618659b56ad8450c0f813b7782e43d01c13672d1a1ad4f7ce9be3c873f8270d2a58d984fa81819d20d3fd2969628c48291b3d3a34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM873C.exe

Filesize
14KB

MD5
e4774931694520b3d1db0e99bd1b94dc

SHA1
fa1ffca23d4aff8d4dbe957a1402479cb9a3cc63

SHA256
f762048d7a8264e68f30a660d96b8ee650334ff5ab634163b9927e63529066e5

SHA512
6c82b2dcbfed4cc6317a32dde86fd4549ec414de7d25409cf418e1ca96e2a9da555d19c1eab0ee34c6c0cd2af33efc62fded03d9e121ab38095df6457fc1f691

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDACF.exe

Filesize
14KB

MD5
b1ca8db4064809f410b2ae6b3be2c6eb

SHA1
67f5805aa3fb0b87d8e916bb789b014e67d1957b

SHA256
e14d17015a7cbe28bc093aa4e59b0bbc105358c4a3aed62668fe9647a1abe9a2

SHA512
d81a667b9c80355e27e29f567050f338972cf01c12f1776f717c452d74dfb8576be54bb55a1892ad727e0f0b616ec7ca64f5bb578e65ff415ce149edf3454ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDD4B.exe

Filesize
14KB

MD5
129ddf45fa43dc61950696d49230b3b7

SHA1
acc22625c1058531e40566804d55cfcf74332eae

SHA256
0c28062bbce94840a8ab8254810af3c0f01dc92ba91c1d6f82c7ede55122300c

SHA512
f791b6f94ab2bfd0141a71138197760d7b8592a2a47f63d99f272400c54cf3549e6426885b316ed84e04f33cffd7b3e3f7a62d6467f81dad14b8cbb6ff4f3a51

Download Submit

Analysis

Sharing