1c3f1ad869e7cacfedc2db9f638102a4b2f41edb6af7697e3f0486d44d17eb13

General

Target

c2ccb64b7cc6f8bd3f7438058e056498_JaffaCakes118.exe
Size

14KB
MD5

c2ccb64b7cc6f8bd3f7438058e056498
SHA1

a26d6b59a4d2b20d660ad42ebdd26f9279ba8db9
SHA256

1c3f1ad869e7cacfedc2db9f638102a4b2f41edb6af7697e3f0486d44d17eb13
SHA512

8511dc556e05848b3b19650780cec7a99652539f200a49bc6456bd9923f4197b9b2f7e4c3d77b7986b699848798ad41553469fbd483dcbf15c76c89de8d9c7eb
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5W:hDXWipuE+K3/SSHgxmI

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM624F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEMB820.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c2ccb64b7cc6f8bd3f7438058e056498_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM5FC3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEMB621.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEMC30.exe

Executes dropped EXE 6 IoCs

pid	Process
5068	DEM5FC3.exe
2812	DEMB621.exe
2524	DEMC30.exe
3916	DEM624F.exe
1108	DEMB820.exe
4548	DEME3F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 5068	628	c2ccb64b7cc6f8bd3f7438058e056498_JaffaCakes118.exe	96
PID 628 wrote to memory of 5068	628	c2ccb64b7cc6f8bd3f7438058e056498_JaffaCakes118.exe	96
PID 628 wrote to memory of 5068	628	c2ccb64b7cc6f8bd3f7438058e056498_JaffaCakes118.exe	96
PID 5068 wrote to memory of 2812	5068	DEM5FC3.exe	99
PID 5068 wrote to memory of 2812	5068	DEM5FC3.exe	99
PID 5068 wrote to memory of 2812	5068	DEM5FC3.exe	99
PID 2812 wrote to memory of 2524	2812	DEMB621.exe	101
PID 2812 wrote to memory of 2524	2812	DEMB621.exe	101
PID 2812 wrote to memory of 2524	2812	DEMB621.exe	101
PID 2524 wrote to memory of 3916	2524	DEMC30.exe	103
PID 2524 wrote to memory of 3916	2524	DEMC30.exe	103
PID 2524 wrote to memory of 3916	2524	DEMC30.exe	103
PID 3916 wrote to memory of 1108	3916	DEM624F.exe	105
PID 3916 wrote to memory of 1108	3916	DEM624F.exe	105
PID 3916 wrote to memory of 1108	3916	DEM624F.exe	105
PID 1108 wrote to memory of 4548	1108	DEMB820.exe	107
PID 1108 wrote to memory of 4548	1108	DEMB820.exe	107
PID 1108 wrote to memory of 4548	1108	DEMB820.exe	107

C:\Users\Admin\AppData\Local\Temp\c2ccb64b7cc6f8bd3f7438058e056498_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c2ccb64b7cc6f8bd3f7438058e056498_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Local\Temp\DEM5FC3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5FC3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Users\Admin\AppData\Local\Temp\DEMB621.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB621.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\DEMC30.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC30.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Users\Admin\AppData\Local\Temp\DEM624F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM624F.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Users\Admin\AppData\Local\Temp\DEMB820.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB820.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\DEME3F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME3F.exe"
        7⤵
        Executes dropped EXE
        
        PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5FC3.exe

Filesize
14KB

MD5
3cedbfa1c9580c96a21eecb2a188fc83

SHA1
f5df44e30dda6ccafa0d52fffb49d7b38c9045c9

SHA256
691cef7729ea04b15954d2144c9b80ab9b16e60ca2494dcae506e6b99cf47940

SHA512
35a9f4397f85311442ea28308a9fff070beec0cc7e07f04d455919aa89939398f2170b88377d3568517c6a1d0b2053366f98de094e19b51a6f801b83bb0a5348

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM624F.exe

Filesize
14KB

MD5
3d705e8158ecfd96189a004b5f3580aa

SHA1
bd30ac62094ca923517891fa9bd16d5b49850986

SHA256
425b01c92c2b90b6b17e60aeafb4a10bc76dcdc50ae6147fdb2af4897a896637

SHA512
ada03ebd357df51cf601cf89ecc5b51a172b4bc72bfb844315199c4ac60e2389f933d6e1b849dae2250663828676abad498624a1e31fa5d9b220c598079669b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB621.exe

Filesize
14KB

MD5
19ca97163a1698465741266f09cb30e9

SHA1
7e5fda57a807f048fbace9da8906bb11aa093497

SHA256
7d6a5b7620381af041b2281af45fe56467a86da53cd47f38c2225f3dbd74984c

SHA512
4489e5e12e8e4cfebd6042270d7a6fedc7a5c24a6cd8377e9e302f87b4d96cb5b0e198f6a022bd60eba377d7047a4b1a78743d850da2398a0be1bc013436d948

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB820.exe

Filesize
14KB

MD5
8c957bb5d2822ac3f064829eaea178bf

SHA1
faf24ab1ec07a287e242206e29ae337ee434b056

SHA256
189f3f624321abd0136aa1c5a8fa010254eb8645beedef0ecf407d19b1a4a899

SHA512
b811889b1245167552f8573d5e8e328652048acda1c98b3f05d1fb0e622120e97e6b39c6b97cf25f9a3a94cc929341b6dc7dc8613475b93260e125ceefe1577b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC30.exe

Filesize
14KB

MD5
24caa96c7140564d21ff2b0342f50505

SHA1
bd840f25078586351743aaa539a7aaf7cb0fd3e3

SHA256
94016a5046098829ff9d19605f26e38eee57bb80f360436c0ef3bf5b4fbe3e7b

SHA512
5fef28cb87266b814d6c29d7e17c5810f5577e36ef67b0b6099183c5a07aa9ed9d6684030093bec7e27ec18456ad3ff3bedd2ab494fe6c0820b209802b216300

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME3F.exe

Filesize
14KB

MD5
922d0bb06fcee5bb4e57ac24f697852f

SHA1
12d770bc25bd2874e1ddab937fe31f9d7ffa2792

SHA256
b20a652553b74e99dc4526f2ed0e77e134712ec3a7a5b210367efca67b1c0d9f

SHA512
d7ccadbfe5b8b3072fe5aa8cfa05a489a4591e060efcb707ffc70cca7be0144b8b72ee19b685bbed1687911ca546e79d99947d32b764babd160d490651d234b7

Download Submit

Analysis

Sharing