31dacb0e4b58b7d12e82ca3991afe7462ec64359a4f7ef9f51f4a47123a99cda

General

Target

c7914dbe9884a7e18ac279033e5020fc_JaffaCakes118.exe
Size

14KB
MD5

c7914dbe9884a7e18ac279033e5020fc
SHA1

0d8d0bb22079b88f253ec28e32153f8da50b36df
SHA256

31dacb0e4b58b7d12e82ca3991afe7462ec64359a4f7ef9f51f4a47123a99cda
SHA512

a501d9ae505f64199165da4541b48ca2d14cfa52ff9528a716fc761397c299963a3daf627340ed9a3ae8631052d7fd0b57e797cd947bb253faa15b7123633706
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh5RAnCg:hDXWipuE+K3/SSHgxfg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEMD4F3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM2B22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM8131.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c7914dbe9884a7e18ac279033e5020fc_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM2887.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM7F03.exe

Executes dropped EXE 6 IoCs

pid	Process
3552	DEM2887.exe
4576	DEM7F03.exe
4692	DEMD4F3.exe
5796	DEM2B22.exe
5680	DEM8131.exe
3976	DEMD750.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 3552	3064	c7914dbe9884a7e18ac279033e5020fc_JaffaCakes118.exe	97
PID 3064 wrote to memory of 3552	3064	c7914dbe9884a7e18ac279033e5020fc_JaffaCakes118.exe	97
PID 3064 wrote to memory of 3552	3064	c7914dbe9884a7e18ac279033e5020fc_JaffaCakes118.exe	97
PID 3552 wrote to memory of 4576	3552	DEM2887.exe	100
PID 3552 wrote to memory of 4576	3552	DEM2887.exe	100
PID 3552 wrote to memory of 4576	3552	DEM2887.exe	100
PID 4576 wrote to memory of 4692	4576	DEM7F03.exe	102
PID 4576 wrote to memory of 4692	4576	DEM7F03.exe	102
PID 4576 wrote to memory of 4692	4576	DEM7F03.exe	102
PID 4692 wrote to memory of 5796	4692	DEMD4F3.exe	104
PID 4692 wrote to memory of 5796	4692	DEMD4F3.exe	104
PID 4692 wrote to memory of 5796	4692	DEMD4F3.exe	104
PID 5796 wrote to memory of 5680	5796	DEM2B22.exe	106
PID 5796 wrote to memory of 5680	5796	DEM2B22.exe	106
PID 5796 wrote to memory of 5680	5796	DEM2B22.exe	106
PID 5680 wrote to memory of 3976	5680	DEM8131.exe	108
PID 5680 wrote to memory of 3976	5680	DEM8131.exe	108
PID 5680 wrote to memory of 3976	5680	DEM8131.exe	108

C:\Users\Admin\AppData\Local\Temp\c7914dbe9884a7e18ac279033e5020fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c7914dbe9884a7e18ac279033e5020fc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\DEM2887.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2887.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Users\Admin\AppData\Local\Temp\DEM7F03.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7F03.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\DEMD4F3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD4F3.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Users\Admin\AppData\Local\Temp\DEM2B22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2B22.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5796
      - C:\Users\Admin\AppData\Local\Temp\DEM8131.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8131.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\DEMD750.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD750.exe"
        7⤵
        Executes dropped EXE
        
        PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2887.exe

Filesize
14KB

MD5
3038f0247fb693f1d159c85fabc7c06a

SHA1
a11829148510033e6a11f28d227ad05df543c8f5

SHA256
96f16fb8d2b1eb6a4a3ea063894a08e9c127ef039e44e5a95ab644f947e59d21

SHA512
9e2f0205ba5b5de1143abd1c4f59cf7970767d37f946df8421d1ef06b8600dcb80ee9942a4ba274d730cd59bb4da211d56df199124ca4d8ac2ab92d20b818dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2B22.exe

Filesize
14KB

MD5
69142c224f12ba030a6ee3c22dd80a56

SHA1
1acdbeeae726fdaeaac659ccb2496f18ccf91b0b

SHA256
2593ee2aa678b99b32bf0f687ec608ca71e9e1a7a694456ff1a851712b10e521

SHA512
eba93a3d19395b165db74473622550593829df5279f1b29ffc1d65e8b41c200431800abb44b0b2d058c51ec11b4951b0d710ac0f2ecf6e78c70f2851ca92777c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7F03.exe

Filesize
14KB

MD5
34939c39b123dd3f94b6b00575c9da35

SHA1
8bd3e9a2a6ec553bf77562e167d966315d7edac1

SHA256
b86886e3d887f5760786ea4f3da864d1071b771d71f399608302a57e3c3099f8

SHA512
3429ba697a5374ba7e869702ef7341e6c11a6aee8f36a6d1c57427dffd8cb0bfc4ca4d7b6abdb09f56398a300d5eb5c60b9b7986896d792cc4d5db7683f1cb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8131.exe

Filesize
14KB

MD5
1485610e119c5b27ab6b69ebbfbe3ad6

SHA1
2d52aab2d7e0ff2e7ec6c459a0db0e3b8cd3b048

SHA256
bb450fb1a8171c9fa5eed546f0d09d3569117c98c50efccdff40aaa331104b04

SHA512
1115984f5e6f50817e3fe07ba5294429e374b2dcd30ea1be3d68dc4b7eb3cf414a94493027c57930b1676509ecbd956f5b8c855f3d2dce12d008a89e2480d3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD4F3.exe

Filesize
14KB

MD5
2f7d9758885b7bb92c0ff66a3adc57b1

SHA1
2c3343194b86bf71b1a1c771356ee1514a608343

SHA256
8c1198a4985ae2b180bedc3a468f0d798700aaba4179230c8e5622e5200148bb

SHA512
413c92ee1d70c012d311e76015520e114466d14f48c4ea90e307ff496f09baa2bfd7babcec7ae6391dbc8684dc0ed52ccef035e75f86a474538e88b909e521a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD750.exe

Filesize
14KB

MD5
51ba2f32ee41d38ce629a57762129372

SHA1
9903c55a0fb7c11d37f11ad7214db3270e9ffa53

SHA256
2904b37e7de8d5556626ee2bcf59f378d37f3494e5fdef9a7f0b55946313276b

SHA512
0c5dae2673976759b239b423523b352ebaddfaa05a87529347740128d536a7ec0f026ec84bb201a216459778984c868c564d6470ac8ef74ee88135d61d354d70

Download Submit

Analysis

Sharing