4cc21f549bd06784c262a150b7338bc4257f088c0efcbe41fcb42ec4f575c2f5

General

Target

c958909869d41fe70e6474ebb22d78af_JaffaCakes118.exe
Size

16KB
MD5

c958909869d41fe70e6474ebb22d78af
SHA1

c493e88ae3e5d46ff8d6076d2831aa13ebdcc9c2
SHA256

4cc21f549bd06784c262a150b7338bc4257f088c0efcbe41fcb42ec4f575c2f5
SHA512

c08b8dac76c44421529e0c4a3914c4d04e92bd8e31ff2a4ae7d70ca2f6c55dac62102f35ed57505f0acc42eb95e53f223a2a7ff1e6df5ffdbb0ee9b110f02d1d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh3+:hDXWipuE+K3/SSHgxw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM5F13.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMB61C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	c958909869d41fe70e6474ebb22d78af_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM55FF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMAF4B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM710.exe

Executes dropped EXE 6 IoCs

pid	Process
1972	DEM55FF.exe
1556	DEMAF4B.exe
1804	DEM710.exe
224	DEM5F13.exe
2236	DEMB61C.exe
1776	DEMDA2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 1972	3464	c958909869d41fe70e6474ebb22d78af_JaffaCakes118.exe	96
PID 3464 wrote to memory of 1972	3464	c958909869d41fe70e6474ebb22d78af_JaffaCakes118.exe	96
PID 3464 wrote to memory of 1972	3464	c958909869d41fe70e6474ebb22d78af_JaffaCakes118.exe	96
PID 1972 wrote to memory of 1556	1972	DEM55FF.exe	99
PID 1972 wrote to memory of 1556	1972	DEM55FF.exe	99
PID 1972 wrote to memory of 1556	1972	DEM55FF.exe	99
PID 1556 wrote to memory of 1804	1556	DEMAF4B.exe	101
PID 1556 wrote to memory of 1804	1556	DEMAF4B.exe	101
PID 1556 wrote to memory of 1804	1556	DEMAF4B.exe	101
PID 1804 wrote to memory of 224	1804	DEM710.exe	103
PID 1804 wrote to memory of 224	1804	DEM710.exe	103
PID 1804 wrote to memory of 224	1804	DEM710.exe	103
PID 224 wrote to memory of 2236	224	DEM5F13.exe	105
PID 224 wrote to memory of 2236	224	DEM5F13.exe	105
PID 224 wrote to memory of 2236	224	DEM5F13.exe	105
PID 2236 wrote to memory of 1776	2236	DEMB61C.exe	107
PID 2236 wrote to memory of 1776	2236	DEMB61C.exe	107
PID 2236 wrote to memory of 1776	2236	DEMB61C.exe	107

C:\Users\Admin\AppData\Local\Temp\c958909869d41fe70e6474ebb22d78af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c958909869d41fe70e6474ebb22d78af_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\AppData\Local\Temp\DEM55FF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM55FF.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\DEMAF4B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAF4B.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\DEM710.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM710.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1804
    - - C:\Users\Admin\AppData\Local\Temp\DEM5F13.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5F13.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:224
      - C:\Users\Admin\AppData\Local\Temp\DEMB61C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB61C.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\DEMDA2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDA2.exe"
        7⤵
        Executes dropped EXE
        
        PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM55FF.exe

Filesize
16KB

MD5
5d583bfec871e7ca67dcc272e3f7714c

SHA1
889cc5cfc8e4beeb7eeb76d5ff2bbd5d04cfaf42

SHA256
beca63f58bf96e17f2cee8bf297227429bea2fcda84fbc181a42c79a4e7aa83f

SHA512
fa5b238c49aada478694dd9627294eba9f50b613f99a2346078c131bae3f62ad93780a73717989e8c55171c1da302a4851da59f464dc7c7cbbc7b2ed3fad637f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5F13.exe

Filesize
16KB

MD5
921aff6c83c3cef682c549bc2b434ee1

SHA1
bd83c2d4781ad0e8a43e9d16f069b93464b61f41

SHA256
cb7d75792d5cb167d150c90aae86580c81b993c3c4ae8e806cfc5b3de3f286f8

SHA512
0017cf69ef9eabc34aed0448d6c3873cfed910e56e412611078d57d6d01b790058c23c16d7a1c63b8308637c100cb8652751d51217f5fa036b0fc57b57339756

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM710.exe

Filesize
16KB

MD5
73d31026a107b22e676eaf88758e0b7b

SHA1
803905cd17a1743c5f70b7ae8ac389c588a3ec2d

SHA256
5090c9aeaa5b5a411d810187255b8dd5450a13d50160dcd39db97c405ea9f3c7

SHA512
792e85d543d484179554cff4b3af9d9e6f0c546887641cd8b2763c100aaa90dcdd8ffd91780ce393b65af9072a797ed0fb76f31ef46cd6ac3eafe62b4c3d6786

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAF4B.exe

Filesize
16KB

MD5
9c63448911ea08a7be4ebb88850841d4

SHA1
239159e79cef554071c38027ffa4c250707c9829

SHA256
aeda5b2d16855827eb3cf1a0da63da4e18a13309246040948d97a6cf22f64f8d

SHA512
225fcf536670fc6fbe952af9b8314576471fe2c357789b3138fdb8d28b9bd4c12527d66786b09c478671ee4d75b9fb4c770b36e5ece9bdb2b18829b60a6ec6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB61C.exe

Filesize
16KB

MD5
80ebd46cc8686672015d6b0118c6cc1d

SHA1
fff62f4ee76f5d1e5aff95d03935bac812f08daa

SHA256
c27f09ec3cd914ffb32bc71d62e4ef8ad1effcedc9e832017fb828f15ddeff39

SHA512
0a221100a4264f0548688c8e396bd7fc77543f06bc5515ac4fbf1b8fe09f746b16bf84b8e56f4e4e2e41578f9a251b3e2b0e4dda9730e20a9a89dc9131a3a9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDA2.exe

Filesize
16KB

MD5
1be73e1748a131d22a9994ab0780d371

SHA1
cabd87bef6a906eadbe5dc64bbed43418af5241f

SHA256
8447556a3d107d42f7da291e2cd8c69aceeb76b3f3d211b600432ca48c53da45

SHA512
e13fa376165b00d7b9da2a855e358615dae8f184193f17dc9d48bcf1f7ac05790e7daa5498ae92344ba0d7775bdcb80483efcd7e6bef636e5777a9bae1ec5802

Download Submit

Analysis

Sharing