b5a3bc1ccfb072c5f73967f0c507b7d66594912bb002e28df0efa2143a53fde9

General

Target

d24d403152e422b4ec7bcd4f8ce37e59_JaffaCakes118.exe
Size

15KB
MD5

d24d403152e422b4ec7bcd4f8ce37e59
SHA1

18dfd2cdb03de3c2aa4944e6e80342abad2ffd7c
SHA256

b5a3bc1ccfb072c5f73967f0c507b7d66594912bb002e28df0efa2143a53fde9
SHA512

8836c260981a5ebeaa764a57c1574513859e79c0d80d9cf0d1a124dd2f0dad4623ba7731266f3a9195c1bead37a08b2adab6bff0a6402a9199b7a1b6c2c926e4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4lCj:hDXWipuE+K3/SSHgxmF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEME966.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM4002.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM9601.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	d24d403152e422b4ec7bcd4f8ce37e59_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM3BF0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM9357.exe

Executes dropped EXE 6 IoCs

pid	Process
732	DEM3BF0.exe
4528	DEM9357.exe
3256	DEME966.exe
532	DEM4002.exe
4136	DEM9601.exe
2452	DEMEC4F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 732	4936	d24d403152e422b4ec7bcd4f8ce37e59_JaffaCakes118.exe	97
PID 4936 wrote to memory of 732	4936	d24d403152e422b4ec7bcd4f8ce37e59_JaffaCakes118.exe	97
PID 4936 wrote to memory of 732	4936	d24d403152e422b4ec7bcd4f8ce37e59_JaffaCakes118.exe	97
PID 732 wrote to memory of 4528	732	DEM3BF0.exe	100
PID 732 wrote to memory of 4528	732	DEM3BF0.exe	100
PID 732 wrote to memory of 4528	732	DEM3BF0.exe	100
PID 4528 wrote to memory of 3256	4528	DEM9357.exe	102
PID 4528 wrote to memory of 3256	4528	DEM9357.exe	102
PID 4528 wrote to memory of 3256	4528	DEM9357.exe	102
PID 3256 wrote to memory of 532	3256	DEME966.exe	104
PID 3256 wrote to memory of 532	3256	DEME966.exe	104
PID 3256 wrote to memory of 532	3256	DEME966.exe	104
PID 532 wrote to memory of 4136	532	DEM4002.exe	106
PID 532 wrote to memory of 4136	532	DEM4002.exe	106
PID 532 wrote to memory of 4136	532	DEM4002.exe	106
PID 4136 wrote to memory of 2452	4136	DEM9601.exe	108
PID 4136 wrote to memory of 2452	4136	DEM9601.exe	108
PID 4136 wrote to memory of 2452	4136	DEM9601.exe	108

C:\Users\Admin\AppData\Local\Temp\d24d403152e422b4ec7bcd4f8ce37e59_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d24d403152e422b4ec7bcd4f8ce37e59_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\DEM3BF0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3BF0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Users\Admin\AppData\Local\Temp\DEM9357.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9357.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\DEME966.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME966.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3256
    - - C:\Users\Admin\AppData\Local\Temp\DEM4002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4002.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:532
      - C:\Users\Admin\AppData\Local\Temp\DEM9601.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9601.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\DEMEC4F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEC4F.exe"
        7⤵
        Executes dropped EXE
        
        PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3BF0.exe

Filesize
15KB

MD5
e3d711ca24a76588c8c9470dcc3d32ae

SHA1
6d03f7966683c0aff823e25f5d2745482e2f0f2b

SHA256
344c007c902857ef8de8561f6977362bdee02414162d495bd4fff739622e8676

SHA512
64aacff4d4dda4eee0dba08bf46e0c8ef9050ffc705e8ee91fa1df30291c6e9a8d10ee63d478bef8f299c885188c4daad524d488efa6c08a21efc652b799aec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4002.exe

Filesize
15KB

MD5
b6234f956c662323484ed6047f0e67b0

SHA1
532a74aaec75a55f5e8fa9a17f95745fbd5e4a9a

SHA256
e2a9aca0428d8789e69021e224ca71675af1224d442d12681629c83275a9cc1d

SHA512
1a653024f0663ba54193feb721a3b9a948910dbcaf206aeae3cb999660eff9b1e5e9d292a20022a8ce35164f6aba56a53160aaed72f231a07c7c71cbfe065f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9357.exe

Filesize
15KB

MD5
2ef167fc16e641dedd82c98a12d9ad3f

SHA1
8cf444ce3d8736a852b35d06204c29abba5c00ac

SHA256
b3c15c7f0d2acf84a8049f50311528c72597c5db475ea0d5e5796221f3be088e

SHA512
c33d260ace29fcae96b4f783a011518dc1ffd276c9a7885ef5153348dd1f33a1156e9d83342b2eb02b8372992ed671016394f799cc607f28ab3ddb2471692e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9601.exe

Filesize
15KB

MD5
e3cf25138bb173acb466f90424204b4e

SHA1
42b20b142644b6a18af57ebbdd7ed9e402031f7d

SHA256
aa6cfa4b8209ee325d71d604db03c47e755b830ff7838c0c3efb9eafe00c3a4a

SHA512
fd37ff44402a2775fcb4bbf67ee91cf8738b606e27bf0e4dd46309fdb7c599097fc00ed6937fa6cd2df432dfeede91b7fd506fb3d67a8b5d3e46c2379f460697

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME966.exe

Filesize
15KB

MD5
a68166f59a4cb649bdf52b4d6bbdcdcd

SHA1
d909e04157077c0455ad70c282cc366db96554b0

SHA256
3f93be7b4a6e8a635ed2cccecee692f95b08c49b58bdadd7c689bcfe5ef8fe64

SHA512
aff50e3ddb3a1ace83c4443afb9fed8020b2b3026b781f01bfde6dcbac257579ce8b55fb41e94426f99ed81f59822e7baacf7b54757feb11e7d8d3b1488afaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEC4F.exe

Filesize
15KB

MD5
eef2f0099899a7f134d9633d087560f5

SHA1
4d9f726ac0fe8a02f3fd6426fa25228f979025f2

SHA256
7933bf9c17a59346809fb872dc1b3db4cfcb6de2d8e2c64db00d99ffff58e1e0

SHA512
c45db4a2a4d22c5b336055796ec5af1fb41c1b828db231d3d8eeddb5c54c303e98576f89216dfe7769117640e1e4617c44a7087faba890fbb3e40db59799375c

Download Submit

Analysis

Sharing