040b42eb5d1380125a95f0230c00070343a977feef111be712474a81b8eb423b

General

Target

d5f57e7fc7748e61f22f6a3a5c8a5312_JaffaCakes118.exe
Size

14KB
MD5

d5f57e7fc7748e61f22f6a3a5c8a5312
SHA1

3bf15c4f2ea2c7d00b439b0aba5dd314a95906b2
SHA256

040b42eb5d1380125a95f0230c00070343a977feef111be712474a81b8eb423b
SHA512

27feed31d35e3da097cd5f99770602ab228ed1af31ebfd7c0b3620f338439a15e6eb65fef6ffc19276df28b50f9f810191459e06793bd1f914dbd572541020af
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdHd:hDXWipuE+K3/SSHgx3NHd

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMF1DD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	d5f57e7fc7748e61f22f6a3a5c8a5312_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM8F30.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEME9C4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM4215.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM99CA.exe

Executes dropped EXE 6 IoCs

pid	Process
2252	DEM8F30.exe
1084	DEME9C4.exe
2876	DEM4215.exe
4324	DEM99CA.exe
3928	DEMF1DD.exe
3236	DEM4A2E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2252	2864	d5f57e7fc7748e61f22f6a3a5c8a5312_JaffaCakes118.exe	94
PID 2864 wrote to memory of 2252	2864	d5f57e7fc7748e61f22f6a3a5c8a5312_JaffaCakes118.exe	94
PID 2864 wrote to memory of 2252	2864	d5f57e7fc7748e61f22f6a3a5c8a5312_JaffaCakes118.exe	94
PID 2252 wrote to memory of 1084	2252	DEM8F30.exe	99
PID 2252 wrote to memory of 1084	2252	DEM8F30.exe	99
PID 2252 wrote to memory of 1084	2252	DEM8F30.exe	99
PID 1084 wrote to memory of 2876	1084	DEME9C4.exe	101
PID 1084 wrote to memory of 2876	1084	DEME9C4.exe	101
PID 1084 wrote to memory of 2876	1084	DEME9C4.exe	101
PID 2876 wrote to memory of 4324	2876	DEM4215.exe	103
PID 2876 wrote to memory of 4324	2876	DEM4215.exe	103
PID 2876 wrote to memory of 4324	2876	DEM4215.exe	103
PID 4324 wrote to memory of 3928	4324	DEM99CA.exe	105
PID 4324 wrote to memory of 3928	4324	DEM99CA.exe	105
PID 4324 wrote to memory of 3928	4324	DEM99CA.exe	105
PID 3928 wrote to memory of 3236	3928	DEMF1DD.exe	107
PID 3928 wrote to memory of 3236	3928	DEMF1DD.exe	107
PID 3928 wrote to memory of 3236	3928	DEMF1DD.exe	107

C:\Users\Admin\AppData\Local\Temp\d5f57e7fc7748e61f22f6a3a5c8a5312_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d5f57e7fc7748e61f22f6a3a5c8a5312_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\DEM8F30.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8F30.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\DEME9C4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME9C4.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\DEM4215.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4215.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Users\Admin\AppData\Local\Temp\DEM99CA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM99CA.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4324
      - C:\Users\Admin\AppData\Local\Temp\DEMF1DD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF1DD.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\DEM4A2E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4A2E.exe"
        7⤵
        Executes dropped EXE
        
        PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4215.exe

Filesize
14KB

MD5
84bcd6e911eac76382f24c65d05c3049

SHA1
37c7c63ed95e03b4a6ef2e41700006ce3c76bfb3

SHA256
e539eb73b60dabaac41544c31727bda95412f70265e7bcc671273e112d5c8112

SHA512
4ce854ad416407619492b8da3a01a3f399818ad98825600eb6e3f599b01b0cbe8203470013e1a27f52515525dc7b238ae332d9c16b9b786a4238aafb147334a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4A2E.exe

Filesize
14KB

MD5
f35596baf8842802e7d80d9a692529cd

SHA1
0c514110215d8897b6e2eb5943bc8c8e02051d4d

SHA256
377e19726b413caad4340eac35f8020c5d3cfdb47bc5ad48dac1ecaf264927ee

SHA512
f84a1eef49dbce08028121cf561b348980e029808743dc90a0118428a90c868c8d3bb95138b1539293137738f68757dc4241e5f8a5b8d5d7691cdf49b5a5aa3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8F30.exe

Filesize
14KB

MD5
8f9cd42766cc89d1b7839f932804b01d

SHA1
3a1c0b64017f1f0d647d7ce5560a5ceffe558494

SHA256
86a79495e492fefe5b4b42ca667eec231a3a273ba701db2724fd4428ada19d5c

SHA512
54e72db061b3df6dc438684c8b984103bd38413fab090b368bd94d82aa096e3a11b2e38b33a44caa1dce0562f6a00600a7ebac6dc6d89e18789549dae2482e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM99CA.exe

Filesize
14KB

MD5
969ee93ee750d16d17ded02da7bc5d82

SHA1
371bbaefc2a1b05b170bd93fcb16a2b6ec582f01

SHA256
f34b74c8e91784887589035f5800e2e3ceb6e454d4857c47f9b2d8ac8c58d232

SHA512
e830e7c8c54a3dd347392c6926262b46156c4b9272b3fa097ba0610f711699938f37a1246a61fb87d0d02464aa2067d905ee7e3ddcd2e6b5e9a152ca9977303e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME9C4.exe

Filesize
14KB

MD5
7893da0b044bda011087fd12b73076e4

SHA1
234d3cefa633cd080208aae8e3939dc4fd0d2935

SHA256
350e2a5208de522fdd091eb5639057374f3dcc246fe322ba3b60b0ea75a221df

SHA512
53dd3f48ba22e5da7bb66b50b287ee33281cecb07a2cdfc4886e0d2a7b8db8683fd24c7550cd8a345ad7a9b09690faa1fb4c64f58c239024f3a64cadae410595

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF1DD.exe

Filesize
14KB

MD5
a23eb49c442b2ad631d6b0e63b6fd3b0

SHA1
fbf988323aed0e4078a456eba227a8a612636bb4

SHA256
b7add69c41cdd656cd388bb7ebd02a670098e6be0c3fa12cf9adee1d3892a501

SHA512
3504b7918f2fa06e023ddf80acd5c6504ed85daaed4fe30d9bcc5a1327b59ea46852a412b6120256edfc86b03f99d2e6e10ba51955e233d17add2b3a71e916f9

Download Submit

Analysis

Sharing