a56235728ba2871b53b27ea41139b183c4a5d11a76f3187beaca63730df5b560

General

Target

d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe
Size

15KB
MD5

d68c702351756d970a4f81c64823fd4b
SHA1

f42d712a0a5e05209462fc7ce0f4eb8e250d8f6e
SHA256

a56235728ba2871b53b27ea41139b183c4a5d11a76f3187beaca63730df5b560
SHA512

cdae8b5720d96b1d2c3f7f0146f06c97cca1bc18f3d53aabd4ba4260727071a24016f9dc9d2badd9fe7c67e175ac666f165b2b12561386dd33baf6abc1f02f7c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJdS:hDXWipuE+K3/SSHgxhS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMB8E0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM10E3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM68A8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMC00F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM5FC3.exe

Executes dropped EXE 6 IoCs

pid	Process
4244	DEM5FC3.exe
3596	DEMB8E0.exe
4144	DEM10E3.exe
4316	DEM68A8.exe
1212	DEMC00F.exe
4892	DEM1718.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 4244	1716	d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe	96
PID 1716 wrote to memory of 4244	1716	d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe	96
PID 1716 wrote to memory of 4244	1716	d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe	96
PID 4244 wrote to memory of 3596	4244	DEM5FC3.exe	99
PID 4244 wrote to memory of 3596	4244	DEM5FC3.exe	99
PID 4244 wrote to memory of 3596	4244	DEM5FC3.exe	99
PID 3596 wrote to memory of 4144	3596	DEMB8E0.exe	101
PID 3596 wrote to memory of 4144	3596	DEMB8E0.exe	101
PID 3596 wrote to memory of 4144	3596	DEMB8E0.exe	101
PID 4144 wrote to memory of 4316	4144	DEM10E3.exe	103
PID 4144 wrote to memory of 4316	4144	DEM10E3.exe	103
PID 4144 wrote to memory of 4316	4144	DEM10E3.exe	103
PID 4316 wrote to memory of 1212	4316	DEM68A8.exe	105
PID 4316 wrote to memory of 1212	4316	DEM68A8.exe	105
PID 4316 wrote to memory of 1212	4316	DEM68A8.exe	105
PID 1212 wrote to memory of 4892	1212	DEMC00F.exe	107
PID 1212 wrote to memory of 4892	1212	DEMC00F.exe	107
PID 1212 wrote to memory of 4892	1212	DEMC00F.exe	107

C:\Users\Admin\AppData\Local\Temp\d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\DEM5FC3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5FC3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Users\Admin\AppData\Local\Temp\DEMB8E0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB8E0.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Users\Admin\AppData\Local\Temp\DEM10E3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM10E3.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4144
    - - C:\Users\Admin\AppData\Local\Temp\DEM68A8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM68A8.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4316
      - C:\Users\Admin\AppData\Local\Temp\DEMC00F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC00F.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\DEM1718.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1718.exe"
        7⤵
        Executes dropped EXE
        
        PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM10E3.exe

Filesize
15KB

MD5
07f24eb9df0697e0c10b35f94062d681

SHA1
d5024782e135a0b0ebd9d99b8fa83a137016b44a

SHA256
18c4c8aca3801909da44b775fb92a79a4c35e485b8cde1efdbfd19c8dac5140c

SHA512
990ced637df80319ae92cc16a0528f0f43a3640d5cc15d60ff4e4ced0acb6946179ed0efb50acfe7af7bc37838c21ff9b3cabb25c5194f869bf0d21e9409e858

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1718.exe

Filesize
15KB

MD5
2ac0c4754b6a5dbdccd62285c0dbf4b3

SHA1
32ca2c909574078ec949b5686d539e254d7d3e64

SHA256
473cb4b5a9e71c26989757effdd0deda4cc122368ca24985093c5520e01f42c6

SHA512
b72a16bf54b78e09d6ad9a5fcc08f8e5a8f4975b1fd55d20f2e19a2e3636bf57394e9ee1c91461689cf50e564d33043ba5381a17e36dfb2b3fb22a615f5d2e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5FC3.exe

Filesize
15KB

MD5
287e728c5b2dac38e0af0ea0831a7908

SHA1
169cb9cab0e07f0b955bebd631b09da2822c25f0

SHA256
559888fc7b3bd75deb082e6b18ac022d1e8d1f3dd5ff53750ffb5f04485e44cf

SHA512
edfe3b41466d3900c185c3c4eb38179db7b80a0064e686e51887e10a5f8c40b9dcdd860903497d02c6197504f4488df36fb7fcf9cd596732278caca92b3a34dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM68A8.exe

Filesize
15KB

MD5
9b0e247f35f0387b246e61155d3e8f0e

SHA1
91c2244f83798717d3ebc0d7400bbbf0e77ad0eb

SHA256
83cbec7ae88821bf234cabae71625e7dacafd19b0b473b40e22cb653fdcb60c3

SHA512
072494a8560c2b24852adf19814209b13b2b16e7f34d334b1b42d2cbdd02de0e3f3b2f5edda0116e8a82611f362221d9eea874a4dd289ce3edc2180e8c0b808d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB8E0.exe

Filesize
15KB

MD5
67646e47cdc19841445d87599bd2749b

SHA1
a250cadb16111814b9a6ce19bc55ff4d7ab6f17a

SHA256
74d6b9382b8a91dc70f88e83a36fc6984c83e588c3dd005e9f58cda69dfed7a2

SHA512
30008dc2712aa500d9ac0fa82efa9e697fb73a2bb72c036e6d6ad9917aa766799190f88d6aeea5c82a147aa459c6b3642afab9867cde6ec1d744621d05da1eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC00F.exe

Filesize
15KB

MD5
d58a1364cd4b4e73511f312e2911dbb1

SHA1
a79ecd73eb3a7fbbeb217aa25461a471f12753a3

SHA256
87903ec8e2c059fbd192014b1fa4fe135181e48ee3cc24b92b1f3c07e571e47c

SHA512
2b85f57f46082b15e9fcd5cebd1c16979750bbc523243f3459b3beb59831348133d20ef16a5c62eddfe3a5500311297bad1923530b928d28b1b8b68bc555b3a7

Download Submit

Analysis

Sharing