21b659bbc59593ae8e08f0192a657bb2028d5efff1453080c878c894461656d2

General

Target

d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe
Size

15KB
MD5

d7edc031b01cd05e9e9e2ec5bb2a653d
SHA1

c3bc79316add683361103d4662ea6c3c903e6d2f
SHA256

21b659bbc59593ae8e08f0192a657bb2028d5efff1453080c878c894461656d2
SHA512

a4324105c1e48ca9a6d9cb903235555d5bb41475b93a3ec2d54c9cbb3195a752ede30d81c930dcd84f946140b0753176d60784c396d2c115ca879869db3dbdd6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/wrW:hDXWipuE+K3/SSHgxm/F

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM3902.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM8FAD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEME5AD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM3BFA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM9248.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
940	DEM3902.exe
5112	DEM8FAD.exe
2908	DEME5AD.exe
1292	DEM3BFA.exe
1204	DEM9248.exe
2224	DEME896.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 940	3308	d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe	90
PID 3308 wrote to memory of 940	3308	d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe	90
PID 3308 wrote to memory of 940	3308	d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe	90
PID 940 wrote to memory of 5112	940	DEM3902.exe	96
PID 940 wrote to memory of 5112	940	DEM3902.exe	96
PID 940 wrote to memory of 5112	940	DEM3902.exe	96
PID 5112 wrote to memory of 2908	5112	DEM8FAD.exe	98
PID 5112 wrote to memory of 2908	5112	DEM8FAD.exe	98
PID 5112 wrote to memory of 2908	5112	DEM8FAD.exe	98
PID 2908 wrote to memory of 1292	2908	DEME5AD.exe	100
PID 2908 wrote to memory of 1292	2908	DEME5AD.exe	100
PID 2908 wrote to memory of 1292	2908	DEME5AD.exe	100
PID 1292 wrote to memory of 1204	1292	DEM3BFA.exe	102
PID 1292 wrote to memory of 1204	1292	DEM3BFA.exe	102
PID 1292 wrote to memory of 1204	1292	DEM3BFA.exe	102
PID 1204 wrote to memory of 2224	1204	DEM9248.exe	104
PID 1204 wrote to memory of 2224	1204	DEM9248.exe	104
PID 1204 wrote to memory of 2224	1204	DEM9248.exe	104

C:\Users\Admin\AppData\Local\Temp\d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Users\Admin\AppData\Local\Temp\DEM3902.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3902.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\DEM8FAD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8FAD.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\DEME5AD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME5AD.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Users\Admin\AppData\Local\Temp\DEM3BFA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3BFA.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1292
      - C:\Users\Admin\AppData\Local\Temp\DEM9248.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9248.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\DEME896.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME896.exe"
        7⤵
        Executes dropped EXE
        
        PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3902.exe

Filesize
15KB

MD5
f1dac36516aa61541401ab96e0cad66c

SHA1
736f1fe8740b2493eb7512ffcfc0f39874bdbfaa

SHA256
eb1578dfcd5178c64128ff7d891980bc99f0e5aa6a168cab60265af90dcb846b

SHA512
3182ca8572bb69359c4cc41b5fd1cf11ea52a73eccf3cf5adcb4fb8342c9f8c028ce02267405443df72127530cdba99fd59988fa96549d8ae99ce9d0f6d0a7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3BFA.exe

Filesize
15KB

MD5
5eea17b1f4913e79ddab23cbab48f3f9

SHA1
f3be15fd4bc7f846aac11dcb2d848f22c6a4f22d

SHA256
eecce69cadf0c0b388105d9e03d9cb4d1883e20b36792a33cee1054c2eec8014

SHA512
8890bdd307cea7a93bcfd2715f3a6d7c92a2fb55f1d6a16efcfb101e355b3783e44af6fc25b34f36ea316a279087bb881fefa9de3e374c22733654ff529e68b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8FAD.exe

Filesize
15KB

MD5
e580bb98d4e7ff8a840a735b540da08a

SHA1
5e9c122fe20cc103ee6118fa445e0f6be0ab23b6

SHA256
68525942a9481101578acbc397af7d3025fc679556676d73185fcfe883cd9228

SHA512
a003599aefa812f4279b874b11592141acbe00e0b6800f37dc3d419d63c1faf17418cbad7265831a441b1828111933813d1781cf974d7f25b0b919f577e2090b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9248.exe

Filesize
15KB

MD5
a6fc98900e8d97d9a852e754dc08d1c1

SHA1
6bdf86dce03889464d0e7ce86a8b432fad708adb

SHA256
f75430914cc7c10a6de4e949b174e003d07549f300dcd598cfd7280e59440f7e

SHA512
14de6f83d3b8faadcf99fd4e669ccb33b7e0b23c62c9d556b211f595d4302544276004035dabb1b2c48c510650dd6ad89c5144a43aa0bc77d502161e44a70f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME5AD.exe

Filesize
15KB

MD5
fbe495effeb4873695023ecc5111c2e2

SHA1
a72d918e6d0ee3992f9390f3e6c162bb5601b77d

SHA256
41a573fc92a7fa47f56d9f70603ea5e2fc9f35f64b83371f803abecdb1c76f93

SHA512
a9e4830a36e528cc032f5f731857c62122ea0262ca22883a9453872ccabdbcafe739066b74bfece2c14ac49b8aaa54860582cedd61e04767471b01bf25a44055

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME896.exe

Filesize
15KB

MD5
e1bcb73c7e6ec8f2985780e4fbfb3feb

SHA1
c4451eb9d9c01d9158b848e80bf7f31fdabd028c

SHA256
eb8bb719e6d31e8bdfed129c66dc237cd089f1d5e718ffb7dbc3c4b40ad39f6a

SHA512
a1dc37b1861463d7a9db6577840510348d390351b49fb0dd8c7ed1e6a053cbfb583edaa795a373c13dfb9dafbcf0b4740e625f9f230e3c432bac9669eb7fdde8

Download Submit

Analysis

Sharing