503c792e8a1045b0b522e7eb53c4453f89577e54b5dcd591ffc6e8fc9d463d53

General

Target

d860e55a2586cd2b8659dfa853d4aa03_JaffaCakes118.exe
Size

14KB
MD5

d860e55a2586cd2b8659dfa853d4aa03
SHA1

cc37f985718e35c3c61e395030b1505136c84470
SHA256

503c792e8a1045b0b522e7eb53c4453f89577e54b5dcd591ffc6e8fc9d463d53
SHA512

3a91a791c30ac7d45af1fc9dde0263d787533522381633366b1ae799199b232fbe59584df1a70392083a585c6ec1907d678059532d275bf2a61b8ab1ab3a2846
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRl5T:hDXWipuE+K3/SSHgxXT

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM854D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEMDB0E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM30B0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM8681.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	d860e55a2586cd2b8659dfa853d4aa03_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	DEM2EC1.exe

Executes dropped EXE 6 IoCs

pid	Process
2580	DEM2EC1.exe
3752	DEM854D.exe
4280	DEMDB0E.exe
1372	DEM30B0.exe
4800	DEM8681.exe
3972	DEMDCBF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 2580	3096	d860e55a2586cd2b8659dfa853d4aa03_JaffaCakes118.exe	98
PID 3096 wrote to memory of 2580	3096	d860e55a2586cd2b8659dfa853d4aa03_JaffaCakes118.exe	98
PID 3096 wrote to memory of 2580	3096	d860e55a2586cd2b8659dfa853d4aa03_JaffaCakes118.exe	98
PID 2580 wrote to memory of 3752	2580	DEM2EC1.exe	101
PID 2580 wrote to memory of 3752	2580	DEM2EC1.exe	101
PID 2580 wrote to memory of 3752	2580	DEM2EC1.exe	101
PID 3752 wrote to memory of 4280	3752	DEM854D.exe	103
PID 3752 wrote to memory of 4280	3752	DEM854D.exe	103
PID 3752 wrote to memory of 4280	3752	DEM854D.exe	103
PID 4280 wrote to memory of 1372	4280	DEMDB0E.exe	105
PID 4280 wrote to memory of 1372	4280	DEMDB0E.exe	105
PID 4280 wrote to memory of 1372	4280	DEMDB0E.exe	105
PID 1372 wrote to memory of 4800	1372	DEM30B0.exe	107
PID 1372 wrote to memory of 4800	1372	DEM30B0.exe	107
PID 1372 wrote to memory of 4800	1372	DEM30B0.exe	107
PID 4800 wrote to memory of 3972	4800	DEM8681.exe	109
PID 4800 wrote to memory of 3972	4800	DEM8681.exe	109
PID 4800 wrote to memory of 3972	4800	DEM8681.exe	109

C:\Users\Admin\AppData\Local\Temp\d860e55a2586cd2b8659dfa853d4aa03_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d860e55a2586cd2b8659dfa853d4aa03_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Users\Admin\AppData\Local\Temp\DEM2EC1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2EC1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\DEM854D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM854D.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Users\Admin\AppData\Local\Temp\DEMDB0E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDB0E.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4280
    - - C:\Users\Admin\AppData\Local\Temp\DEM30B0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM30B0.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1372
      - C:\Users\Admin\AppData\Local\Temp\DEM8681.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8681.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\DEMDCBF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDCBF.exe"
        7⤵
        Executes dropped EXE
        
        PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2EC1.exe

Filesize
14KB

MD5
0a3b6bbfb499610f1f272d463d419e8b

SHA1
7b4f5029a4b07d1ded5df007269e064568a83862

SHA256
ba5c911257d644b36a9872f5eba73405c036d9c9972d0632711a22ea483d12df

SHA512
246d222a0ac2be4e7b56689866378c04797eb719a7340eaf2ea2355da70b783cf11df29db22613fe4098ed41d666bfe46aa07907fabc6a0de099cad139eb08a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM30B0.exe

Filesize
14KB

MD5
3a932674be92db55d3dde5165cec4ee3

SHA1
9d01e89fce7d7b2fa94a7db43290458e72892b8e

SHA256
2bfcf06fcf5fa68d00c327eda94e3972e1162c2a8e56cf8a4a979e85ed468e88

SHA512
cd2e3d0ff1dffd778b4ad1ce6861cc0092e4e5e09c499cf816a939144dbcb5687fd2d646a4d08b6215577c089618d07f88308d47eab571308a2e28b7952f9232

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM854D.exe

Filesize
14KB

MD5
ad33c031b0995ba6c0a21434bbbaec43

SHA1
a10c28ea82781eca456693b7755b773d6d3c1c82

SHA256
a919bc19d77eb17c927501a27aed3e9ae424f8e2a9340203bd5d4799b5b97714

SHA512
8bb07d5eca3675cfc1e80366bbf0083a8e6a357ab9cd8b5d3e0765dbe1107bceabdf6ecfd1086acfabf8dc4334c0190d19ab82bc69089208cbb5bfcea80be500

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8681.exe

Filesize
14KB

MD5
6bcd85f2544d1d3fc32f89510f1200eb

SHA1
10ed27349595bff22bc9d183d88a1726ac6e9e4c

SHA256
3d0f7cee4498059b8e75f3f4098b69ba088c490af3cfd0fe994dc2a7cece5186

SHA512
8903cd9869756128d030948fdaaad89373f01396b72a0c794f7cd66dca9e27f2b90e60bfb51846435d6b66f42a3acdbf3dd9cd3ca9b2c205c771ba3dcad6ae52

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDB0E.exe

Filesize
14KB

MD5
14dadea4a80d04ac0f3409e462a825b7

SHA1
eb20f0d94654553f0661ffd289a786512b14798d

SHA256
8946ac43e366b6015dae1427e515c99356e4637dbbd7a60d85c7fa84c0cc6b54

SHA512
507419b153221d313034d129d6b17bb6a0d21506816c8bf38d389aa633b160548344d802baa030a252d37b52a820f3668de9f2e42feb83761d2d1d93385088f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDCBF.exe

Filesize
14KB

MD5
324146d9714f3d850f476dfb09976f90

SHA1
eb10c0d47b45b07aa489bcb96e204dc800359e68

SHA256
0daf6160bd6e989e0f9f625323577e12a78c566012b93eb0b567c26ae5339792

SHA512
dea4e3916b9cfb7a688719220d675983a3d3850a7ebe363b281c68bfe100a8d6bb2947152b4fc1dff620765a06dec0ec69514a7e4225939748885c68b77004df

Download Submit

Analysis

Sharing