81b20134ef8bbd42de4d5f0a584c8ef719fd5bd44929444a3b3a04aa4ffeafab

General

Target

d862237b3256fdf5f89d0ce6a1d706f9_JaffaCakes118.exe
Size

14KB
MD5

d862237b3256fdf5f89d0ce6a1d706f9
SHA1

86d3a6f746747807e69f1556a66d87f008850a29
SHA256

81b20134ef8bbd42de4d5f0a584c8ef719fd5bd44929444a3b3a04aa4ffeafab
SHA512

1df8575972617c074fcad80b2b3a5df876664ba4e541ef990d8b8388824de6eb795a8c8752a441e230a0d2cd5eb45acf09926a9f8d54a34e30545a9eb69cc5d4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYq5:hDXWipuE+K3/SSHgxmq5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMFA8C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM50AB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMA6BB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	d862237b3256fdf5f89d0ce6a1d706f9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM4DE1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMA47D.exe

Executes dropped EXE 6 IoCs

pid	Process
4980	DEM4DE1.exe
3020	DEMA47D.exe
3744	DEMFA8C.exe
4400	DEM50AB.exe
4420	DEMA6BB.exe
64	DEMFCD9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 4980	3760	d862237b3256fdf5f89d0ce6a1d706f9_JaffaCakes118.exe	92
PID 3760 wrote to memory of 4980	3760	d862237b3256fdf5f89d0ce6a1d706f9_JaffaCakes118.exe	92
PID 3760 wrote to memory of 4980	3760	d862237b3256fdf5f89d0ce6a1d706f9_JaffaCakes118.exe	92
PID 4980 wrote to memory of 3020	4980	DEM4DE1.exe	95
PID 4980 wrote to memory of 3020	4980	DEM4DE1.exe	95
PID 4980 wrote to memory of 3020	4980	DEM4DE1.exe	95
PID 3020 wrote to memory of 3744	3020	DEMA47D.exe	97
PID 3020 wrote to memory of 3744	3020	DEMA47D.exe	97
PID 3020 wrote to memory of 3744	3020	DEMA47D.exe	97
PID 3744 wrote to memory of 4400	3744	DEMFA8C.exe	99
PID 3744 wrote to memory of 4400	3744	DEMFA8C.exe	99
PID 3744 wrote to memory of 4400	3744	DEMFA8C.exe	99
PID 4400 wrote to memory of 4420	4400	DEM50AB.exe	101
PID 4400 wrote to memory of 4420	4400	DEM50AB.exe	101
PID 4400 wrote to memory of 4420	4400	DEM50AB.exe	101
PID 4420 wrote to memory of 64	4420	DEMA6BB.exe	103
PID 4420 wrote to memory of 64	4420	DEMA6BB.exe	103
PID 4420 wrote to memory of 64	4420	DEMA6BB.exe	103

C:\Users\Admin\AppData\Local\Temp\d862237b3256fdf5f89d0ce6a1d706f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d862237b3256fdf5f89d0ce6a1d706f9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Users\Admin\AppData\Local\Temp\DEM4DE1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4DE1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Users\Admin\AppData\Local\Temp\DEMA47D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA47D.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\DEMFA8C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFA8C.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Users\Admin\AppData\Local\Temp\DEM50AB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM50AB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4400
      - C:\Users\Admin\AppData\Local\Temp\DEMA6BB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA6BB.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\DEMFCD9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFCD9.exe"
        7⤵
        Executes dropped EXE
        
        PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4DE1.exe

Filesize
14KB

MD5
cacd2bb8259d4452fcd1048a19224879

SHA1
1c7784419adb3fe6345705d0aea87d03e7d3f537

SHA256
df82d65b51e925c635051f1de3ee899d9a43e0d4fa226f9b2b6add5adbab08cc

SHA512
ce2ba93bb2d49d196efea47e942bf7107a9246ac25ea43fad15e7b10df46ae66f56b2f68cbe8f0b56822974beed4c869b7f7e96fb363329eea82261289e6f518

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM50AB.exe

Filesize
14KB

MD5
a21e197ab4b4fb615394f70f6e240287

SHA1
7861b90d8cce2c4ecf12e23d80a521816a3e92e6

SHA256
2b62d4efbd12c2bc1c40339c90e7b5840e9d9386e6e8372e580f60732b77e77a

SHA512
714b1eac2c73d277202cf02b186694114ac8218cf6db79858553f6b0473bc585b2bb90bd67266877a13dc3a9b9baee173888796e4e263caa5917072b97ba0685

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA47D.exe

Filesize
14KB

MD5
beebac13a4440a3352de305e9f3400b4

SHA1
1eea249e6436ba51c91bf09c20a73ae6805de4e9

SHA256
bf3456da532c81c09580cb39a2d86baafaa7d514d771f30ac19129fe2ba3ec65

SHA512
8a4ccaa402461ba0f9843e8981550a66ddfbb6a07e81cef20cce654176661b2095acc65f0d2343e3b9b38e517d6e8153f8346b2d356141cdf3094c1387fc1b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA6BB.exe

Filesize
14KB

MD5
116ea6cd9c5a58584a4a7fcaeee84eae

SHA1
2e59bd4d957cf4e524199d194f232783f36cadcd

SHA256
1fd5fc50b0409dcff50e2233069a5e6ae349ee7dfe7a79068a16c980adfaa8e1

SHA512
7bfe4c90e975541ba24d422d42275acd820076989b9b095285172cd55714fd7d729446197937c99400ddaac5d6bd93593790b5abc1daf0c198c0fe020bbe78ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFA8C.exe

Filesize
14KB

MD5
62e9d2af0196f281c0795dc6c8f8578e

SHA1
81eb6557ddda2501324b1455cd41b653e45e3bbd

SHA256
8a619f29ed36c42fc34019c094e2c7e95fb552c1b98db1c474299f29186093c6

SHA512
c78c7f663829907ef194241e5237e5870eb189c5715a06988370a0619adb2960ce023cad94c41b93b4ff1699032c8f1017d29d2e7b10d81335496c327ef893f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFCD9.exe

Filesize
14KB

MD5
c6486b60740a02daa824824c04400a47

SHA1
6c31ec406a17826c17faeb0172f7b2c197845d70

SHA256
c2d6183401da8cedf7d4d7e90660a4a465252ca833b614cf184e34366a127249

SHA512
1fa4739868c9043dbaa462fee86ef2b3086acf6be88702f227594bbbf61dbd6ad3857c11ad42eae115373a831983f649ddfd6c68855ccc8f1dfb8a54259d85f5

Download Submit

Analysis

Sharing