ff5fc2a202ed5204db9f1a7a6740a2ea9f51e98ca77991d0f5c6f0e51a1c3a20

General

Target

d9a2ed6b5d3bc29e632f51776be1f8f5_JaffaCakes118.exe
Size

20KB
MD5

d9a2ed6b5d3bc29e632f51776be1f8f5
SHA1

ca7776a7173681dd8476eb8cc11a935c69d9c256
SHA256

ff5fc2a202ed5204db9f1a7a6740a2ea9f51e98ca77991d0f5c6f0e51a1c3a20
SHA512

0cd64d4df52a642414f62818a17032340e5c8f961743162f344f1ecdaf616aa0da4616634de0d23d1bacb40845809a3d4763b26544416d1b0f971bc0ee9f8027
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4phd:hDXWipuE+K3/SSHgxmHZphd

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM6CEE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMC4F1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	d9a2ed6b5d3bc29e632f51776be1f8f5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM63FA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEMBD16.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DEM14DB.exe

Executes dropped EXE 6 IoCs

pid	Process
1460	DEM63FA.exe
1860	DEMBD16.exe
1528	DEM14DB.exe
4840	DEM6CEE.exe
1228	DEMC4F1.exe
4152	DEM1CB6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 1460	5044	d9a2ed6b5d3bc29e632f51776be1f8f5_JaffaCakes118.exe	98
PID 5044 wrote to memory of 1460	5044	d9a2ed6b5d3bc29e632f51776be1f8f5_JaffaCakes118.exe	98
PID 5044 wrote to memory of 1460	5044	d9a2ed6b5d3bc29e632f51776be1f8f5_JaffaCakes118.exe	98
PID 1460 wrote to memory of 1860	1460	DEM63FA.exe	101
PID 1460 wrote to memory of 1860	1460	DEM63FA.exe	101
PID 1460 wrote to memory of 1860	1460	DEM63FA.exe	101
PID 1860 wrote to memory of 1528	1860	DEMBD16.exe	103
PID 1860 wrote to memory of 1528	1860	DEMBD16.exe	103
PID 1860 wrote to memory of 1528	1860	DEMBD16.exe	103
PID 1528 wrote to memory of 4840	1528	DEM14DB.exe	105
PID 1528 wrote to memory of 4840	1528	DEM14DB.exe	105
PID 1528 wrote to memory of 4840	1528	DEM14DB.exe	105
PID 4840 wrote to memory of 1228	4840	DEM6CEE.exe	107
PID 4840 wrote to memory of 1228	4840	DEM6CEE.exe	107
PID 4840 wrote to memory of 1228	4840	DEM6CEE.exe	107
PID 1228 wrote to memory of 4152	1228	DEMC4F1.exe	109
PID 1228 wrote to memory of 4152	1228	DEMC4F1.exe	109
PID 1228 wrote to memory of 4152	1228	DEMC4F1.exe	109

C:\Users\Admin\AppData\Local\Temp\d9a2ed6b5d3bc29e632f51776be1f8f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d9a2ed6b5d3bc29e632f51776be1f8f5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\DEM63FA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM63FA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Users\Admin\AppData\Local\Temp\DEMBD16.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBD16.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Users\Admin\AppData\Local\Temp\DEM14DB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM14DB.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1528
    - - C:\Users\Admin\AppData\Local\Temp\DEM6CEE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6CEE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4840
      - C:\Users\Admin\AppData\Local\Temp\DEMC4F1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC4F1.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\DEM1CB6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1CB6.exe"
        7⤵
        Executes dropped EXE
        
        PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM14DB.exe

Filesize
20KB

MD5
e1cd5a3b88816a546bc63db71edcdf59

SHA1
d5821448e49a416f95e2cd94ead3ed955e248112

SHA256
7a5892a04aec5f577a92bb83268fd98abaa642b90430a562ca99f5361c7c60aa

SHA512
4f8ae8f497358e2231ef2031278838db70bce10818c68622313fb3b82c8e86f9ae74ec83b627a19cb82e0de0e1d8d0b580c4952a1012689963326ab456cf802a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1CB6.exe

Filesize
20KB

MD5
171b1206d0227c7784adb694ee9d8aca

SHA1
24ceb4945c639f161dd3776fc8e58b1213e0bf02

SHA256
3b5a61d168769af69b56c4c1f2f2b7d8a6bd99b38d2a42a79127c0ba75869d57

SHA512
b01a0500cce24ef26b3adf5e424aca0b50bb3c642052b8a4febc3d9d97cdf1e29748f27e84a38ce26c4d7bd87d99cf0efce363f69bcf1249cdfd747843d1a386

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM63FA.exe

Filesize
20KB

MD5
f7a811e0b1bdfaa21aba5c2783a9b4fb

SHA1
a3b5e9d6112b271822f793ec502c865b6d114e04

SHA256
ed820375206c59ce560f95336fb27108a745b445ee019f6e6f954b820084d0de

SHA512
5c131169a902ad3568077d4fc5acbf22fbfc4a59b06e5d4ba0085bafc5da4b57783cf46ab9b64a322b31cd49c682693ae0a5bab18668d4344bad45b64705bb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6CEE.exe

Filesize
20KB

MD5
f3fac0f16e3d92237b05a51735298fd9

SHA1
8bd57f03b6eb908751bb2d3b2b4ea1bcc06c0650

SHA256
def8b6aec9e77e564474de1f022b55b443e642ec5c876f478fb77fad2b6cbc1f

SHA512
d1320b583b0851dbb065729be3d0107e710adcb20027de05745c1f81ff6eefd41c3ee0a17afd7a5730fed0b98b3ac712c44232bf31799e31fb37516e06d7ab09

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBD16.exe

Filesize
20KB

MD5
188b78124712e8d5337c28913f89128f

SHA1
b0b9ee781950681b514e2c20a8b843bf167f64e5

SHA256
21826cf8ef0093d36fa6e4d7693c56775ec4088d0c318555994cfff6954a74c0

SHA512
2ebbe9eec8a75dfb0fc558d5ce4d671fd735aa17ab64f746de44ad4078b317a370b67fe4329359bf01593d9f35effade004dee358cbdf3a68bfc0f1ccdbba1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC4F1.exe

Filesize
20KB

MD5
0fec68b18e2c0c82d2ac85f8cdc36e19

SHA1
8639c93c6c38d127d24e6132bbc8c40452881cca

SHA256
a3d6983717fcaa3a2f8ac09b778fb308b0e291da5de8fb45e1c26c8de859f846

SHA512
096fce132f223a14c5b869407ff9737d091e0cb1297ad5b589efd6edfb27c67e516b7f6da71b35d7db556849f3908de96bbb7b7530789518b63876e3c703baf1

Download Submit

Analysis

Sharing