5820ab1637c7a68693e24b710f84dfe2b4e575fccd67a0f04ee8a43fb150bcc4

General

Target

dc87015f80636a6cd7259697680e2b38_JaffaCakes118.exe
Size

16KB
MD5

dc87015f80636a6cd7259697680e2b38
SHA1

d58507c85d7c6c8ef94412342b4cdcf24fddceab
SHA256

5820ab1637c7a68693e24b710f84dfe2b4e575fccd67a0f04ee8a43fb150bcc4
SHA512

e85d2ca09b646b17bc15785a1ca1a404f26e6601272b9751192c53daeb4b7ab1e926bec6d7d7f1c92214779d7f864ffcaee8c469a794babeffd5de8a3b14eb98
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYHzd6L:hDXWipuE+K3/SSHgxmHZ2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM22E5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM7AD8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMD201.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	dc87015f80636a6cd7259697680e2b38_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM71D4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMCB4F.exe

Executes dropped EXE 6 IoCs

pid	Process
4504	DEM71D4.exe
644	DEMCB4F.exe
2524	DEM22E5.exe
1912	DEM7AD8.exe
4776	DEMD201.exe
2784	DEM29E5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 4504	936	dc87015f80636a6cd7259697680e2b38_JaffaCakes118.exe	96
PID 936 wrote to memory of 4504	936	dc87015f80636a6cd7259697680e2b38_JaffaCakes118.exe	96
PID 936 wrote to memory of 4504	936	dc87015f80636a6cd7259697680e2b38_JaffaCakes118.exe	96
PID 4504 wrote to memory of 644	4504	DEM71D4.exe	99
PID 4504 wrote to memory of 644	4504	DEM71D4.exe	99
PID 4504 wrote to memory of 644	4504	DEM71D4.exe	99
PID 644 wrote to memory of 2524	644	DEMCB4F.exe	101
PID 644 wrote to memory of 2524	644	DEMCB4F.exe	101
PID 644 wrote to memory of 2524	644	DEMCB4F.exe	101
PID 2524 wrote to memory of 1912	2524	DEM22E5.exe	103
PID 2524 wrote to memory of 1912	2524	DEM22E5.exe	103
PID 2524 wrote to memory of 1912	2524	DEM22E5.exe	103
PID 1912 wrote to memory of 4776	1912	DEM7AD8.exe	105
PID 1912 wrote to memory of 4776	1912	DEM7AD8.exe	105
PID 1912 wrote to memory of 4776	1912	DEM7AD8.exe	105
PID 4776 wrote to memory of 2784	4776	DEMD201.exe	107
PID 4776 wrote to memory of 2784	4776	DEMD201.exe	107
PID 4776 wrote to memory of 2784	4776	DEMD201.exe	107

C:\Users\Admin\AppData\Local\Temp\dc87015f80636a6cd7259697680e2b38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc87015f80636a6cd7259697680e2b38_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Local\Temp\DEM71D4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM71D4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Users\Admin\AppData\Local\Temp\DEMCB4F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCB4F.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Users\Admin\AppData\Local\Temp\DEM22E5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM22E5.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Users\Admin\AppData\Local\Temp\DEM7AD8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7AD8.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Users\Admin\AppData\Local\Temp\DEMD201.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD201.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\DEM29E5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM29E5.exe"
        7⤵
        Executes dropped EXE
        
        PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM22E5.exe

Filesize
16KB

MD5
7237effaec9fde0fbdc8be967fbdbbde

SHA1
2ac17520e74fcd2994b2a93cf63fd05237dce0d5

SHA256
6fc21c87ca8029cfd36cc1cb2f43577f1c28f54f6f058f01f30d085f17915d48

SHA512
4d5573bd3f49b95a37ec852b5440ab1b82b0b73f04fb079a321aa26b754659fda0d91d36fcd96d685222a9d51bd01090383898c9b93334287fef16250eeecf61

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM29E5.exe

Filesize
16KB

MD5
4ae3c334761905b405876841e252c003

SHA1
ff37b715af594cbff28e0e7b87940f9e944ed87f

SHA256
31c2029467a472f57f37ae1758d8b1875fa9a788ca115142e92ff56081807b7d

SHA512
bd8d944ce781025bdb5738c7a25cf139eda37bea72d24623517cb701f4af32a9e8de62e793ba51e068c1bacd00884bd6449cbdfefc575576245317bd323e629e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM71D4.exe

Filesize
16KB

MD5
ac8faac747d33e40526954804f12e61b

SHA1
3b55890ad33d3ca9488a1fa7d30bb0f959aa8e7c

SHA256
887b972d8def0d2b018fe3fb0a8db6f8461b6330e36fed952ab8caf584cc469e

SHA512
77ce8de84c13a20aaeeb30860b9f7e919473fc7ce746ecd2e6a1e545f0a87c7c8847af6a1f4cb51427185daf563c16697d0925ea52860898b6d5115bcb40ece3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7AD8.exe

Filesize
16KB

MD5
22dc2c4482474e3a3b646c4008d7878f

SHA1
b5d52b4ff760a85c53bb8bd850184baa90791e8a

SHA256
5ea4cddb3c5f0a6691d97ccbadce5b2b4943ddfde4700408de8d2fba3b5a2893

SHA512
cdeed5333b46a61d598fca03499c9a8f78453dd042172913be5ba36b8a663f81b08bd6d8992fc7716007352af82e1a5c6133c85199ede312f6f2a73367ddbd14

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCB4F.exe

Filesize
16KB

MD5
1bf81e65650ce8bc7acf8d7ed039fa5f

SHA1
58206da4545a865335dfb0518d22aa3c7dcefb0d

SHA256
810f0b5e9940e0b542dabfe5b39a873aded9b4992b8f0640d1645d66f560aa29

SHA512
77569976a777e1b96e43e8202bdc4fef7cead9c60ad9758975ccf17abe98ee029fbc386c9d8279a6769984274e5c0b1b9281974699ff1ac6d1f70d11e5cf453a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD201.exe

Filesize
16KB

MD5
53af855af6e70f5de3bb58803194839a

SHA1
4aaa7e3448703e62181f0f1b64c52b0700712996

SHA256
e9c49f8512318dba31efc4ad504c22f5c55963d135d9e352b598d6f7eff584f2

SHA512
18520cb52d3d0fdc8135826e3a32b9d6c276e2df1899fb49bb51c146332b100793a5a7457aa27be205d25b2ef9c732cb4564376baf4d588501eb3fed48c0e950

Download Submit

Analysis

Sharing