5a542e621f1fa3e219cb70bacaf3e376dc592344b97bda3fe1e82a3a9c59e52e

General

Target

dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe
Size

14KB
MD5

dbf4a2b38996ff3b5aded7751ccfc887
SHA1

3f5a55079cccde72029dcb5fdd6650afe08dd1e8
SHA256

5a542e621f1fa3e219cb70bacaf3e376dc592344b97bda3fe1e82a3a9c59e52e
SHA512

40b3cd581b94eaf0c464f1134f18a323632333f8781e3a1d22382438e172bae2cf2a698a2853fbeadb3ce0ca26409e5342b32411f95c3190c1949fef7ac401ed
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhDv:hDXWipuE+K3/SSHgx9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM60DD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMBA28.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM1170.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM6992.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMC167.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
4552	DEM60DD.exe
3776	DEMBA28.exe
2252	DEM1170.exe
1424	DEM6992.exe
1276	DEMC167.exe
4560	DEM193B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 4552	4932	dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe	97
PID 4932 wrote to memory of 4552	4932	dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe	97
PID 4932 wrote to memory of 4552	4932	dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe	97
PID 4552 wrote to memory of 3776	4552	DEM60DD.exe	100
PID 4552 wrote to memory of 3776	4552	DEM60DD.exe	100
PID 4552 wrote to memory of 3776	4552	DEM60DD.exe	100
PID 3776 wrote to memory of 2252	3776	DEMBA28.exe	102
PID 3776 wrote to memory of 2252	3776	DEMBA28.exe	102
PID 3776 wrote to memory of 2252	3776	DEMBA28.exe	102
PID 2252 wrote to memory of 1424	2252	DEM1170.exe	104
PID 2252 wrote to memory of 1424	2252	DEM1170.exe	104
PID 2252 wrote to memory of 1424	2252	DEM1170.exe	104
PID 1424 wrote to memory of 1276	1424	DEM6992.exe	106
PID 1424 wrote to memory of 1276	1424	DEM6992.exe	106
PID 1424 wrote to memory of 1276	1424	DEM6992.exe	106
PID 1276 wrote to memory of 4560	1276	DEMC167.exe	108
PID 1276 wrote to memory of 4560	1276	DEMC167.exe	108
PID 1276 wrote to memory of 4560	1276	DEMC167.exe	108

C:\Users\Admin\AppData\Local\Temp\dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Local\Temp\DEM60DD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM60DD.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\DEMBA28.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBA28.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Users\Admin\AppData\Local\Temp\DEM1170.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1170.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Users\Admin\AppData\Local\Temp\DEM6992.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6992.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1424
      - C:\Users\Admin\AppData\Local\Temp\DEMC167.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC167.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\DEM193B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM193B.exe"
        7⤵
        Executes dropped EXE
        
        PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1170.exe

Filesize
14KB

MD5
dbf4e769968bc906fb3c819d22a74104

SHA1
1e9d78e84f56c5a919a99dfb587910afaaaacd34

SHA256
1dcceacd17f629093f10edf68ea3caf530f4820e4c2930378cb7bba29c01e320

SHA512
6d81170b2be67e24315cd35465c0d82ae32be3607d02f7e35e759851cdfb31cee86bff243cbc5c5ba64dd407ed909609bccad66a2c3a8dd3156040ac15dd11e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM193B.exe

Filesize
14KB

MD5
23548f55e390373289cfbb91cdda7f79

SHA1
0f0dce1184e408cae8b6139c62c9f74a1fb714ad

SHA256
306138dd45cafcc96789f151bff3e33d33c1eca6a234decc526c9d15469e7411

SHA512
be24f5edc24ee0c2e28e424664d3886ab3d18f3c738d70e38c218d70d06e81a2cdb6871381dfa4f48e5b9011cbe7001a25b8a1fb007b8aa54e2f484b19cd1c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM60DD.exe

Filesize
14KB

MD5
45a21b155210347bf189005c16b7c42d

SHA1
51ffe0c25024814c0160572a02fc1e2b7668d088

SHA256
2b8ef1e4cb9953e0a5c871bd3930131857872cfed9411a823caf2681d6e4f4d1

SHA512
b646434fd635cb5f18f4f8105c036df2d227f643100adf597d861b9009713c7cd584e7ea2f6796fc053a3d0d695285551fd2c0293271400bed64cfce75fd5acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6992.exe

Filesize
14KB

MD5
ce9bc97f481a6e8544deb465c46ce386

SHA1
2e0783cfd7d4e56085b507b7630ab64f5c4d68fe

SHA256
c7824796d8e463b7c55b36296b672864a68cdd2fe816f282a92c50e2b6bab7a9

SHA512
f98e7dcae1184b09b44e0c5193a2ce0697824d668d9906049c26367e430333a7a10b5581d04ec0c7e05a4e5dc73b7db7d7d8133a98c188d750cf06f65e01ee9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBA28.exe

Filesize
14KB

MD5
e144f141dbf689a2bacc46edc945fc1f

SHA1
9a6dc79ee61465a785f7f08a01afb3eb85c21281

SHA256
8644041fc71ba6d558b334ac2ed304c55f37fec5f3ff260dea0b4328a6020fa8

SHA512
bb07f0b10441eb45898d53e3c748479bdb48962eeec3ff8894af4da31ea3203ca218993c65cf8c2da4948a3f2a1757e2c365fae9e3be4aa635b7cc90deeacaba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC167.exe

Filesize
14KB

MD5
158815f752b214e5f1fac4d8e010cadb

SHA1
9b4e4f5de55b3a8329750a06d1301797a280ac1f

SHA256
7bcd76d7ccc347118b2d408c6adaf44f4b1a9a338446f1d98c8db8dd952b3768

SHA512
fb6d0962f2de846c0e976d6cb57065a6941ced3f8c768765312c078758406a88de94d3d4089f9d6abefd3dbae2acd124315b5543816366e3cc708b04322d3af2

Download Submit

Analysis

Sharing