9065b0349f793250a77145d20553fb794265aac51342e99544bf45d268ef8da9

General

Target

dc20422a3298f3bf2a307f0112ada110_JaffaCakes118.exe
Size

16KB
MD5

dc20422a3298f3bf2a307f0112ada110
SHA1

3c304be863372b425e64443dad365ede9e1b1275
SHA256

9065b0349f793250a77145d20553fb794265aac51342e99544bf45d268ef8da9
SHA512

e7207a832ca2380d3c8d672adbf4ea3d4a7ccf2654920290cead9191dce10d59fcc568641ae16c88a0ba0fa93561de8e1fb0399bea0817d4eaace14419f447c3
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZlHfj:hDXWipuE+K3/SSHgx3l/j

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM4CE7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEMA354.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEMF973.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEM4F54.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DEMA544.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	dc20422a3298f3bf2a307f0112ada110_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
1336	DEM4CE7.exe
3980	DEMA354.exe
4736	DEMF973.exe
3812	DEM4F54.exe
4756	DEMA544.exe
4496	DEMFB43.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1336	2420	dc20422a3298f3bf2a307f0112ada110_JaffaCakes118.exe	96
PID 2420 wrote to memory of 1336	2420	dc20422a3298f3bf2a307f0112ada110_JaffaCakes118.exe	96
PID 2420 wrote to memory of 1336	2420	dc20422a3298f3bf2a307f0112ada110_JaffaCakes118.exe	96
PID 1336 wrote to memory of 3980	1336	DEM4CE7.exe	99
PID 1336 wrote to memory of 3980	1336	DEM4CE7.exe	99
PID 1336 wrote to memory of 3980	1336	DEM4CE7.exe	99
PID 3980 wrote to memory of 4736	3980	DEMA354.exe	101
PID 3980 wrote to memory of 4736	3980	DEMA354.exe	101
PID 3980 wrote to memory of 4736	3980	DEMA354.exe	101
PID 4736 wrote to memory of 3812	4736	DEMF973.exe	103
PID 4736 wrote to memory of 3812	4736	DEMF973.exe	103
PID 4736 wrote to memory of 3812	4736	DEMF973.exe	103
PID 3812 wrote to memory of 4756	3812	DEM4F54.exe	105
PID 3812 wrote to memory of 4756	3812	DEM4F54.exe	105
PID 3812 wrote to memory of 4756	3812	DEM4F54.exe	105
PID 4756 wrote to memory of 4496	4756	DEMA544.exe	107
PID 4756 wrote to memory of 4496	4756	DEMA544.exe	107
PID 4756 wrote to memory of 4496	4756	DEMA544.exe	107

C:\Users\Admin\AppData\Local\Temp\dc20422a3298f3bf2a307f0112ada110_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc20422a3298f3bf2a307f0112ada110_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\DEM4CE7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4CE7.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Users\Admin\AppData\Local\Temp\DEMA354.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA354.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\DEMF973.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF973.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4736
    - - C:\Users\Admin\AppData\Local\Temp\DEM4F54.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4F54.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3812
      - C:\Users\Admin\AppData\Local\Temp\DEMA544.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA544.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\DEMFB43.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFB43.exe"
        7⤵
        Executes dropped EXE
        
        PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4CE7.exe

Filesize
16KB

MD5
0ced7239b46c41cc35f4c5d5f35c9c96

SHA1
08f9b5955993f9ae4dd3993cc643654a59918a2a

SHA256
12f37917f6d147b34cbd842dbfad4c9d6b6d6a08c1abfde6ef22946ad5294e97

SHA512
e42daa5c8dd91790c865d5a8c3fb2d675ca217f083283edb3a673949e0a75855c23d346fba3345b2d78e55e7464a0c4963814340baf6ffaa7b319525ba7d7ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4F54.exe

Filesize
16KB

MD5
46c6b309adcb945d25c4e43583a9a8e3

SHA1
3e1f236135423a0f705245997c12a47e8a909741

SHA256
5ad0c2e758c091995bebf1ce30354179fa04533478a87b795c4e8541740a0497

SHA512
52e6534a93edc82e498c9f7e0d75e2f33d85cad100957fbfcd4df25d7f3aa9ec78f533615216a66e9a207f69c6221411e864db66ee53bbca55ef1a4ff6dd5ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA354.exe

Filesize
16KB

MD5
0353c9aafb48d3ae0bbf367fe12205c1

SHA1
0dc073b84f8992716886f80ae9c2a5b41858e32d

SHA256
18a23e41f09ef2f03d4c29504bb24d6099cc0d1890267c5a1a2c18d08577379d

SHA512
e5e81550720c39d66bec1cf02546c0352473bdc0d52c2babd39a0c25ab5638e160f1dc702c2bad33f49601c6f842343705bfb4f2a66b9df732cef52a12d21d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA544.exe

Filesize
16KB

MD5
70f535dc279cbb2c1dded279bedfd7e0

SHA1
9673f2d0932e07f89684d2bf1462419e4d8c6f7e

SHA256
7f954078006198fc7d8c359ef0aec9499ea2869579ce65a8768cc1d1cf2fdc69

SHA512
52d3912f96221062ab8751b479b636ac5bb9879a14a69067387dd3bd05d6589eb7080ec7bc4338e498b00d82194805c077da92e9cd924acbc887a457f05e84bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF973.exe

Filesize
16KB

MD5
64a2b1ccf00461769c71760400a66c96

SHA1
a803e2c4a76ed20d209d56373bbd041c4c4152ec

SHA256
1508c50f60261a3460d53b511a83a7d98224fa537a6f05b44116e69b21c7a138

SHA512
72da5f91a93546fe2073f81e2543aafe6b4b8bce83c8a99777bcd0f3340d73a88397291dd8b89f3ebc01b3b412108192467ce6d8a4fdb9bfb60ab5c963c7abe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFB43.exe

Filesize
16KB

MD5
9d847e78a5288addf248a48a6e4334ad

SHA1
85d5a973a7c96dfc61007b780000852d2060fe08

SHA256
1de050e5b9d60ffa293253ec2d1a884cee6799e08b8bfd6d6f4a0be53ac2d102

SHA512
c8cd9b30371cee42b10eab2ad232041a7899b837c575de8ef85f3361593c9019a2121a69e9cea744dcc1964c8656ebbfd638ded80b92e8da45f3075536fc1ffc

Download Submit

Analysis

Sharing