1d11d2ce13f507d927522309e4e618a46c7708cbfbe10f6f3a9fe38b2902aeb3

General

Target

dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe
Size

14KB
MD5

dd2f062d812c42e8a40619000f228f44
SHA1

2bd8b306cf27e98a97e32a5d8409f1ea552b999c
SHA256

1d11d2ce13f507d927522309e4e618a46c7708cbfbe10f6f3a9fe38b2902aeb3
SHA512

771eda2cbb5d019c146645c831e01e1a23fe1bf3301c06f0a0bc685601f962a8adbcfd5903ee722f20cd63ceca607fe211463b9acce2ab13be1f47008f59a365
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRl5l:hDXWipuE+K3/SSHgxXl

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEMAC3E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM2AB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM5918.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEMAFA4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM5544.exe

Executes dropped EXE 6 IoCs

pid	Process
3320	DEM5544.exe
2116	DEMAC3E.exe
988	DEM2AB.exe
2288	DEM5918.exe
4032	DEMAFA4.exe
4620	DEM6CC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 3320	2180	dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe	97
PID 2180 wrote to memory of 3320	2180	dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe	97
PID 2180 wrote to memory of 3320	2180	dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe	97
PID 3320 wrote to memory of 2116	3320	DEM5544.exe	100
PID 3320 wrote to memory of 2116	3320	DEM5544.exe	100
PID 3320 wrote to memory of 2116	3320	DEM5544.exe	100
PID 2116 wrote to memory of 988	2116	DEMAC3E.exe	102
PID 2116 wrote to memory of 988	2116	DEMAC3E.exe	102
PID 2116 wrote to memory of 988	2116	DEMAC3E.exe	102
PID 988 wrote to memory of 2288	988	DEM2AB.exe	104
PID 988 wrote to memory of 2288	988	DEM2AB.exe	104
PID 988 wrote to memory of 2288	988	DEM2AB.exe	104
PID 2288 wrote to memory of 4032	2288	DEM5918.exe	106
PID 2288 wrote to memory of 4032	2288	DEM5918.exe	106
PID 2288 wrote to memory of 4032	2288	DEM5918.exe	106
PID 4032 wrote to memory of 4620	4032	DEMAFA4.exe	108
PID 4032 wrote to memory of 4620	4032	DEMAFA4.exe	108
PID 4032 wrote to memory of 4620	4032	DEMAFA4.exe	108

C:\Users\Admin\AppData\Local\Temp\dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\DEM5544.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5544.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\DEMAC3E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAC3E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\DEM2AB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2AB.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:988
    - - C:\Users\Admin\AppData\Local\Temp\DEM5918.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5918.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2288
      - C:\Users\Admin\AppData\Local\Temp\DEMAFA4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAFA4.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\DEM6CC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6CC.exe"
        7⤵
        Executes dropped EXE
        
        PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2AB.exe

Filesize
14KB

MD5
f40e99397607384871637ed58a630b03

SHA1
74c52f3b17834bc2569df0299400e71de5ad9f1e

SHA256
a478ad8dc8895a8aded8cb691badabbb0bdd2c87cddd21d90286fefdecf2d076

SHA512
c09f9a7e5bfbbeec9a079749e328d16d69a6127e737de810d0a3242daebb47d70c7e89f79d805624372e7b7dec4a0c8394184cd5c5c10cb49474b4c6d7a7b69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5544.exe

Filesize
14KB

MD5
95d588eacb04e97fb885cd33a91fd8d0

SHA1
9749ef8b214da35fae398bfab5f074a76207c73e

SHA256
3bfbb9d5980b2eaa6f1e9ecf0793c52278189fd068c6b3fe0994a757eebc773b

SHA512
4fe2ef207de8bb26b7484f74d91ad866d5d89f835a1e1775958d09e37a153005429765e4c43335bef3cc4761cb408767ca72603e3e4ba598bd3999b04c518082

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5918.exe

Filesize
14KB

MD5
de10cbe94f4ab006f82516374ba3ee41

SHA1
7924a9b22c1aa63ddaf2b9d79b9d2c707ab89d23

SHA256
5305b682858363d3fa25de511bd4387285bd58b596db326655848a709fbc0a3d

SHA512
39cabaed19d96246ebdcc168823304aef708b19c7fa223d0a6a8f85322f0dea361832c59dedcb186649bcb0dc2e4a8f2ffae5d1fad102949ef4b80e57671ee0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6CC.exe

Filesize
14KB

MD5
d801508ebf4d24e78905ff51c26a9808

SHA1
9e6f90945121e66b27241f034802b18233400eea

SHA256
60226f79ae001cc8f43379b6bb8d2a9eee91c44daebd3525cf022b230592a990

SHA512
7cbeec7b846aeaa1b8f662df2f51dd73364966fa759238c80f9ca315840d37f70f75b15b76df8e243003f029a1483a041bf977c185acc705abd3764d145a9cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAC3E.exe

Filesize
14KB

MD5
68818dc48e9ca6f77ea4c29c4885970d

SHA1
5a4db2ef924c5e58fd6bd53b464e0d1d65e19da7

SHA256
370fc2400c1735facace84902a13a968883d0339d0d87c4e750370b8e7cf035b

SHA512
8004b81a0016f3c5b789cd9b43f0191b9e3795a763e18b092d6bb0e77fe456fb32a104cab4e05ed27c097365866e7e860acfd0be79c1578d13d0551b0d1b45df

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAFA4.exe

Filesize
14KB

MD5
1860fc442fde7f783cb0028c1456e48e

SHA1
f36c73c8859a86de0612bdfd87f4cc602a28ad83

SHA256
88aa9a0f3a94d3c10cb585495b79c43e953014322e118b07836d3b5bfcbd2078

SHA512
9e0aef2e29553e093c748490dcdb916ba8ee23270fc86fbac24df33936c314fc588768c89686bbd6ac9f2b2e51d04bbcc698e149d5bf88db23d90f555d31c457

Download Submit

Analysis

Sharing