d02469d459044ac1b11f27ba6052dd3464a73c96313e1513e2d951123ec94541

General

Target

dfd9a24bc15c97238ce726c079d10e0c_JaffaCakes118.exe
Size

15KB
MD5

dfd9a24bc15c97238ce726c079d10e0c
SHA1

419408db9f27d9a071f62a02909167cad4150889
SHA256

d02469d459044ac1b11f27ba6052dd3464a73c96313e1513e2d951123ec94541
SHA512

e2ae7089e42fb177b88ea321bedebef98f6e4fd9301b614b1b0cc45a603acde1db74c25b371bac4f0b4ee5094e3915a33ad4a0ade75cdc3e7ee3b0d5048dac40
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhhQ:hDXWipuE+K3/SSHgxzQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM3FF2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM97C6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEMF066.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	dfd9a24bc15c97238ce726c079d10e0c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEM8E36.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	DEME88B.exe

Executes dropped EXE 6 IoCs

pid	Process
3024	DEM8E36.exe
4432	DEME88B.exe
2492	DEM3FF2.exe
1364	DEM97C6.exe
4608	DEMF066.exe
3896	DEM48F6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 3024	4668	dfd9a24bc15c97238ce726c079d10e0c_JaffaCakes118.exe	97
PID 4668 wrote to memory of 3024	4668	dfd9a24bc15c97238ce726c079d10e0c_JaffaCakes118.exe	97
PID 4668 wrote to memory of 3024	4668	dfd9a24bc15c97238ce726c079d10e0c_JaffaCakes118.exe	97
PID 3024 wrote to memory of 4432	3024	DEM8E36.exe	100
PID 3024 wrote to memory of 4432	3024	DEM8E36.exe	100
PID 3024 wrote to memory of 4432	3024	DEM8E36.exe	100
PID 4432 wrote to memory of 2492	4432	DEME88B.exe	102
PID 4432 wrote to memory of 2492	4432	DEME88B.exe	102
PID 4432 wrote to memory of 2492	4432	DEME88B.exe	102
PID 2492 wrote to memory of 1364	2492	DEM3FF2.exe	104
PID 2492 wrote to memory of 1364	2492	DEM3FF2.exe	104
PID 2492 wrote to memory of 1364	2492	DEM3FF2.exe	104
PID 1364 wrote to memory of 4608	1364	DEM97C6.exe	106
PID 1364 wrote to memory of 4608	1364	DEM97C6.exe	106
PID 1364 wrote to memory of 4608	1364	DEM97C6.exe	106
PID 4608 wrote to memory of 3896	4608	DEMF066.exe	108
PID 4608 wrote to memory of 3896	4608	DEMF066.exe	108
PID 4608 wrote to memory of 3896	4608	DEMF066.exe	108

C:\Users\Admin\AppData\Local\Temp\dfd9a24bc15c97238ce726c079d10e0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dfd9a24bc15c97238ce726c079d10e0c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\DEM8E36.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8E36.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\DEME88B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME88B.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Users\Admin\AppData\Local\Temp\DEM3FF2.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3FF2.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Users\Admin\AppData\Local\Temp\DEM97C6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM97C6.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Users\Admin\AppData\Local\Temp\DEMF066.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF066.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\DEM48F6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM48F6.exe"
        7⤵
        Executes dropped EXE
        
        PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3FF2.exe

Filesize
15KB

MD5
e3be5bff7cc457e297fbc632eb640d31

SHA1
654600f091d4946b3fffc8cd59a4666072db0eae

SHA256
3dd0fbf5b2768a6334ef1fc7831ee1a06410586ca80448f35bc28c11ad8f3218

SHA512
62508957089926d11a39368c316ecacb0a061a0acc87bb67d799334cb3325831defdffa25dc622db38cf388bfd5ebe776d1d5ee9687247e06ee02181d9afee7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM48F6.exe

Filesize
15KB

MD5
03566ba886bd28e8b016b08482f4d518

SHA1
76d1b458c777acd21e7a0ddcf013582211c89b33

SHA256
22d32a52a15f48e44b422ae377bdf08a5d7e9f0c00c49c670c979218a9c470e8

SHA512
a8abf737a77a5afcdd4fab8b020de0f7893a2927bc3780fa103fc78674e257dd0504467550a5a305651e334d6909e5bd8a60ce1eefbe686b27756373aae38040

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8E36.exe

Filesize
15KB

MD5
982bf8b73095e6e57912e32d3f8b658c

SHA1
0599c17485df4bcdd075ab5d8466531e324d30a7

SHA256
2b17f31ee68eb53216f3acb3cf4f2f164e51ede60a1655a43ac39f161dcc1047

SHA512
2f3862985df284ec9be0daa0febe1c104b213c3e9ae4b94a68bd622fd345c8b31dade5574e20a99b26a1837abf25a70340420ab7eea038ab20ef1bdf8ed84bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM97C6.exe

Filesize
15KB

MD5
e85183f6a83518019366d1826d1975e3

SHA1
27573445aca79bb0ecab2b512cc159afe1226adf

SHA256
048c163739be9af973d2c913f3d728053ca73af8b8525f00d487a3b00acd0566

SHA512
0c330dd3f56f025a2df03678bf581574e56d8ae18afa6a572c1e9efcc82195b86bf7618a12730207e967078fdca3a24ce7a35e8593ae4e28ab3eb169ab5365ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME88B.exe

Filesize
15KB

MD5
f7a53117be6853bcfca5ae8ecee29416

SHA1
0bd401e2a9369fca45337870ec7d483e2025f95b

SHA256
e2d027bc513c8845cb05e9cdfd98bbab1030be0aed8e5a1ac325dc8e338e55f2

SHA512
57d88c13bb919be060f537bec6933ef37188b791c8da1d610aa9d172362a1d0cc43969ca80f2a225c3c841ff18ffdf73c925b22066f30098da984675f3d1a2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF066.exe

Filesize
15KB

MD5
58fecb87f495b056d53b7f1e2162c6a6

SHA1
82e02434f558dd242776922b3b2dc9f9ff96dd1b

SHA256
59fb32b27dd7d93dcc0bcafca2fc618b16dcaff606442b15e103be979bbec441

SHA512
69f5b8c53ce63da17055abb0f414e1d375fe792e345f594a8c218a630a338c1a7f7eb5c8a0aaf7e17377fbbca7c1239cc1f05a7e24b19020b9f089da20558f28

Download Submit

Analysis

Sharing