e81ab0feef80d542aa5836783ae52c8b4046512ce3416c6c9c9dcae20711725c

General

Target

e137a9ce875a6a56260643975a9c1838_JaffaCakes118.exe
Size

20KB
MD5

e137a9ce875a6a56260643975a9c1838
SHA1

c617d7226fb3d6b97f47508a1f256ce2589ce170
SHA256

e81ab0feef80d542aa5836783ae52c8b4046512ce3416c6c9c9dcae20711725c
SHA512

61b1a3c20493e456eefba64e4a7ebb1a10992e3bacce7b98ac619b27a60cba24908a2d74085fe141a09c1d5e5724ecb0385a11d71c3184c27d95225752930da8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4D:hDXWipuE+K3/SSHgxmHZD

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	e137a9ce875a6a56260643975a9c1838_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM4E6E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMA539.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMFB77.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM51D4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMA832.exe

Executes dropped EXE 6 IoCs

pid	Process
3204	DEM4E6E.exe
1980	DEMA539.exe
4332	DEMFB77.exe
4944	DEM51D4.exe
4872	DEMA832.exe
4104	DEMFE8F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 3204	1720	e137a9ce875a6a56260643975a9c1838_JaffaCakes118.exe	89
PID 1720 wrote to memory of 3204	1720	e137a9ce875a6a56260643975a9c1838_JaffaCakes118.exe	89
PID 1720 wrote to memory of 3204	1720	e137a9ce875a6a56260643975a9c1838_JaffaCakes118.exe	89
PID 3204 wrote to memory of 1980	3204	DEM4E6E.exe	95
PID 3204 wrote to memory of 1980	3204	DEM4E6E.exe	95
PID 3204 wrote to memory of 1980	3204	DEM4E6E.exe	95
PID 1980 wrote to memory of 4332	1980	DEMA539.exe	97
PID 1980 wrote to memory of 4332	1980	DEMA539.exe	97
PID 1980 wrote to memory of 4332	1980	DEMA539.exe	97
PID 4332 wrote to memory of 4944	4332	DEMFB77.exe	99
PID 4332 wrote to memory of 4944	4332	DEMFB77.exe	99
PID 4332 wrote to memory of 4944	4332	DEMFB77.exe	99
PID 4944 wrote to memory of 4872	4944	DEM51D4.exe	101
PID 4944 wrote to memory of 4872	4944	DEM51D4.exe	101
PID 4944 wrote to memory of 4872	4944	DEM51D4.exe	101
PID 4872 wrote to memory of 4104	4872	DEMA832.exe	103
PID 4872 wrote to memory of 4104	4872	DEMA832.exe	103
PID 4872 wrote to memory of 4104	4872	DEMA832.exe	103

C:\Users\Admin\AppData\Local\Temp\e137a9ce875a6a56260643975a9c1838_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e137a9ce875a6a56260643975a9c1838_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\DEM4E6E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4E6E.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Users\Admin\AppData\Local\Temp\DEMA539.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA539.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\DEMFB77.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFB77.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4332
    - - C:\Users\Admin\AppData\Local\Temp\DEM51D4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM51D4.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4944
      - C:\Users\Admin\AppData\Local\Temp\DEMA832.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA832.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\DEMFE8F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFE8F.exe"
        7⤵
        Executes dropped EXE
        
        PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4E6E.exe

Filesize
20KB

MD5
80502bcfadd102e81ef568c3197e4de8

SHA1
1e29eff5747d2d435d36abd5ce78f558dd603468

SHA256
57f7d1b0369f325cb8083c95c83b5281d120ef41cba29edf3cde7509f97392ed

SHA512
f58fc153b7f61d0da43ca184d0819a509cc596eb5decfd61cc6a3e3b60a044d43d51f6ef72d9e796e83c694ee94739b591e0a8fcd37f17f0960135666816e96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM51D4.exe

Filesize
20KB

MD5
921be9d8326e18ca2ca9e39f36b38599

SHA1
efc8c6786c871765ca1a3d7c19e331b9f26cffc1

SHA256
ef077907dc5c65a60bf10af62d4c01baa483c6687fe7a948c525a106a803c582

SHA512
a213c2ce7a475ecc55e19bba274c8c34bad326388e186b7efa8a67aeeb55342f40ac5247afcdf4cd883649f88edc769cb8ab195e648ba689ac8c0bac36d58d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA539.exe

Filesize
20KB

MD5
728ca94f66555023787d52d4a3b13077

SHA1
9ad4a26746d02f0ddd1fc51e80670fa08a9cc2d4

SHA256
b0cc5ea2d5f1798cd7a04c8dcd96fcc810513bb1a7d9a3db0453cd20a21b5134

SHA512
4e8d5045973f609f4d86ffcb06a9ce4d5cc6b18bd08ac54dac778c0a0d94e6ab5c1c96dced296e714e3c2439c8e17bee7f48926f242f73ea57c88bfddc7093bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA832.exe

Filesize
20KB

MD5
c67dabf3eb5ef3695404e24d92ecfeab

SHA1
68ae2f4b23162de38fecfc9e709e422db2f58034

SHA256
9d4173897508f38d31b01a01fe0218ae56585d37032da778e3c7358504d2a971

SHA512
cea35e1dd036725a5c89b76f1205b294678b5c6cde145325c563e077fd3edffbb6d3299a33875234b5e28d38fc4c560e273c7d47bad23b9fe6d04f1c30febe6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFB77.exe

Filesize
20KB

MD5
abd6f7b3d7b9d0bdd3ad2d83e422d835

SHA1
e0df1e405ca8bda2d62bc3c3ee5ddbb7d6a7ce8e

SHA256
f8742358e7b853a4a9c30bd61715a29c124d7a4692932491a1acf7afdc617b2c

SHA512
bb2e60fd65e531641371a7cac8150c1c9235495d50a96547ea3131b7bc9b54a26c6eb70d1b78a5cdb207ac3842ddfb2d549a9b230fda1128fdb15c9339f7d7d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFE8F.exe

Filesize
20KB

MD5
fe8aa2f475a20c4bcddf36893e87edc5

SHA1
0a01d0b36946187472c9b6d38df2a452e0393341

SHA256
7ef3dbeb05eb688b6b03e080417f3fb45be1606bae839c9b13f16f74d6c8b9c8

SHA512
1a3eb799742d2d9191acae07c2a389393e695fb4421161b047753c8d03cb6fb702a3d41e2a74c6ffb04d9e77766b0665df84313f16bcbbd55cc667a037dd40ae

Download Submit

Analysis

Sharing