ade850aee028fb296ae3327224cf7fe36c54c5ade9e0c341d4bb4bd49b7ddc3e

General

Target

e154affc048bd0bbb3b15680d9e93201_JaffaCakes118.exe
Size

15KB
MD5

e154affc048bd0bbb3b15680d9e93201
SHA1

09613df556f4e1bd2dba542ea3643babe429fa04
SHA256

ade850aee028fb296ae3327224cf7fe36c54c5ade9e0c341d4bb4bd49b7ddc3e
SHA512

c11f324f797a9702eec4a2a290b09e2529d04ee84b6408f27bf800dd92d396d8f09fedf3d86bc429585e52f17696050994aab84291323246d455124df6b28071
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyh6V:hDXWipuE+K3/SSHgxmyh6V

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM5DCB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMB580.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	e154affc048bd0bbb3b15680d9e93201_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM5554.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMAE22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM606.exe

Executes dropped EXE 6 IoCs

pid	Process
4572	DEM5554.exe
1604	DEMAE22.exe
3556	DEM606.exe
2432	DEM5DCB.exe
4980	DEMB580.exe
1084	DEMC5A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4572	5100	e154affc048bd0bbb3b15680d9e93201_JaffaCakes118.exe	97
PID 5100 wrote to memory of 4572	5100	e154affc048bd0bbb3b15680d9e93201_JaffaCakes118.exe	97
PID 5100 wrote to memory of 4572	5100	e154affc048bd0bbb3b15680d9e93201_JaffaCakes118.exe	97
PID 4572 wrote to memory of 1604	4572	DEM5554.exe	100
PID 4572 wrote to memory of 1604	4572	DEM5554.exe	100
PID 4572 wrote to memory of 1604	4572	DEM5554.exe	100
PID 1604 wrote to memory of 3556	1604	DEMAE22.exe	102
PID 1604 wrote to memory of 3556	1604	DEMAE22.exe	102
PID 1604 wrote to memory of 3556	1604	DEMAE22.exe	102
PID 3556 wrote to memory of 2432	3556	DEM606.exe	104
PID 3556 wrote to memory of 2432	3556	DEM606.exe	104
PID 3556 wrote to memory of 2432	3556	DEM606.exe	104
PID 2432 wrote to memory of 4980	2432	DEM5DCB.exe	106
PID 2432 wrote to memory of 4980	2432	DEM5DCB.exe	106
PID 2432 wrote to memory of 4980	2432	DEM5DCB.exe	106
PID 4980 wrote to memory of 1084	4980	DEMB580.exe	108
PID 4980 wrote to memory of 1084	4980	DEMB580.exe	108
PID 4980 wrote to memory of 1084	4980	DEMB580.exe	108

C:\Users\Admin\AppData\Local\Temp\e154affc048bd0bbb3b15680d9e93201_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e154affc048bd0bbb3b15680d9e93201_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Local\Temp\DEM5554.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5554.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\DEMAE22.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAE22.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\DEM606.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM606.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Users\Admin\AppData\Local\Temp\DEM5DCB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5DCB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - C:\Users\Admin\AppData\Local\Temp\DEMB580.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB580.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\DEMC5A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC5A.exe"
        7⤵
        Executes dropped EXE
        
        PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5554.exe

Filesize
15KB

MD5
b4865ec246eb234e34b207aa6ea93bd5

SHA1
5c9e6dbd73dbd198323ee2f8a123c2ab7b308399

SHA256
fc306ae7c5a98563a6fb7b7df11cdf2f72b5c3cdc728e6ed583914523994d98a

SHA512
6c60cfcdc808c5f53c8ab6b2f6ec7ab26773a28b480f834ee631855114c4df95b9ace41b88281656266656faedd92f6d9a02fe4aef5c5ada38506111270bdc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5DCB.exe

Filesize
15KB

MD5
0d4324c126debb0a492d9e2999d85891

SHA1
90f8bf6a8ea3f89269ed6af5eca9fadb50f22029

SHA256
6aea68fc2dc469545fb5357cb9638a375da3f95fc32179250313a32bdf497215

SHA512
6a070e263f3a3def9943185278bed004cddbb6ac485967ab9887cd3a9d90e41af0f07824b810efa5978f337a634c1c02e1d3a40776bd38537d5ee17f6f4b8164

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM606.exe

Filesize
15KB

MD5
bbe8613983ab20348208da92854a8b63

SHA1
d8d4922dcd69d62e7cee29c94b90019556bbcc31

SHA256
118142bbdbc4c0115dbb494b4dac949782f9502e4d9cfa3c31f8fd8b66bae6f9

SHA512
e11f64a80b5e1fd15aa3c1a45ea650bf648efa47ff514bfc2635f225dd46ac6e76f18ab459c0b8a0c5493c196a8d27fadc7677a8d65688760855c908c747b825

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAE22.exe

Filesize
15KB

MD5
96c0204a7386a4538cb43205c73c7711

SHA1
5f3e339fd4d1ea900e82baaace4b536a4bad3792

SHA256
b26d8eb2f154b8ccee4c61e7aaa7334991f8bb0560478c604632200b051c351a

SHA512
aa7a3eb89edb88cd410c8c469b1754bbc6080f8c12b2512b37899d9b061346082a95c94dd0a6811a7f2db3f8a7867d8e2a42ec3cf31a1abf6891b524c5bb9ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB580.exe

Filesize
15KB

MD5
59ee1e7f62e1b8cbd678b443f5373b3a

SHA1
a5eeca35961fcc72ef0b7521646745d2ddde4b2c

SHA256
73b305ca97388f104a24da272983aa7d955e586190c16cc0877ba7410294f602

SHA512
d29f61a3251220966778f938b51b7c462c907e964ea7bed814db90519567e813204e08053593385897219910b267047e5280ea342049c6105030f086dfba7dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC5A.exe

Filesize
15KB

MD5
8815f1539d1c3aa176a7095743845b87

SHA1
71eaa1216fd096291d7bb6b734e2c55a765a2d44

SHA256
fd3994f6f8e81fa819f68fbf4ba8baf86c990e13956370db99fce639126885b4

SHA512
2a57a377c772ed177ba64b0f6f54a7ad17bcd2b4bdd2d23fe97af1c09c0a6c8704907d4ab105c4fe782bb82b1ededfdac3995782b19bf27c9587ce62f547d1ae

Download Submit

Analysis

Sharing