8d2244e78774ea22c4f94fa1bf0f47cce548947bf679384fadd125688285795d

General

Target

e1f8c135af66e974e07ab3f188301325_JaffaCakes118.exe
Size

14KB
MD5

e1f8c135af66e974e07ab3f188301325
SHA1

058b12a9072d88b20358e9a8efc8c3ad82e11b22
SHA256

8d2244e78774ea22c4f94fa1bf0f47cce548947bf679384fadd125688285795d
SHA512

4c6d875ac16ce0f025cb080bebfec1248d6d23affcf71e3365cdc59d13e050614f94a3637b14836891b91610117cabda93a92d4f12bd1b5d034adda828986b13
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhIFidPc:hDXWipuE+K3/SSHgxyFWc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMD424.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	e1f8c135af66e974e07ab3f188301325_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM71E4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMCB8D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM23A0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM7C11.exe

Executes dropped EXE 6 IoCs

pid	Process
4836	DEM71E4.exe
5088	DEMCB8D.exe
5068	DEM23A0.exe
2884	DEM7C11.exe
1912	DEMD424.exe
3960	DEM2C65.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 4836	3612	e1f8c135af66e974e07ab3f188301325_JaffaCakes118.exe	97
PID 3612 wrote to memory of 4836	3612	e1f8c135af66e974e07ab3f188301325_JaffaCakes118.exe	97
PID 3612 wrote to memory of 4836	3612	e1f8c135af66e974e07ab3f188301325_JaffaCakes118.exe	97
PID 4836 wrote to memory of 5088	4836	DEM71E4.exe	100
PID 4836 wrote to memory of 5088	4836	DEM71E4.exe	100
PID 4836 wrote to memory of 5088	4836	DEM71E4.exe	100
PID 5088 wrote to memory of 5068	5088	DEMCB8D.exe	102
PID 5088 wrote to memory of 5068	5088	DEMCB8D.exe	102
PID 5088 wrote to memory of 5068	5088	DEMCB8D.exe	102
PID 5068 wrote to memory of 2884	5068	DEM23A0.exe	104
PID 5068 wrote to memory of 2884	5068	DEM23A0.exe	104
PID 5068 wrote to memory of 2884	5068	DEM23A0.exe	104
PID 2884 wrote to memory of 1912	2884	DEM7C11.exe	106
PID 2884 wrote to memory of 1912	2884	DEM7C11.exe	106
PID 2884 wrote to memory of 1912	2884	DEM7C11.exe	106
PID 1912 wrote to memory of 3960	1912	DEMD424.exe	108
PID 1912 wrote to memory of 3960	1912	DEMD424.exe	108
PID 1912 wrote to memory of 3960	1912	DEMD424.exe	108

C:\Users\Admin\AppData\Local\Temp\e1f8c135af66e974e07ab3f188301325_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1f8c135af66e974e07ab3f188301325_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Local\Temp\DEM71E4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM71E4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\DEMCB8D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCB8D.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\DEM23A0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM23A0.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Users\Admin\AppData\Local\Temp\DEM7C11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7C11.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Users\Admin\AppData\Local\Temp\DEMD424.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD424.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\DEM2C65.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2C65.exe"
        7⤵
        Executes dropped EXE
        
        PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM23A0.exe

Filesize
14KB

MD5
c6195c7cd73a694cd4efaeb78a52e5a4

SHA1
7d6552a453e82dabd91c9b54e60902cb5f7fb4d6

SHA256
d5ab5fa7b69b175c54dafea2c4773f35653f1e785e34ebdc2fa8c11d0366c0b6

SHA512
029d1bca3a2d42082d4179a1c86c33f933023c45f72647345e86117fbe66e921e96d2dfdd678b67f68086af7dd4c9fcea06ed3fe336cc1bddb785cf440c7e999

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2C65.exe

Filesize
14KB

MD5
4fc69278b7f43c02addbc9a2c1ae54d4

SHA1
73675d6be3bc205fda9ef45ed0f36f117cb8c28c

SHA256
8eb76c6f5a09f683b511a7aed61907bbf5ee182512715d6961a99ebe7749ea07

SHA512
7e62ba0f6c2bc2317ad718bf1020ed2521d6e84efd7eedf484dd40e25053a51d90bce18e5a829ab70afa2d655b729049b8012d9c232562a7818062b3c2790904

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM71E4.exe

Filesize
14KB

MD5
bef532b662fe7f659f8b87141d61007d

SHA1
ad59dcb98d323f3f4719648652b6bf2c9fbf4429

SHA256
fa6d06745bea2da61661bbfe563ae13c0344fd5d5c3b46910f0a0621e0a7e9b0

SHA512
806451f6d80288052e3227a3967325de02a582c9a138b59b76a347c9baf9035240e505cbdcf74f36885868a392d710a94eec5cb978d0bbe2c3589dec36aa8ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7C11.exe

Filesize
14KB

MD5
243096e85a7fff7769e8aa318dcf7885

SHA1
b1875acf1eb5ed826fd90972ee2e86b3a8433100

SHA256
91775e78e3ba1c5de160a3036f607a2f0620af3669bfc8eedb399a5211f4fe50

SHA512
6acad4c3b9dd4fcce361fcd168c49655a5f3aa07613820d6d3705538d4970dcf07b49a5c5f99e093634011fbbe5702ab4daab6759475265b164fb35d73051d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCB8D.exe

Filesize
14KB

MD5
8f2ad151812442233ab42b65281a2480

SHA1
0b1940b8b78e265b086a0797836df5093600fd63

SHA256
100b1388cac24f610f5a712ebe49b84cc1c955eca7b11ef30267dd7cdca7c18c

SHA512
27523deba16476b843df91935ddfae2d48938ee8dbbfba61dfb1bde94c73cb7877131bd33b9351ace16e880b393deaf8f223d4c8b0cad609a46d3aa24a427b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD424.exe

Filesize
14KB

MD5
1f6be061eb9513ba433fae020753b324

SHA1
9aa3a8abdb121b0934715e5d44507fe4147a56b2

SHA256
1919f5699ceb14790745340671eb3f35e95d656813aeb771cfd7b5c2ef3f2090

SHA512
1de3ccb03808c81c548e3f01d67732e09e90c926b9a4010c999a4e8cac5f802a40a642c260cda3a132a5725bbc5b840829f8f4ff40950008097b9ce723d3da55

Download Submit

Analysis

Sharing