1b36548e39db4548625a5360504a72ee779321fd10eaa2afa69d1ea06db4c2a0

General

Target

e29656504c686e77393f0891f81a5f1f_JaffaCakes118.exe
Size

14KB
MD5

e29656504c686e77393f0891f81a5f1f
SHA1

e9318eac208a9dd698cac05530553d5a59f5bf76
SHA256

1b36548e39db4548625a5360504a72ee779321fd10eaa2afa69d1ea06db4c2a0
SHA512

69ca8ff6da188511da27f2d137566e9a7a8d32805c187b7cf8e17ce73ad4ce0ae419b03459b01a1336f17d73f2338f477f3246366e10ace323b13bbad2cc520f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhj7:hDXWipuE+K3/SSHgxh

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMC1A5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	e29656504c686e77393f0891f81a5f1f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM613A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEMBA67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM122B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEM6954.exe

Executes dropped EXE 6 IoCs

pid	Process
4408	DEM613A.exe
1944	DEMBA67.exe
1140	DEM122B.exe
1376	DEM6954.exe
3660	DEMC1A5.exe
3996	DEM197A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 4408	1428	e29656504c686e77393f0891f81a5f1f_JaffaCakes118.exe	97
PID 1428 wrote to memory of 4408	1428	e29656504c686e77393f0891f81a5f1f_JaffaCakes118.exe	97
PID 1428 wrote to memory of 4408	1428	e29656504c686e77393f0891f81a5f1f_JaffaCakes118.exe	97
PID 4408 wrote to memory of 1944	4408	DEM613A.exe	100
PID 4408 wrote to memory of 1944	4408	DEM613A.exe	100
PID 4408 wrote to memory of 1944	4408	DEM613A.exe	100
PID 1944 wrote to memory of 1140	1944	DEMBA67.exe	102
PID 1944 wrote to memory of 1140	1944	DEMBA67.exe	102
PID 1944 wrote to memory of 1140	1944	DEMBA67.exe	102
PID 1140 wrote to memory of 1376	1140	DEM122B.exe	104
PID 1140 wrote to memory of 1376	1140	DEM122B.exe	104
PID 1140 wrote to memory of 1376	1140	DEM122B.exe	104
PID 1376 wrote to memory of 3660	1376	DEM6954.exe	106
PID 1376 wrote to memory of 3660	1376	DEM6954.exe	106
PID 1376 wrote to memory of 3660	1376	DEM6954.exe	106
PID 3660 wrote to memory of 3996	3660	DEMC1A5.exe	108
PID 3660 wrote to memory of 3996	3660	DEMC1A5.exe	108
PID 3660 wrote to memory of 3996	3660	DEMC1A5.exe	108

C:\Users\Admin\AppData\Local\Temp\e29656504c686e77393f0891f81a5f1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e29656504c686e77393f0891f81a5f1f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\DEM613A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM613A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\DEMBA67.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBA67.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\DEM122B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM122B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1140
    - - C:\Users\Admin\AppData\Local\Temp\DEM6954.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6954.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1376
      - C:\Users\Admin\AppData\Local\Temp\DEMC1A5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC1A5.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\DEM197A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM197A.exe"
        7⤵
        Executes dropped EXE
        
        PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM122B.exe

Filesize
14KB

MD5
d53da9b382d66476a3d236141cc708fb

SHA1
d0ceec6ab3e2a793a28acb226b09b1a129179896

SHA256
e54e5baeab71ec3d1eaa049cb5bfa716e82acc4f56995f7e609002148d5a13d9

SHA512
b6a3a066124e1eb440f0b218eb1004940d65f0ad1edea48705d8c3d1dcc90551e31e93fde0d1e8fd03eb8c83229c5df9ab5d677547f1849c0bde5cd28b0da583

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM197A.exe

Filesize
14KB

MD5
7ef4c778d80502d9a80139addf8982c8

SHA1
803970463897d1cd1ef8d96aadd34a1b6c99a165

SHA256
a247b0ef5d4d206196f3cf88db1181b408e811f95d6ac88ac89845f1a86351a7

SHA512
482a9b6ddef8999e8963265275091607ed9886e62d74cc4812e4ba4e65bd6ae7ce21d8974e6a3b5ce6f9cee4219e7375a7a253a147388155dff4e56e805bbe40

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM613A.exe

Filesize
14KB

MD5
85c94e92962427673443387dd2a75244

SHA1
19d88cb0f1f7d77a74fc26b412d44e9450918f21

SHA256
f191cc19628c94457c44219d4c0fb2ed012452ec4cf9fc24fca5e71efdd35bcd

SHA512
7803b0f0d1c696a766c835cc465f81f13427218db6856fdd246528475924a918d497bf362d33e8ef490419100ea16b3725006efebfe28bfe517d488c73fe6dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6954.exe

Filesize
14KB

MD5
e76f03be007f4988efb924db88d18f3b

SHA1
e4c01c3933c34e236d322d0ffcfe916829daf7d1

SHA256
90cac6fb02301161e436e0dc441d95bfa7ea52f49ba376f344626df81b1d221f

SHA512
e4daac7b9307eb2fcdf2098ab30702ab772e63db6ae8f706bc35819d8f0ec6be7ca3d4bf8d3ef04435f2896f2d9b075225d988c96b0c0ed70755a519097d8804

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBA67.exe

Filesize
14KB

MD5
54f9180a81a3a3797173cfe24d507d56

SHA1
3421ec1796c8062d312c1ba50c8813c7cd05e2be

SHA256
d0707bce4bd59a8f3c3864b37b6aca44f2f2b420088f1ed53ab366e8b88dd0c7

SHA512
117cdb11e24db74b2972788a5db92e1bc78ba5ed5100a3c5e4dcd67508e890179f20c7e41b140fdc34a6b2b9460851dfc7ab46e8952c1866ceb12ff1daf7156a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC1A5.exe

Filesize
14KB

MD5
4a5e0601b0e5d20d690472dc778e68c9

SHA1
24a1b01ec949d5650976f040c5d79fc8f58f346c

SHA256
8fe3e6f6ea8bee51a219178145b2928e13ee5df111f1fcb454bbcde6d95966b7

SHA512
b9e9435058c9c8670509a5d1fde9f764498717ad15628c6d72227c5e1a5a4cad19f08be8f58ec1d907dfe4b55d812b96a1a7fc1de6030171b7a53a3d67f6d92e

Download Submit

Analysis

Sharing