c93d5e4c25a82b6054b2bcdf4a75e13b469e2daa1c2a89b67a1c626e3d5b778a

General

Target

e7ab7dd100c12428964355f4328351ac_JaffaCakes118.exe
Size

14KB
MD5

e7ab7dd100c12428964355f4328351ac
SHA1

6c25d81500c8a6660a5dd43dff8a12fee92d095b
SHA256

c93d5e4c25a82b6054b2bcdf4a75e13b469e2daa1c2a89b67a1c626e3d5b778a
SHA512

f95de35e76242146b860f385badf15c1b7b4871f7fb22355f1a7e3f8f7d1cd8f1b15d019099f8a7fe8f977c1217f731e0ce7971987e768238e8e49543961fbd2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhh7Ic:hDXWipuE+K3/SSHgxz8c

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	e7ab7dd100c12428964355f4328351ac_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM6FC1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMC8ED.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM1F89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEM76A2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DEMCD7C.exe

Executes dropped EXE 6 IoCs

pid	Process
3788	DEM6FC1.exe
1964	DEMC8ED.exe
1972	DEM1F89.exe
4900	DEM76A2.exe
3360	DEMCD7C.exe
2364	DEM2476.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 3788	1888	e7ab7dd100c12428964355f4328351ac_JaffaCakes118.exe	97
PID 1888 wrote to memory of 3788	1888	e7ab7dd100c12428964355f4328351ac_JaffaCakes118.exe	97
PID 1888 wrote to memory of 3788	1888	e7ab7dd100c12428964355f4328351ac_JaffaCakes118.exe	97
PID 3788 wrote to memory of 1964	3788	DEM6FC1.exe	100
PID 3788 wrote to memory of 1964	3788	DEM6FC1.exe	100
PID 3788 wrote to memory of 1964	3788	DEM6FC1.exe	100
PID 1964 wrote to memory of 1972	1964	DEMC8ED.exe	102
PID 1964 wrote to memory of 1972	1964	DEMC8ED.exe	102
PID 1964 wrote to memory of 1972	1964	DEMC8ED.exe	102
PID 1972 wrote to memory of 4900	1972	DEM1F89.exe	104
PID 1972 wrote to memory of 4900	1972	DEM1F89.exe	104
PID 1972 wrote to memory of 4900	1972	DEM1F89.exe	104
PID 4900 wrote to memory of 3360	4900	DEM76A2.exe	106
PID 4900 wrote to memory of 3360	4900	DEM76A2.exe	106
PID 4900 wrote to memory of 3360	4900	DEM76A2.exe	106
PID 3360 wrote to memory of 2364	3360	DEMCD7C.exe	108
PID 3360 wrote to memory of 2364	3360	DEMCD7C.exe	108
PID 3360 wrote to memory of 2364	3360	DEMCD7C.exe	108

C:\Users\Admin\AppData\Local\Temp\e7ab7dd100c12428964355f4328351ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e7ab7dd100c12428964355f4328351ac_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\DEM6FC1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6FC1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Users\Admin\AppData\Local\Temp\DEMC8ED.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC8ED.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\DEM1F89.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1F89.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Users\Admin\AppData\Local\Temp\DEM76A2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM76A2.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4900
      - C:\Users\Admin\AppData\Local\Temp\DEMCD7C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCD7C.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\DEM2476.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2476.exe"
        7⤵
        Executes dropped EXE
        
        PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1F89.exe

Filesize
14KB

MD5
b79c05a3a297e3b71830405385051c6e

SHA1
15009f7c0d8958fc3f86f4981c54f0560d845595

SHA256
4a0b720822d935867fcf92a9e74d57c021c74b35cb139c1ea2f2a78426280c26

SHA512
5f38e31c7af08fac4d699170d312ee85a231f2467c30cf00ee9e16ffb2230e6b3313de7b9e7a3e33c883f8e0ab1b52f9995ec2edb5fdcef65eadc6ad3152a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2476.exe

Filesize
14KB

MD5
26ff7f8a5af0565d9106462e93bc63b5

SHA1
f4cdf6b2a5252b32a1a15b655149037cd94d06b8

SHA256
3505c89fc4597c84b80629ee0188608ada136c0df845f6fc8f1a26393e9274ac

SHA512
49c9c56641d1f56f94abc88679d19de7bcf662a3ba2bc8f03e3ca7e30672d7cda6c2d38e072a97bc69a7f6a712e456ab452ba05a229f874e8a1aff9692ad62d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6FC1.exe

Filesize
14KB

MD5
737040d3cf5afe26fec7991db7d3beca

SHA1
9abb7ef2a59dca95856d09eef323a792e957508e

SHA256
9b5da93965205d0bfe7557db43f4d3fde1857e8393a8b47ec1ab2c3062e5971c

SHA512
09d21d0aa46857c03c79e350418e0e4fa7e1f00f34297c3b464c9abb1574bdd03fb26b644c139507e34fbb1e4b03995d5bd0ec15c262ec07a3d87a7555b03e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM76A2.exe

Filesize
14KB

MD5
79ec71f63bd4ecd471dc7c7ad819776c

SHA1
9aafce6efc50295dac42ff794e824ec43670b0cb

SHA256
32bd4fa5d0a98c2a5d7b71f1080f26a908128fb21ae0b7221db37bec0724f77b

SHA512
d97bca6e02f85b993a8996f456259beee3a1ce6f64aeca052fe42be9eb1a5e27b7d7be87efffeec25bb5fb0281897b2288e5022c60e31d6e7782b7673f8e942b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC8ED.exe

Filesize
14KB

MD5
13c5a0eeebcf338eb06a494652e761ea

SHA1
429e80421efd852f01689226b1db4a0e7147749d

SHA256
744dfd203ba8d0b1c7b167bf9969af8cbbeb69cee0b12be452ab6c9572d125e0

SHA512
8550dfe36e34ce240cdb0643f09631a10c3ad5dc318fc44fc2c923dfc81d566d4b52f3cb5d3af74378ca1dd9f751ce6cc1f7476c1f1370e329bb5fd63359a3c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCD7C.exe

Filesize
14KB

MD5
80dac390120e31f847f2481dde05e495

SHA1
82423b57f2f46aef9dc8d5de853988bd74c591de

SHA256
b2c0d6d650a8ee61aa57a33c44807501f5edcb3993b9e6952e897e1b9f25e203

SHA512
75ce2c3114d546f8dbbae48c1a3774b994bc4279dac2c469744df1a65bb91296d97192e5395aaabc232eaddc05bb5401a9fbf81c34a498cd00627e73e56c4384

Download Submit

Analysis

Sharing