067e2fa8d83c87959e8b99bbe246bd2867172faa2807b05d119e71e7d954d79b

General

Target

e931a7648532915c19b2c953496fdbf7_JaffaCakes118.exe
Size

14KB
MD5

e931a7648532915c19b2c953496fdbf7
SHA1

0f90cd101d31f8258338232e4a4183cf3c78c821
SHA256

067e2fa8d83c87959e8b99bbe246bd2867172faa2807b05d119e71e7d954d79b
SHA512

ed13d52acd14f3bae9e29b888cb46e0073110c0bbf7202fe6c26d4ea2ed26fbeb90a52878279e276ae87e9f58853aa708f5be480a436e665567b89667f6597d9
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdHHukP:hDXWipuE+K3/SSHgx3NHHnP

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM470B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM9E63.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEMF4EF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEM4B7B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DEMA1F8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	e931a7648532915c19b2c953496fdbf7_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
704	DEM470B.exe
1340	DEM9E63.exe
4768	DEMF4EF.exe
3008	DEM4B7B.exe
516	DEMA1F8.exe
452	DEMF855.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 704	2020	e931a7648532915c19b2c953496fdbf7_JaffaCakes118.exe	95
PID 2020 wrote to memory of 704	2020	e931a7648532915c19b2c953496fdbf7_JaffaCakes118.exe	95
PID 2020 wrote to memory of 704	2020	e931a7648532915c19b2c953496fdbf7_JaffaCakes118.exe	95
PID 704 wrote to memory of 1340	704	DEM470B.exe	98
PID 704 wrote to memory of 1340	704	DEM470B.exe	98
PID 704 wrote to memory of 1340	704	DEM470B.exe	98
PID 1340 wrote to memory of 4768	1340	DEM9E63.exe	100
PID 1340 wrote to memory of 4768	1340	DEM9E63.exe	100
PID 1340 wrote to memory of 4768	1340	DEM9E63.exe	100
PID 4768 wrote to memory of 3008	4768	DEMF4EF.exe	102
PID 4768 wrote to memory of 3008	4768	DEMF4EF.exe	102
PID 4768 wrote to memory of 3008	4768	DEMF4EF.exe	102
PID 3008 wrote to memory of 516	3008	DEM4B7B.exe	104
PID 3008 wrote to memory of 516	3008	DEM4B7B.exe	104
PID 3008 wrote to memory of 516	3008	DEM4B7B.exe	104
PID 516 wrote to memory of 452	516	DEMA1F8.exe	106
PID 516 wrote to memory of 452	516	DEMA1F8.exe	106
PID 516 wrote to memory of 452	516	DEMA1F8.exe	106

C:\Users\Admin\AppData\Local\Temp\e931a7648532915c19b2c953496fdbf7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e931a7648532915c19b2c953496fdbf7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\DEM470B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM470B.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Users\Admin\AppData\Local\Temp\DEM9E63.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9E63.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Users\Admin\AppData\Local\Temp\DEMF4EF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF4EF.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Users\Admin\AppData\Local\Temp\DEM4B7B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4B7B.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Users\Admin\AppData\Local\Temp\DEMA1F8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA1F8.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\DEMF855.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF855.exe"
        7⤵
        Executes dropped EXE
        
        PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM470B.exe

Filesize
14KB

MD5
96728999121e4675189fb377a3e2a9ec

SHA1
b8e46e5bbabacd9efc53333ed3f05ca3ce143089

SHA256
0fb1ead7448bddb18bb113e5fb2c9be0ef026d9c63ab180282a09244b6cf0231

SHA512
013065ed8c24bd1104922c0a650cfc97ee472ab2aafe8339bbcab0d8832eda8ee1c06dab3aee2a109840b90a376c58a690a2aeaaebfc89b6c8093de13e86c13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4B7B.exe

Filesize
14KB

MD5
af00fe43a612f5b327da091dfaa4249c

SHA1
090554769c5ad0f6710a2d55933aba18a3ca3045

SHA256
ede682f0dadf64db8597a7d1da15a959004399adcf78a3d2665af11e58190759

SHA512
8898fd070daca7cce0bc46c335f9e13c59f62bd3fba5bb76f0e3416da1552ee56b3a1ce3fe80076de3964b68fe2ad1d773fa367361bec9afe837873cd6b98b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9E63.exe

Filesize
14KB

MD5
67bfdcf23a2d12aad39eda6c9122b5ad

SHA1
cac3a2c7868e55d6d1ba6d778a07fc3c24a4c74f

SHA256
502765a60a4a2c9411d784cc25200fb5db94f70edbf32a46a469cba88822b425

SHA512
88f0027016866b87f6f110bb8448387021d7b377f660206132de028820237d8023f27d5cbc54f58244f115f62de06c5a044931029fddd10681743b16368ed496

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA1F8.exe

Filesize
14KB

MD5
0a6883f0785f5e9e1ea956d2d8c4f53f

SHA1
e666fd30bd19349836f148db3741618ee2806e21

SHA256
61276454daff8d87ed2e0770861c6730d53528b8587ed5c218e8908e9c84a62e

SHA512
6b2872698ae1ba7d7ea42b3a47f7a50d782176e9c6dffeb8958fac7a718c4ef338f8a31ba121bbffcc4e47064fe0f3b805c4e6250f79be0a892549dfc14c9840

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF4EF.exe

Filesize
14KB

MD5
72c7c923c728e9776df64adda18fe569

SHA1
a5139f794c3d04da88dbf5ab74fb6df475d8d348

SHA256
415240eda36ba46a9c65dfe55659847f44449c94a01d34340628f4bb7291dcc1

SHA512
48faabfdac8a552af37ed5a82f3969189a0b6f529cbe50908dbb297746756b4b29d5ff932aac3080a8aa4aed8c009b8b125bc328a98b4d72e93f3ae389e13403

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF855.exe

Filesize
14KB

MD5
797d19cbb2d831e12bb4b91e9b178f33

SHA1
23b707960623b2bb8411123ec523556a5e05485a

SHA256
0a0405e8009aed86160fbc69f84d2d75f7a21f90cf812270042900ec25c6b395

SHA512
e656b7db6997ca8387079d40e16a88145c7133c50557681d002b73defba64e2da3d29e2120ceb36b6dda50c49bbee7c85cdfb2d6c20b7d3207f2c479b9e8a99b

Download Submit

Analysis

Sharing