781b521f9adf35b4367370d1947c83900f01f92462e99e97a045ad402fbf6f4f

General

Target

ecb98733e4c859aa969b1446ba68c3c0_JaffaCakes118.exe
Size

16KB
MD5

ecb98733e4c859aa969b1446ba68c3c0
SHA1

39c996415baee87aabe09ce4c473ce70dfe1e147
SHA256

781b521f9adf35b4367370d1947c83900f01f92462e99e97a045ad402fbf6f4f
SHA512

75879d4cde5ebcee31596fa55bb5a34fbe24e26bce09ec2befbe3e8c6b4d41a118135752251ef34ed0b772700af6c7bf682b32b4dc4858f005e780b5953477f6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0K4:hDXWipuE+K3/SSHgx4K4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEME7FE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM3E3D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM946B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	ecb98733e4c859aa969b1446ba68c3c0_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM3B82.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	DEM91FF.exe

Executes dropped EXE 6 IoCs

pid	Process
4436	DEM3B82.exe
2600	DEM91FF.exe
244	DEME7FE.exe
3404	DEM3E3D.exe
3300	DEM946B.exe
2684	DEMEA9A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 4436	1456	ecb98733e4c859aa969b1446ba68c3c0_JaffaCakes118.exe	92
PID 1456 wrote to memory of 4436	1456	ecb98733e4c859aa969b1446ba68c3c0_JaffaCakes118.exe	92
PID 1456 wrote to memory of 4436	1456	ecb98733e4c859aa969b1446ba68c3c0_JaffaCakes118.exe	92
PID 4436 wrote to memory of 2600	4436	DEM3B82.exe	95
PID 4436 wrote to memory of 2600	4436	DEM3B82.exe	95
PID 4436 wrote to memory of 2600	4436	DEM3B82.exe	95
PID 2600 wrote to memory of 244	2600	DEM91FF.exe	97
PID 2600 wrote to memory of 244	2600	DEM91FF.exe	97
PID 2600 wrote to memory of 244	2600	DEM91FF.exe	97
PID 244 wrote to memory of 3404	244	DEME7FE.exe	99
PID 244 wrote to memory of 3404	244	DEME7FE.exe	99
PID 244 wrote to memory of 3404	244	DEME7FE.exe	99
PID 3404 wrote to memory of 3300	3404	DEM3E3D.exe	101
PID 3404 wrote to memory of 3300	3404	DEM3E3D.exe	101
PID 3404 wrote to memory of 3300	3404	DEM3E3D.exe	101
PID 3300 wrote to memory of 2684	3300	DEM946B.exe	103
PID 3300 wrote to memory of 2684	3300	DEM946B.exe	103
PID 3300 wrote to memory of 2684	3300	DEM946B.exe	103

C:\Users\Admin\AppData\Local\Temp\ecb98733e4c859aa969b1446ba68c3c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ecb98733e4c859aa969b1446ba68c3c0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\DEM3B82.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3B82.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\DEM91FF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM91FF.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\DEME7FE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME7FE.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:244
    - - C:\Users\Admin\AppData\Local\Temp\DEM3E3D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3E3D.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3404
      - C:\Users\Admin\AppData\Local\Temp\DEM946B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM946B.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\DEMEA9A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEA9A.exe"
        7⤵
        Executes dropped EXE
        
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3B82.exe

Filesize
16KB

MD5
239303ba242b50961bf10bd6793bf6d6

SHA1
4a47be970222d75618a7a10e6135661945e8f6bd

SHA256
dba32f20040dc1435d8e031e8fcb2b70dea7bd7d29e4e6e6922c0e7c2ffb9d3e

SHA512
2fa54fd3a8c44d1c02d879dad57beb669f6647b952a9e7e29ef3ef7b5b80077cc60629cdff0fc4f86a9f246ed75a4ebbd7e33997e537863fcd7bf87e508c7888

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3E3D.exe

Filesize
16KB

MD5
9cc0d0df4697b2a510303822054a1a79

SHA1
0b74660ea94482a9bd18d7ec5720e22ae0828db0

SHA256
813416372e9651853cb59d4041f824fe19c6e1ee3db9aed956671798f1cadf39

SHA512
ff1b4142e6ac7c7b20a1ee2f5e959ce2b6a6dfd5c9af7ef34407de517387901b0b0c1e844b1e8b1aec995b6073496c9a8580a36f6c1bb1018d6c3d5b5c9e2a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM91FF.exe

Filesize
16KB

MD5
a2f2ec598e5e8e1ac6dacf7b342ae3fc

SHA1
a403726dd9e5ddee7e33881f1bb2af4ae9aec978

SHA256
5c5c62f6d5ca80142c0edf0e0b2f667cb1ff66bd5f68cd4fae622eff40bb0e02

SHA512
88dbc6d887e008641f2c59388402950506b780f525b8f0bc3f2b7697b5e20b28bab809497aea79302ee95e3b527fb626cf62e05e84a209d6620c71bdc87fd53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM946B.exe

Filesize
16KB

MD5
496eeb8a872bdc4c6a0ab0cc53bb86ca

SHA1
5db2075547a665397c26908b989ed454c696b1b0

SHA256
748a3ecab17ae7a9d1fe272b869f8a5548cdecebadd744e06e4a2e8bfc6e128c

SHA512
8c97381964b8feec97145ae55bed855181cf96cb4818dcf68161ff72a8f0fde87b8995d42a47534ec333b16479820c66c8e5eb12654c5b9130e9e1cd8893e3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME7FE.exe

Filesize
16KB

MD5
1e37615a5aeff3abb133cabcb6499570

SHA1
98f5f4ec8beb486d560962d7aa463b49b0477a6a

SHA256
dd07cc64ddc10e57e24e9bf9c624c05c61a6f6e27be6046e218fe5c052105262

SHA512
9784c9176c033dbddf85b26254d932331bab16a979fd341ae3694fd5b1140330cd73491c8c31a11cd58d8717db4faf15a5afda763071b352a07ada01bf6df89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEA9A.exe

Filesize
16KB

MD5
1955750eb340d95216253c3f72a23cbf

SHA1
346f1f9d2b59af6159023bca5a748310858683bb

SHA256
8f130036e59bc0e7f66c7053e1225b7fa214db9b7713bf5da300014f6c5fd404

SHA512
430fb504bb9ba51bd81efe683e2295d234be5f964e2b1f8af2cff27d6656df6fd5262aff011bde1866e047d639b1f578386e6bcb297a4cc25e67a92bb267cb9f

Download Submit

Analysis

Sharing