aa69803e52805a85b69ad7681eb2de5138dfe69a4a5b7990ecb8c17059ce1c92

General

Target

f00609e6ddd807c310af00e9620fce29_JaffaCakes118.exe
Size

14KB
MD5

f00609e6ddd807c310af00e9620fce29
SHA1

57aacb299c0bb54ff13af3cf364ef530de4e29f2
SHA256

aa69803e52805a85b69ad7681eb2de5138dfe69a4a5b7990ecb8c17059ce1c92
SHA512

d9775c5a85e8f9df5a670c3b41a30959cea7f0161395e58b9b52358dc16f739ca488d385415d1c694465c943cf9036dd575966ecbc62759cc8fd4c7850db7d91
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhhiiC:hDXWipuE+K3/SSHgxLiiC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	DEM7B26.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	DEMD2EB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	f00609e6ddd807c310af00e9620fce29_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	DEM668A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	DEMCB10.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	DEM2323.exe

Executes dropped EXE 6 IoCs

pid	Process
4092	DEM668A.exe
4716	DEMCB10.exe
3760	DEM2323.exe
1228	DEM7B26.exe
2144	DEMD2EB.exe
4292	DEM2B9A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 4092	2796	f00609e6ddd807c310af00e9620fce29_JaffaCakes118.exe	89
PID 2796 wrote to memory of 4092	2796	f00609e6ddd807c310af00e9620fce29_JaffaCakes118.exe	89
PID 2796 wrote to memory of 4092	2796	f00609e6ddd807c310af00e9620fce29_JaffaCakes118.exe	89
PID 4092 wrote to memory of 4716	4092	DEM668A.exe	94
PID 4092 wrote to memory of 4716	4092	DEM668A.exe	94
PID 4092 wrote to memory of 4716	4092	DEM668A.exe	94
PID 4716 wrote to memory of 3760	4716	DEMCB10.exe	96
PID 4716 wrote to memory of 3760	4716	DEMCB10.exe	96
PID 4716 wrote to memory of 3760	4716	DEMCB10.exe	96
PID 3760 wrote to memory of 1228	3760	DEM2323.exe	98
PID 3760 wrote to memory of 1228	3760	DEM2323.exe	98
PID 3760 wrote to memory of 1228	3760	DEM2323.exe	98
PID 1228 wrote to memory of 2144	1228	DEM7B26.exe	100
PID 1228 wrote to memory of 2144	1228	DEM7B26.exe	100
PID 1228 wrote to memory of 2144	1228	DEM7B26.exe	100
PID 2144 wrote to memory of 4292	2144	DEMD2EB.exe	102
PID 2144 wrote to memory of 4292	2144	DEMD2EB.exe	102
PID 2144 wrote to memory of 4292	2144	DEMD2EB.exe	102

C:\Users\Admin\AppData\Local\Temp\f00609e6ddd807c310af00e9620fce29_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f00609e6ddd807c310af00e9620fce29_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\DEM668A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM668A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Users\Admin\AppData\Local\Temp\DEMCB10.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCB10.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\DEM2323.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2323.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3760
    - - C:\Users\Admin\AppData\Local\Temp\DEM7B26.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7B26.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1228
      - C:\Users\Admin\AppData\Local\Temp\DEMD2EB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD2EB.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\DEM2B9A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2B9A.exe"
        7⤵
        Executes dropped EXE
        
        PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2323.exe

Filesize
14KB

MD5
55620bd1d1adec14e83c577ce20295be

SHA1
0b03b9d3b1205bb13817f29f460b7881a39633e7

SHA256
a75f5daa7d4de7e6e93f49d2249a64b594091b10c9748d1596bdb2a445c71b3e

SHA512
75acf98fc4332b7ecde08a23cd231384d049852042e4096f058587ebe5bee00e8b6891e030b34a7b557f66ac4184112cdc31744c624354c8a61d7e7121aec572

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2B9A.exe

Filesize
14KB

MD5
ef47d5866193e3e2a02429f37f077e3f

SHA1
3b3bf0b01405db54aa558e42acca64304e31be3e

SHA256
fcfff09e164cfce9b92cfb1dc3d26e4121b0b8da2170b5afc43ad8850adf8b01

SHA512
efbf6e28562de6f9b35be425626cd32b3bd51d5521a9f6b21d9b63b285c1be57fb7c493596a184fe24bf54200b9eb21dc6f33c530baf974564a67d0932802a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM668A.exe

Filesize
14KB

MD5
5dae2da9010c2a0d62dfa02ac860e215

SHA1
42236dfef777da627ddaee061fad75eee071be2c

SHA256
16a162076b48f32b9e5282417b8919fe90b885cb92aa1e1d70cddbf432a33075

SHA512
91455092fc1a7ebd4ccc017a53ede812e2f6c3b1ed537c0a416a6a58503d92b1ca7d17786d3dbde1cb5c26bb7340617d88a08e2a13f985eea0ab885afa8d9203

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7B26.exe

Filesize
14KB

MD5
2ef668b70f50f047b26b82236ba65602

SHA1
9ee4eb5fd8d1536ddf32870c52ba8fb24119cc7d

SHA256
62418b13abd53b98194572a7148f88c960d5cedf1a586846d266b85c7fca89f1

SHA512
1302188f0cb308f9dd393f235391c24da1e25fd8bbaece6a2046cba5fc6aec9e49706f7c7f749e6deb2178389038bc570cb76c5299459b971586d2c22393cf25

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCB10.exe

Filesize
14KB

MD5
ad97f48a8e417cf5314dabefb6437597

SHA1
3bfa0386c567eac6b223cda53fff39f64facbd17

SHA256
9aa00e1f7bac8b57a44ad6c0280196868582e75faaee6e8b50d4643b6b435b1d

SHA512
ee90799ffdd5a5ee01bc262b6ca5ea9651b7931426238be2f8dce2db9eb98fe464f6bd3b51c68f9b693a8f69ccb44a63c9cbed2895f56aa12dd3e91bd675ebe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD2EB.exe

Filesize
14KB

MD5
0a8dba577b097df86d17c3672d2a1157

SHA1
f2ecb31bf4b84cad8d75c65209079c8c5d9127c0

SHA256
b29d730ae5a1c657fd0bae5f47f942f433e501336a2aa4fb677c2b6fd1b8ce5f

SHA512
41a0b660d673a1ceb1736e096e412e02292938cb30b680448dae19278a10552d85a6974fd4f2fa2b4c6d7306ec8912b90daf8737b18e708d1ee1d994f361a912

Download Submit

Analysis

Sharing