14b4568d48ac9aba0fcc420ca85cdc0215cd8c4021cd226183d4fb28a70ff63b

General

Target

f09b5c7458b147729b6de70a3907f3dd_JaffaCakes118.exe
Size

15KB
MD5

f09b5c7458b147729b6de70a3907f3dd
SHA1

43322e632802cefe8525569ff5991b495e985b1e
SHA256

14b4568d48ac9aba0fcc420ca85cdc0215cd8c4021cd226183d4fb28a70ff63b
SHA512

73cbf81585ea1f5049237c41ed0b5fde17713181da44e2920deb7d70be365ce7f1788d245c894bee5c8ce6e1901153980c4021ffa809f03d8f1713adaa9903c5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhhiZ:hDXWipuE+K3/SSHgxLiZ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM3A35.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM9035.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	f09b5c7458b147729b6de70a3907f3dd_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM377B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM8E07.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEME416.exe

Executes dropped EXE 6 IoCs

pid	Process
2980	DEM377B.exe
4476	DEM8E07.exe
4224	DEME416.exe
3804	DEM3A35.exe
3376	DEM9035.exe
4464	DEME654.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 2980	4676	f09b5c7458b147729b6de70a3907f3dd_JaffaCakes118.exe	90
PID 4676 wrote to memory of 2980	4676	f09b5c7458b147729b6de70a3907f3dd_JaffaCakes118.exe	90
PID 4676 wrote to memory of 2980	4676	f09b5c7458b147729b6de70a3907f3dd_JaffaCakes118.exe	90
PID 2980 wrote to memory of 4476	2980	DEM377B.exe	95
PID 2980 wrote to memory of 4476	2980	DEM377B.exe	95
PID 2980 wrote to memory of 4476	2980	DEM377B.exe	95
PID 4476 wrote to memory of 4224	4476	DEM8E07.exe	97
PID 4476 wrote to memory of 4224	4476	DEM8E07.exe	97
PID 4476 wrote to memory of 4224	4476	DEM8E07.exe	97
PID 4224 wrote to memory of 3804	4224	DEME416.exe	99
PID 4224 wrote to memory of 3804	4224	DEME416.exe	99
PID 4224 wrote to memory of 3804	4224	DEME416.exe	99
PID 3804 wrote to memory of 3376	3804	DEM3A35.exe	101
PID 3804 wrote to memory of 3376	3804	DEM3A35.exe	101
PID 3804 wrote to memory of 3376	3804	DEM3A35.exe	101
PID 3376 wrote to memory of 4464	3376	DEM9035.exe	103
PID 3376 wrote to memory of 4464	3376	DEM9035.exe	103
PID 3376 wrote to memory of 4464	3376	DEM9035.exe	103

C:\Users\Admin\AppData\Local\Temp\f09b5c7458b147729b6de70a3907f3dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f09b5c7458b147729b6de70a3907f3dd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\DEM377B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM377B.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\DEM8E07.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8E07.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\DEME416.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME416.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Users\Admin\AppData\Local\Temp\DEM3A35.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3A35.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3804
      - C:\Users\Admin\AppData\Local\Temp\DEM9035.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9035.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\DEME654.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME654.exe"
        7⤵
        Executes dropped EXE
        
        PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM377B.exe

Filesize
15KB

MD5
f326ab96115fbf49193b3ae899754fd6

SHA1
377dd16f706f7d1ea3477adeca9519062dbf5d89

SHA256
1de96cd79c77981b6521489377d8c31a4f033f514a36f0ee733d267c190de616

SHA512
b2203e53d81f7484ee36b8a3f190e7ca98a1ae5f22212c11cd51beee6060517b2d239acbe46efbf0963a840fee049d55f56f20780dc68dff40b2dacb11aee351

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3A35.exe

Filesize
15KB

MD5
b11d41d95a6b099410f1ab2d00b97b84

SHA1
602cc429b5f088d7693266ca32cabcd49f2a2ed5

SHA256
203d46154e4315716652ccbf7305c838c51ae1067db79b20d589ec75555bdc46

SHA512
8f4a5fe76dc41817949af377fa080a1837a5861bc74e7975ecfc618b0c919537cdc35dac0b7fa9ad4163514748f7bdbddb03487702b3084a9d9e19e751426087

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8E07.exe

Filesize
15KB

MD5
3f29b70de640bef35439ef5758bfbfd6

SHA1
583e0fbe7e6b092457d1ce99d82dd0e828afb70e

SHA256
22a0b2b881dbb597967569c9ffedc1fdc1a33e0f55f1525b955b99e51b36bc95

SHA512
11a9677c9912d44fe432061b0502ba7182529c04989613e1bdefff8c89286ccc70936798fa3e864426ec530e25b9e7d3210448ee35f402b65db54e5558506d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9035.exe

Filesize
15KB

MD5
392b77209acdd05acf8d5289b1405f2d

SHA1
41ef438b3ac242b30d10cf69b0956307e4c462ed

SHA256
e4876f491f581837228fe929bccc957b65e48c7d1d1d8e15d17b59e40090450b

SHA512
dea81e250bd50d77eb61fbd41440c214eece58321c173b1b926d3ef5a2c5f57b34a31f7a0042004c787b991979fd50a162639a52ffd99f4b2f3ec4ff8a94f795

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME416.exe

Filesize
15KB

MD5
8859e62acecd769b071622552816a182

SHA1
3677a5fd9e0968e27d5232ef9e92b7642ed7d43d

SHA256
9c57a23dc81217e0146c38b1943696ce28c35be55147135c23d5c5469deb178c

SHA512
7e4dff3ea30b1c769f9e724f261933f2419b3f46faf7ce2f74764e79791110ec95e240c0b19944d3a3395b0faa100c551d2fda27147f13450cbc125e062daf6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME654.exe

Filesize
15KB

MD5
cf458574275d15872f09d19b6d3231ab

SHA1
2f350c8241a6c15e2f9d16bfaec4d386eb02caf7

SHA256
07875d838eb4ac55d8073a633ea8d7e9952e16e16fc06ae7f6a3f2c60e2d3f1a

SHA512
6fcc70c2a3f5929f52c19d5648932bdd4fbca7d8dea90a3cf5657681a8b6ee8a5e239b6426c587d4048ecd7c69193a776a37ec0b814b540bd718668405aa1073

Download Submit

Analysis

Sharing