eec7ae872cd9eef16d244662f1e7707b813815ca5ac998d67fd9e7e9ee18cddd

General

Target

f172b297116042c0d34ad2a92df81bb4_JaffaCakes118.exe
Size

15KB
MD5

f172b297116042c0d34ad2a92df81bb4
SHA1

bc1e7af495aa0e059cd7683cdea07e868795520e
SHA256

eec7ae872cd9eef16d244662f1e7707b813815ca5ac998d67fd9e7e9ee18cddd
SHA512

d565d77daf5c22f14ac41d03d524d1f8cabf9e76c4a2c17ca19c5ad9a095ffeb82e9e7f5ef1448ecdbe6fea3d1ee8b56a34262eadd9588b088941894e6830628
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYLNBq:hDXWipuE+K3/SSHgxmLzq

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	DEME186.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	DEM37B5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	DEM8DF3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	f172b297116042c0d34ad2a92df81bb4_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	DEM348D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	DEM8B19.exe

Executes dropped EXE 6 IoCs

pid	Process
3220	DEM348D.exe
4216	DEM8B19.exe
2836	DEME186.exe
2036	DEM37B5.exe
4236	DEM8DF3.exe
3120	DEME366.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 3220	4464	f172b297116042c0d34ad2a92df81bb4_JaffaCakes118.exe	92
PID 4464 wrote to memory of 3220	4464	f172b297116042c0d34ad2a92df81bb4_JaffaCakes118.exe	92
PID 4464 wrote to memory of 3220	4464	f172b297116042c0d34ad2a92df81bb4_JaffaCakes118.exe	92
PID 3220 wrote to memory of 4216	3220	DEM348D.exe	98
PID 3220 wrote to memory of 4216	3220	DEM348D.exe	98
PID 3220 wrote to memory of 4216	3220	DEM348D.exe	98
PID 4216 wrote to memory of 2836	4216	DEM8B19.exe	101
PID 4216 wrote to memory of 2836	4216	DEM8B19.exe	101
PID 4216 wrote to memory of 2836	4216	DEM8B19.exe	101
PID 2836 wrote to memory of 2036	2836	DEME186.exe	103
PID 2836 wrote to memory of 2036	2836	DEME186.exe	103
PID 2836 wrote to memory of 2036	2836	DEME186.exe	103
PID 2036 wrote to memory of 4236	2036	DEM37B5.exe	105
PID 2036 wrote to memory of 4236	2036	DEM37B5.exe	105
PID 2036 wrote to memory of 4236	2036	DEM37B5.exe	105
PID 4236 wrote to memory of 3120	4236	DEM8DF3.exe	107
PID 4236 wrote to memory of 3120	4236	DEM8DF3.exe	107
PID 4236 wrote to memory of 3120	4236	DEM8DF3.exe	107

C:\Users\Admin\AppData\Local\Temp\f172b297116042c0d34ad2a92df81bb4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f172b297116042c0d34ad2a92df81bb4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\DEM348D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM348D.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Users\Admin\AppData\Local\Temp\DEM8B19.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8B19.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Users\Admin\AppData\Local\Temp\DEME186.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME186.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Users\Admin\AppData\Local\Temp\DEM37B5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM37B5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Users\Admin\AppData\Local\Temp\DEM8DF3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8DF3.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\DEME366.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME366.exe"
        7⤵
        Executes dropped EXE
        
        PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM348D.exe

Filesize
15KB

MD5
360f772792895ba482e7e992e95493b1

SHA1
61275252684b66dbf7ac08881d48d666f472eeb9

SHA256
8a9c940e870c3511038a9a1d716c34ffb367c5432dabe1f36fe06090a9471945

SHA512
0ca1060bfafa5f8a052af5a8d8290c1baee57bf6ee197747b7ed4763e94f1d374a033e8e9dad6029624ff1ea7e5746f575bf65e15538a4e771e4759ae356946c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM37B5.exe

Filesize
15KB

MD5
f8c80ee8c2649202edd46357e041df03

SHA1
35bd694f92650fdd5600ba96628bc5cae5f29cb6

SHA256
49a673e77bda60717ef93e7462b0ccf31717c16725505347a96d02a1e32c2c4c

SHA512
5edd40a811bcb491a5644616520af4a27ed54fcfa55a24829d29b480219cd96d7e0ec760950824a38fd3059309efdc7d001e8c3d2d83811eae40f044b5b77d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8B19.exe

Filesize
15KB

MD5
6b7c25b2ca3da11ce34350f9927e8654

SHA1
ad24f4222ae1b4d6409da52e131953c759360448

SHA256
aab1e7c5e210c59e7ead2d0e2e0e5e54bf2aaa2fc311e9926b6fc768109c2ae0

SHA512
976e9563bd1931e234a0de69774cd4c44b7ac7dd8ece5660e07f4021a418d5adfa6cfe0ebfb2d105d54fb5f34099b95d6cccb88ae34b9ccc295be2b527be31bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8DF3.exe

Filesize
15KB

MD5
b132cebb04ff20d3cd7ef3e59964b314

SHA1
bfb797e2797e51c2bc0b3238e18b6c403120fadb

SHA256
7487125a6325a08dac9219f556da716c6b4fd888e57ba74d1a81a12b02d8173f

SHA512
2ff432f1c8a21d3f9a8032728c772275991b076cfded41238b3c1461f747b09ed63d7ecfc1ec40181a02ad681f38d12345eec05a9d9e30452f85e53f5e76ca96

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME186.exe

Filesize
15KB

MD5
439e632c6c64829db69dc4ab6387d03a

SHA1
3334b7de46632de7c59faa7cef9a864b9e21b0b5

SHA256
3036df41405dc336a6ba73eaff77b8b8767e2757d25459df2abd50737dfd9812

SHA512
46bb64f04802e2590f9b216e507d6717a0502417d0be6c2beb51c884af7f2f397019a1be2f513e6b81016e388f453c43d375dc939c561f94193165af8044a542

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME366.exe

Filesize
15KB

MD5
a65d69003bdb987a82e4285fdfec85a6

SHA1
a5cec3d963218388d39016cc3b19f2574a48fee3

SHA256
e409e43fce7ad63b28f3f6df0eb4f06f4e918e506feec5efc00475e99c029a2b

SHA512
c6b07b9b6f8efe827874b4d74e07306c71bc1afb34104d17bce9de69b7880f7f0b7ec0f17d5a6f16eac2bfc9645ec3507b0e4f0f56e6b16f83a77b9f2c7269c4

Download Submit

Analysis

Sharing