58a99a82a898e639aad3a1a8ea7158d8adba08600f207d2525a4d54aa3be2ade

General

Target

f46dfc1aa01da29277d7237646dd4137_JaffaCakes118.exe
Size

16KB
MD5

f46dfc1aa01da29277d7237646dd4137
SHA1

2a63aa2e24483e6b1c8757ee32a97d625d6faf72
SHA256

58a99a82a898e639aad3a1a8ea7158d8adba08600f207d2525a4d54aa3be2ade
SHA512

ce66b5ea8a39fd66f3a50cd04c2ff06241012fee1046ef9a219b48ae12017d93283d12285b9d39bb03f44a422509691941ce2e371e51fc8e540cb43274e918c7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlj:hDXWipuE+K3/SSHgxmlj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM34CB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM8B48.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEME196.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM37C4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM8DE3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	f46dfc1aa01da29277d7237646dd4137_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
2612	DEM34CB.exe
3540	DEM8B48.exe
3388	DEME196.exe
668	DEM37C4.exe
3260	DEM8DE3.exe
832	DEME431.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2612	2756	f46dfc1aa01da29277d7237646dd4137_JaffaCakes118.exe	91
PID 2756 wrote to memory of 2612	2756	f46dfc1aa01da29277d7237646dd4137_JaffaCakes118.exe	91
PID 2756 wrote to memory of 2612	2756	f46dfc1aa01da29277d7237646dd4137_JaffaCakes118.exe	91
PID 2612 wrote to memory of 3540	2612	DEM34CB.exe	96
PID 2612 wrote to memory of 3540	2612	DEM34CB.exe	96
PID 2612 wrote to memory of 3540	2612	DEM34CB.exe	96
PID 3540 wrote to memory of 3388	3540	DEM8B48.exe	98
PID 3540 wrote to memory of 3388	3540	DEM8B48.exe	98
PID 3540 wrote to memory of 3388	3540	DEM8B48.exe	98
PID 3388 wrote to memory of 668	3388	DEME196.exe	100
PID 3388 wrote to memory of 668	3388	DEME196.exe	100
PID 3388 wrote to memory of 668	3388	DEME196.exe	100
PID 668 wrote to memory of 3260	668	DEM37C4.exe	102
PID 668 wrote to memory of 3260	668	DEM37C4.exe	102
PID 668 wrote to memory of 3260	668	DEM37C4.exe	102
PID 3260 wrote to memory of 832	3260	DEM8DE3.exe	104
PID 3260 wrote to memory of 832	3260	DEM8DE3.exe	104
PID 3260 wrote to memory of 832	3260	DEM8DE3.exe	104

C:\Users\Admin\AppData\Local\Temp\f46dfc1aa01da29277d7237646dd4137_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f46dfc1aa01da29277d7237646dd4137_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\DEM34CB.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM34CB.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\DEM8B48.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8B48.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Users\Admin\AppData\Local\Temp\DEME196.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME196.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3388
    - - C:\Users\Admin\AppData\Local\Temp\DEM37C4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM37C4.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:668
      - C:\Users\Admin\AppData\Local\Temp\DEM8DE3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8DE3.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\DEME431.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME431.exe"
        7⤵
        Executes dropped EXE
        
        PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM34CB.exe

Filesize
16KB

MD5
d029fae4b917e8e572b24c756edd893a

SHA1
9c47463d915824b01dbedaea699a0c5790ab3d89

SHA256
cb79f064a736cc372c05304246bae48741a9be9394b7b97a22c574172e6d09d6

SHA512
64dd29cc4e75cbc051426f5d0cd356c87383b724c06d88adf5ed38f6276b3f47816e9d02403272ce8c9ab92b3a0273f3d20c4ebf83b6fb036736101166af5dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM37C4.exe

Filesize
16KB

MD5
be5c9a7ea0c50558acfcd9d7f53dd539

SHA1
f52f010524d01f1b2e07bb34609b667fc939bf5d

SHA256
34d19103cf124597dd06ec62d4019d558bf0993c57b6b39194c1ec1d28474eff

SHA512
29507882e3b8e67a9968c4bfa0b3757b5661b050e572e842ece0374002e09fef6ed7982589d4895ea8fef2d0b56e0e710d6318e48cbd556f12b8a214b5ec83b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8B48.exe

Filesize
16KB

MD5
09fef2cbfe74828c3f40c095b7dcd714

SHA1
8b490aa2e52ce43dd14c72dad282d459c0fbc777

SHA256
fbffc68208bd1b721e13b195dfd851b6af5c5996779c9ac5deed4f30dc9db3a2

SHA512
6e234e857b4983b25a132e1d966d05bd33a48bc5d1933a96a382c3b85703c0da33bb220ffc02e4e471d4df470d5e02ee12c65b38263d868801facc55ef557ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8DE3.exe

Filesize
16KB

MD5
7ea0a7b68bbf1e0c2783f8ddf0f8d9d8

SHA1
763bdd9673ad9dd74353fd4307e57edd615f808c

SHA256
bee06cecc9ad5a9b44f5491372577bc5e08662b40b453338c629b0f4c77d3a20

SHA512
7d76630111ab374ec2a90f720578cd60f1378ea8fd5fe853f3c1123b675d08535b7ff48aed12cca9022aba2844cb758d037930444fa758eb85c04285773488cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME196.exe

Filesize
16KB

MD5
1b564b1baa74ba09fe5f9f4c45e1f4b9

SHA1
f300cb22e18715a6db62acbc562f44bd5f0659fb

SHA256
8fdc7bfd165798790923130324d59fc3f711f15725162d1440f552f427b09a6a

SHA512
40d0aeb1b2dc6cd046c6d1940d6c5f4e5afe08ea118b7faca6e8ac30850c8993cc96e6f50e8b4190e65ed1fef9c28f77e3f38184325af87670fffad1f3fe1a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME431.exe

Filesize
16KB

MD5
41ac2268b644013463bb0fa35db63ab8

SHA1
0dada1f03a8f40561b72ec7b7aa896c49ebd7798

SHA256
14c7a4923c59a436e1d77d25b58effcf0dfdf253a0a56a5391599476d0466174

SHA512
0fb269f7d34eec33a67b0d9f6e2898240cdaaffb7c33d1ee09ba42839259d8220a6edcc48b9c2a02af4bf14779af02d6e2de345742a1205275ea40c89dfc4e46

Download Submit

Analysis

Sharing