7b371b3333dc06bcde5a069defc09d9e72c4ef79e2b0fb84a6ce191db8c82a39

General

Target

f2e1ce9042daf81151b80ed1c6cea41a_JaffaCakes118.exe
Size

15KB
MD5

f2e1ce9042daf81151b80ed1c6cea41a
SHA1

8ef63699d1c13d4d5a07cf6ccf397ea6a950ba0f
SHA256

7b371b3333dc06bcde5a069defc09d9e72c4ef79e2b0fb84a6ce191db8c82a39
SHA512

a49ca6e795370073707893fc1171911b11db36222cb0734642216c2e235f153fa0ce69ea9f786b4bb424198afdd7d86ce1a333c1d7aafff1fe0f6838134db130
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0pjW2UWXG:hDXWipuE+K3/SSHgx49WdWXG

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	DEM5C39.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	DEMB4F8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	DEMD2A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	DEM653D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	DEMBD40.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	f2e1ce9042daf81151b80ed1c6cea41a_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3212	DEM5C39.exe
3576	DEMB4F8.exe
2060	DEMD2A.exe
1152	DEM653D.exe
60	DEMBD40.exe
5000	DEM1524.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 3212	3752	f2e1ce9042daf81151b80ed1c6cea41a_JaffaCakes118.exe	91
PID 3752 wrote to memory of 3212	3752	f2e1ce9042daf81151b80ed1c6cea41a_JaffaCakes118.exe	91
PID 3752 wrote to memory of 3212	3752	f2e1ce9042daf81151b80ed1c6cea41a_JaffaCakes118.exe	91
PID 3212 wrote to memory of 3576	3212	DEM5C39.exe	96
PID 3212 wrote to memory of 3576	3212	DEM5C39.exe	96
PID 3212 wrote to memory of 3576	3212	DEM5C39.exe	96
PID 3576 wrote to memory of 2060	3576	DEMB4F8.exe	98
PID 3576 wrote to memory of 2060	3576	DEMB4F8.exe	98
PID 3576 wrote to memory of 2060	3576	DEMB4F8.exe	98
PID 2060 wrote to memory of 1152	2060	DEMD2A.exe	100
PID 2060 wrote to memory of 1152	2060	DEMD2A.exe	100
PID 2060 wrote to memory of 1152	2060	DEMD2A.exe	100
PID 1152 wrote to memory of 60	1152	DEM653D.exe	102
PID 1152 wrote to memory of 60	1152	DEM653D.exe	102
PID 1152 wrote to memory of 60	1152	DEM653D.exe	102
PID 60 wrote to memory of 5000	60	DEMBD40.exe	104
PID 60 wrote to memory of 5000	60	DEMBD40.exe	104
PID 60 wrote to memory of 5000	60	DEMBD40.exe	104

C:\Users\Admin\AppData\Local\Temp\f2e1ce9042daf81151b80ed1c6cea41a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2e1ce9042daf81151b80ed1c6cea41a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Users\Admin\AppData\Local\Temp\DEM5C39.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5C39.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Users\Admin\AppData\Local\Temp\DEMB4F8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB4F8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Users\Admin\AppData\Local\Temp\DEMD2A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD2A.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Users\Admin\AppData\Local\Temp\DEM653D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM653D.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1152
      - C:\Users\Admin\AppData\Local\Temp\DEMBD40.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBD40.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\DEM1524.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1524.exe"
        7⤵
        Executes dropped EXE
        
        PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1524.exe

Filesize
15KB

MD5
5613e2d2050303225c4fdf2512a8a3ba

SHA1
ac66f829dedd974abaa89e38416817f418099af8

SHA256
5a243b1eb1d5602b7bed3613a60186fc27225c06e0334edefb49c4110dcfd3f2

SHA512
93fca89bf10c0eb67589aa4fe2b1e3c9542262a1d1efd640df5a0e9aaa6c04ba44c506fa21bbe0a2b6f4f84f3007eeb7a64ac2266a4cd81a9731be04e9041397

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5C39.exe

Filesize
15KB

MD5
68219df8f48fce398cd36fc3f3ee376a

SHA1
fe44b79673674bc5f61d5f076e8ceb5462d4ac00

SHA256
3bac2e56a4d3ac44b98c9ffe0c6c78665909f4707573ee8405d4bd7aa391f79e

SHA512
b393f218e30c3a6ce710570a536ff870a2af929bcc47cad4328b6dded6b684aa2885f7d03ba7be469f3c5db852d3c96bb3cc2a97ec50e2af75332f3900187b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM653D.exe

Filesize
15KB

MD5
a5d4715e818387381ae675db4a3d9ac8

SHA1
7663a9643f6f886affee0e9dc1d6596c42fb5c13

SHA256
4ddef3f0aac5e7acc1f23397ab76f04dc76b9dcef400fbb9c176d4d8955f3c1b

SHA512
7db5a3537c633c3c239abf48002aab6d707304a3f459eeae3036bb7b2e6b6aaac978f910960e247d0d1b13736d0c23ae20d2137dfcb8c9757b04b703d82f8f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB4F8.exe

Filesize
15KB

MD5
223fbb627a29dc9f4e329c06981f45ed

SHA1
4425ab24e12a8463ae20253b4acb08de9cbf3a9b

SHA256
1cf2382c0b83c03106b6b4b77ea1cec57c40d7661337ecbbaae0042e9900cf5e

SHA512
17dee45eeaf0357cc09c30f81277f704a6c6b4293a0c12c8b843348106487d0f544ad88f9da096893de91d3bf80b3bf63ce70a128725042d70a1283e6597f37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBD40.exe

Filesize
15KB

MD5
f00bfddbeed052229186f8aaa00302e4

SHA1
4dbaabd49ef235065bf075d7909fac1b205e0e55

SHA256
3e11b3bbe2eca86c4c878291b460e071748259f661e79898b53e2d9066fd7221

SHA512
5488526c0d0c285596b177aa68d2ea40c6443160cbfbaf354da09056b305365b2ebb429e214dfb957e1e85681a0b12f6070675b3629e9c0f3dc5c60ec0e93e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD2A.exe

Filesize
15KB

MD5
660a3d26b5246819520dad9972cec0f2

SHA1
e0505170ca97788cbc0eaa6d52d2c688b3e948ff

SHA256
aa55644bef133d630e8fc7057322a55c2d4152cf11ec2399cdb6090c6955088c

SHA512
433a413224200e341409217fff4b2ca02b5906e830309cdf56167b7c859195fe555c15e9f9991d97ddac804af297b2ff0df6ddc81cd5e071241a85fc4909a191

Download Submit

Analysis

Sharing