5d7377fc6ddbf0f1d13bf431d7d5140173ea6af64ef67ec7dac2e3dab69d72a7

General

Target

f5cbd2db2f3cb4c4fb69f4b27d7b574f_JaffaCakes118.exe
Size

16KB
MD5

f5cbd2db2f3cb4c4fb69f4b27d7b574f
SHA1

6368de0a11fa988a7a40c9dc57e3f564bc95e0ce
SHA256

5d7377fc6ddbf0f1d13bf431d7d5140173ea6af64ef67ec7dac2e3dab69d72a7
SHA512

ef50f6b004a878436c5b8b39cc36ed662cb372f5798739e21309ba481fca26b94421fc02a4ca9862190db242e425d799d303a3042c717afa1c09873d69b2af45
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyOB:hDXWipuE+K3/SSHgxmyOB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	DEMBC56.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	f5cbd2db2f3cb4c4fb69f4b27d7b574f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	DEM61E6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	DEMBA47.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	DEM1076.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	DEM6675.exe

Executes dropped EXE 6 IoCs

pid	Process
5076	DEM61E6.exe
3860	DEMBA47.exe
3184	DEM1076.exe
220	DEM6675.exe
1812	DEMBC56.exe
2772	DEM143A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 5076	4412	f5cbd2db2f3cb4c4fb69f4b27d7b574f_JaffaCakes118.exe	91
PID 4412 wrote to memory of 5076	4412	f5cbd2db2f3cb4c4fb69f4b27d7b574f_JaffaCakes118.exe	91
PID 4412 wrote to memory of 5076	4412	f5cbd2db2f3cb4c4fb69f4b27d7b574f_JaffaCakes118.exe	91
PID 5076 wrote to memory of 3860	5076	DEM61E6.exe	96
PID 5076 wrote to memory of 3860	5076	DEM61E6.exe	96
PID 5076 wrote to memory of 3860	5076	DEM61E6.exe	96
PID 3860 wrote to memory of 3184	3860	DEMBA47.exe	98
PID 3860 wrote to memory of 3184	3860	DEMBA47.exe	98
PID 3860 wrote to memory of 3184	3860	DEMBA47.exe	98
PID 3184 wrote to memory of 220	3184	DEM1076.exe	100
PID 3184 wrote to memory of 220	3184	DEM1076.exe	100
PID 3184 wrote to memory of 220	3184	DEM1076.exe	100
PID 220 wrote to memory of 1812	220	DEM6675.exe	102
PID 220 wrote to memory of 1812	220	DEM6675.exe	102
PID 220 wrote to memory of 1812	220	DEM6675.exe	102
PID 1812 wrote to memory of 2772	1812	DEMBC56.exe	104
PID 1812 wrote to memory of 2772	1812	DEMBC56.exe	104
PID 1812 wrote to memory of 2772	1812	DEMBC56.exe	104

C:\Users\Admin\AppData\Local\Temp\f5cbd2db2f3cb4c4fb69f4b27d7b574f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5cbd2db2f3cb4c4fb69f4b27d7b574f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Users\Admin\AppData\Local\Temp\DEM61E6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM61E6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\DEMBA47.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBA47.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Users\Admin\AppData\Local\Temp\DEM1076.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1076.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3184
    - - C:\Users\Admin\AppData\Local\Temp\DEM6675.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6675.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:220
      - C:\Users\Admin\AppData\Local\Temp\DEMBC56.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBC56.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\DEM143A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM143A.exe"
        7⤵
        Executes dropped EXE
        
        PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1076.exe

Filesize
16KB

MD5
107298917b5ad745d68c14dbdfa50f1d

SHA1
6055952216e62463d7afd79cbde714455ebed256

SHA256
097764beeab458aa41ec56d6473c5b41756bb24409f9101c5168247b7fef7d88

SHA512
98d351d3555330d93266708fdd49ba8a10998defed124d28792f7205232538f14bc00bcea06331ec22d5d5841a0c1e05b95c0f86601349177244ff44ad4cdbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM143A.exe

Filesize
16KB

MD5
b5c842f330b8d6cd62215dea34302694

SHA1
ccc45a3d133789ebb4bc713d3bcd194a964c3c52

SHA256
53809065e5850e78d54b8099081acd1cabfc271c9fd2599fb1c75931730c65f9

SHA512
38e8c4c4a872632d7097607a17519407c750f8946ba6bcaed0285f410471e96282214b9e913cd87db02e9104db4189d22a4941033f0f854dae46bc343db5dafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM61E6.exe

Filesize
16KB

MD5
da88d78d8332e48a22f0ba618cbfc777

SHA1
8ec131fd4c4c90efd316988af6ace2164fd99ec3

SHA256
8552b3563ca7fdf0f81d96fae299d33567d6595239a637d47946e71f96118557

SHA512
3e17e94be70423597384f26651799eff61d1e6ae16fd684c21ff362029d210f2ca83b626069b0ee267f7630c0e15bf5c4b6e7626cdf3b76838e873ac78aa5c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6675.exe

Filesize
16KB

MD5
60db6e8a568dd1938d2f729d4574789a

SHA1
425aed1fe97dd798d3c0fd55f68cfcbe0ea6e877

SHA256
4d087fc8c56f838689208da147f936eabb85df4a3b87d47a7dcbbe8b08b83f43

SHA512
6a73d734f9fdd9f55a0c724f3ffd818f6b4358cb046705190c7581929f876d2685db3e5ba1a4b77c61d3bca29a6c951133f095b66925da09bb2e15a5db0c0d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBA47.exe

Filesize
16KB

MD5
c397ab3d1d7b8b730069876736e39268

SHA1
1329dfc92f20fa9eae5fd144f027e2bc7b42ef6b

SHA256
55b7e21c577fe7f1a0fff3495161436b61fbde990b7c9ccd440acd99e82858ae

SHA512
72e85332229c6c5491338c8e85d6f703277c4bd03fe903dd24a90a7657538f3c9cedf9596cce7c8e82b64a4b85541d240a71c6ba5f02e180397135609c81c0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBC56.exe

Filesize
16KB

MD5
58949dee12eafd3c7b2a116e0222e9bc

SHA1
b23262afd07c0f6e22324806e48f829c9b47b72a

SHA256
f5e4659efc0d6781117a64d5628be245d0e58fc77601af4539326ed6829630c0

SHA512
c353ac5053cb452e8661486dcb66ba25228467e88e1be625b5b7859dcf5c82846f74e55f406e991698b0db4e2a6b4de17794666854848445a448eaf93d275ae8

Download Submit

Analysis

Sharing