41944aaeccf7677ef208a7a301b2dcbc843ed161b13f99dda35866f60f32f915

General

Target

fdef180065710cfd1d2c61f9724930bc_JaffaCakes118.exe
Size

14KB
MD5

fdef180065710cfd1d2c61f9724930bc
SHA1

aed3519face08075ce3ff37f9857b1e967d3b0ed
SHA256

41944aaeccf7677ef208a7a301b2dcbc843ed161b13f99dda35866f60f32f915
SHA512

9361e2f204a614a07f07e4629ee95faf6e937551cd630c9304dcff5a4593f03e2f051c4bbd55344b209af6148db745e68a2ee21dde7dcc2a2b9f014f242bfc7c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRL:hDXWipuE+K3/SSHgxP

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM1E60.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM7460.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEMCA6F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEM209E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	fdef180065710cfd1d2c61f9724930bc_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	DEMC7D4.exe

Executes dropped EXE 6 IoCs

pid	Process
3596	DEMC7D4.exe
4484	DEM1E60.exe
4080	DEM7460.exe
2000	DEMCA6F.exe
3372	DEM209E.exe
8	DEM766E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 3596	3892	fdef180065710cfd1d2c61f9724930bc_JaffaCakes118.exe	100
PID 3892 wrote to memory of 3596	3892	fdef180065710cfd1d2c61f9724930bc_JaffaCakes118.exe	100
PID 3892 wrote to memory of 3596	3892	fdef180065710cfd1d2c61f9724930bc_JaffaCakes118.exe	100
PID 3596 wrote to memory of 4484	3596	DEMC7D4.exe	106
PID 3596 wrote to memory of 4484	3596	DEMC7D4.exe	106
PID 3596 wrote to memory of 4484	3596	DEMC7D4.exe	106
PID 4484 wrote to memory of 4080	4484	DEM1E60.exe	108
PID 4484 wrote to memory of 4080	4484	DEM1E60.exe	108
PID 4484 wrote to memory of 4080	4484	DEM1E60.exe	108
PID 4080 wrote to memory of 2000	4080	DEM7460.exe	113
PID 4080 wrote to memory of 2000	4080	DEM7460.exe	113
PID 4080 wrote to memory of 2000	4080	DEM7460.exe	113
PID 2000 wrote to memory of 3372	2000	DEMCA6F.exe	115
PID 2000 wrote to memory of 3372	2000	DEMCA6F.exe	115
PID 2000 wrote to memory of 3372	2000	DEMCA6F.exe	115
PID 3372 wrote to memory of 8	3372	DEM209E.exe	120
PID 3372 wrote to memory of 8	3372	DEM209E.exe	120
PID 3372 wrote to memory of 8	3372	DEM209E.exe	120

C:\Users\Admin\AppData\Local\Temp\fdef180065710cfd1d2c61f9724930bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdef180065710cfd1d2c61f9724930bc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Users\Admin\AppData\Local\Temp\DEMC7D4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC7D4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\DEM1E60.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1E60.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Users\Admin\AppData\Local\Temp\DEM7460.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7460.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Users\Admin\AppData\Local\Temp\DEMCA6F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCA6F.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2000
      - C:\Users\Admin\AppData\Local\Temp\DEM209E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM209E.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\DEM766E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM766E.exe"
        7⤵
        Executes dropped EXE
        
        PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1E60.exe

Filesize
14KB

MD5
eaf7829a784cffe977bc32a3addedcdd

SHA1
5724024447662ba5f14d805090cd618e168fefea

SHA256
99fe6ae3a82061616057f4de99fd85996ae6dda8be2ec197a8814a0affef33fb

SHA512
d30ac22db6accb6e06f867c17095a6d0a106941c1703e2956170d61df4406e06bcbe03afb4563c0c5c13789acff77e773844b1c0ffce12f4753047de25959c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM209E.exe

Filesize
14KB

MD5
e225c47bb34c2ecc75f1ee3a6787c720

SHA1
379d760bf672ad7ec315e8afd1903138467810be

SHA256
b2f17b99e7c240608352326fe5710c110fcb6ec6c4f9e89df913756f1c583a4d

SHA512
45feddbc76d8f2cd25a7c96f7403c5b30938b6463c91db6041738c2043dcfd8e23fb72b92a741ded3eff3e27ec1b67b9683dac78d2af805191faf5a483087da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7460.exe

Filesize
14KB

MD5
91fd3a64d3585a1b1c243088f2e4f13b

SHA1
18bb0d1603175d768d48063cd6ca22bec4b9d7e3

SHA256
651a8305b042f81e9f8ce39e2ad172c765920a3cc2a1dfadba0eee414c0c088d

SHA512
e96ec6913459ca86d9aa51b8734c3f9892db74bddcc7a0e347fed6bf256fca6049effc191189998fd48bbee30a18b73c335782e4858a4b93e190093eaa4c43c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM766E.exe

Filesize
14KB

MD5
c59d6e33cf89baaab6a49f1d04e27ef1

SHA1
86088173aa7a9f98fcff2befa493f843aab36fbf

SHA256
81fc67bde116f189227ad1cbee5b5258e932acf2847246521de94e8c39b75602

SHA512
810dcbea5b9f453ea3e5daf619b36384f182c5473ff9000c0fc19131a6cf6a46812efd59b95a9c39ae401d65e6e236bd4887322cd00f191fa089580d4678e8f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC7D4.exe

Filesize
14KB

MD5
4f96cdc03e402d481312922912794432

SHA1
d5eecba1422c648064376871851f120b9444f3ba

SHA256
a4a83d9e9a456814a7d3498b1c86399eadf3e3635eab0ad56fd2f8f48021edad

SHA512
fd05c27307b7c0c64c1b2546fb43f70153ce8f3c02756024972adb86d950ce58275aa19ff9781d83d659d3c5db2b2432bd9262cc2d45fecde9d31b21e7651fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCA6F.exe

Filesize
14KB

MD5
97e4e3bb3089f4934bd55bcaf112e68e

SHA1
5a64722fdda27893531bcbe65dd755b0e9ab02b9

SHA256
72f152ae95d9953b36c8efc29d09a3c17d8a9ad41c3f088197a217e2fa478d9f

SHA512
62a042ae9633db3d81332fc7384c6ee67e6918690489560ba7fa7c4d711fcd448754ff9490f7675f787d15350cc6176db01b84a01cda6fe2adfafebe343a290d

Download Submit

Analysis

Sharing