675df4e95365007f3f3da8fd28b1e6687cfd513217718b01b8f0ea7562637a21

General

Target

089db6727582e6e158b513367b561a46_JaffaCakes118.exe
Size

14KB
MD5

089db6727582e6e158b513367b561a46
SHA1

d5b7e927cc79273771472132597b432a096797bd
SHA256

675df4e95365007f3f3da8fd28b1e6687cfd513217718b01b8f0ea7562637a21
SHA512

e914061db4383ca435323fbce02b923ba23b0f23cf1593c020331097fa73bd8d1a948971cdb29595a14be85f97848257902e721cc9a153d9b8c516d44d417298
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXd2:hDXWipuE+K3/SSHgx3N2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	089db6727582e6e158b513367b561a46_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEM49F9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEMA076.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEMF6A4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEM4CF2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DEMA37E.exe

Executes dropped EXE 6 IoCs

pid	Process
384	DEM49F9.exe
4740	DEMA076.exe
3288	DEMF6A4.exe
2140	DEM4CF2.exe
4380	DEMA37E.exe
1752	DEMF9DC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 384	3536	089db6727582e6e158b513367b561a46_JaffaCakes118.exe	83
PID 3536 wrote to memory of 384	3536	089db6727582e6e158b513367b561a46_JaffaCakes118.exe	83
PID 3536 wrote to memory of 384	3536	089db6727582e6e158b513367b561a46_JaffaCakes118.exe	83
PID 384 wrote to memory of 4740	384	DEM49F9.exe	87
PID 384 wrote to memory of 4740	384	DEM49F9.exe	87
PID 384 wrote to memory of 4740	384	DEM49F9.exe	87
PID 4740 wrote to memory of 3288	4740	DEMA076.exe	94
PID 4740 wrote to memory of 3288	4740	DEMA076.exe	94
PID 4740 wrote to memory of 3288	4740	DEMA076.exe	94
PID 3288 wrote to memory of 2140	3288	DEMF6A4.exe	96
PID 3288 wrote to memory of 2140	3288	DEMF6A4.exe	96
PID 3288 wrote to memory of 2140	3288	DEMF6A4.exe	96
PID 2140 wrote to memory of 4380	2140	DEM4CF2.exe	98
PID 2140 wrote to memory of 4380	2140	DEM4CF2.exe	98
PID 2140 wrote to memory of 4380	2140	DEM4CF2.exe	98
PID 4380 wrote to memory of 1752	4380	DEMA37E.exe	100
PID 4380 wrote to memory of 1752	4380	DEMA37E.exe	100
PID 4380 wrote to memory of 1752	4380	DEMA37E.exe	100

C:\Users\Admin\AppData\Local\Temp\089db6727582e6e158b513367b561a46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\089db6727582e6e158b513367b561a46_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Users\Admin\AppData\Local\Temp\DEM49F9.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM49F9.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Users\Admin\AppData\Local\Temp\DEMA076.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA076.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\DEMF6A4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF6A4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3288
    - - C:\Users\Admin\AppData\Local\Temp\DEM4CF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4CF2.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2140
      - C:\Users\Admin\AppData\Local\Temp\DEMA37E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA37E.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\DEMF9DC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF9DC.exe"
        7⤵
        Executes dropped EXE
        
        PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM49F9.exe

Filesize
14KB

MD5
5ee465a809a3442c85a3e41e74cc97ad

SHA1
1571fb1d44eb7cc2cddb1e75968dc521dc601741

SHA256
5c5be811f832985b0dbe4f407421548ea1fe73fe87d7658e13a42cd446cd32f0

SHA512
a5f3a58896cd8778a4950bbe828b881e56ff1a7745ecea4c083658f5abeff36d70c9e96d5b5b00e428f1c3e47a39257a21e06a838801659ca10fce5928865b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4CF2.exe

Filesize
14KB

MD5
71cb0156d8b13bb648a18a070d998a23

SHA1
71f3e2ca0031f6da0bb25e92c3466d070f8c74af

SHA256
0d27f5d8a1c4d89fac014fbdacbfd12daada9cd1af413c9ec7d04d0a5d07ac8f

SHA512
59f38473f3cd34883c122eb45ea453a9d299867388a18e324f4718da3c4d2da831ea3f98bb2712a8f3615ef63442a0483b90d072e79317ee3bc6e796a7307c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA076.exe

Filesize
14KB

MD5
eff567fb2517cf2a63fbecfde66b52ac

SHA1
e5939e8b0c8473c24c2bb7a0df04ae1cf9c29f6c

SHA256
6c1501b28f8bc12febed3a6026b783d143d3edf5e5c6c72669efd4b7c4985749

SHA512
4aacce345a5d9f198a02030e7cfce09157e197333c2607aeece434cfafa3072b0691d02d0f0cac1e96a1204f547223908a8da8bc73ffdc347fc1987de42faed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA37E.exe

Filesize
14KB

MD5
4e74c0e407cd30d50a8ffa72ebd7e53a

SHA1
cc2028c058234aa291d1979a88364061d8129799

SHA256
aab3e9dd952eceafa38036a970364dae197dc5b94d04b8a9f767db88d9f32e99

SHA512
7c784f1a901f4f7c43522b0c28590ddc1cff7275e9781c5ae6a8ac505cde783b6528e968e2779647e1927bae6ad66727b2bcc3782eb7f01bb774af8e321f75bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF6A4.exe

Filesize
14KB

MD5
2566c628ca0615cd8dfbb51a3ff7ddec

SHA1
4d3f7b00e4ac01cab8f9de714adfc2284dd1aa0a

SHA256
514ca71b1097310d120c597ced9577657059459d4b8c25a3bd680023b2b933dd

SHA512
7c3c2051383f354640de20aeb9c2dc86b012124536c7fbf222bfda899a378a2dc710daca169d60b64cf41e8e1757e6c8de7c545958d9807736ea9916920eb0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF9DC.exe

Filesize
14KB

MD5
ad573846b9d3fc044af79179b1a1a5e2

SHA1
0e3c0402f2892ccb4a99f8ff69b1f47bccac793f

SHA256
853a68d52894219e36d8e7033e9d54a70e87a75d80a32cae02d0b72dd0384f58

SHA512
790b7b20ddd4599a1364379148efc6268e6bc28aaa1bc07608a2ec549b738dd477e6f60c697232de77bccef2f97e5c5afd86e0ae3991b0e7a94f105e6a290720

Download Submit

Analysis

Sharing