ab653fbc0331f42a46943415fbfd20ba5cd618ce08601e24c437e1cf7a17374e

General

Target

0a95f401af9f4eaf823cbf0900270245_JaffaCakes118.exe
Size

14KB
MD5

0a95f401af9f4eaf823cbf0900270245
SHA1

73b9cb3ef7459dc6a8fdd1eacb7225f2c336bfc2
SHA256

ab653fbc0331f42a46943415fbfd20ba5cd618ce08601e24c437e1cf7a17374e
SHA512

2fd1edf1b669b9d471446758d77649abe2fda05923e4af5a7f3d55d770875dcbdd3829a7397d71ac3c0dcc67a7f473991e45c9e5f579df44eef20081c0790a36
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhT6:hDXWipuE+K3/SSHgxN6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	DEM4CE7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	DEMA335.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	DEMF983.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	DEM4FE0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	DEMA63E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	0a95f401af9f4eaf823cbf0900270245_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3664	DEM4CE7.exe
1900	DEMA335.exe
3864	DEMF983.exe
3856	DEM4FE0.exe
4100	DEMA63E.exe
2992	DEMFCE9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 3664	3644	0a95f401af9f4eaf823cbf0900270245_JaffaCakes118.exe	89
PID 3644 wrote to memory of 3664	3644	0a95f401af9f4eaf823cbf0900270245_JaffaCakes118.exe	89
PID 3644 wrote to memory of 3664	3644	0a95f401af9f4eaf823cbf0900270245_JaffaCakes118.exe	89
PID 3664 wrote to memory of 1900	3664	DEM4CE7.exe	93
PID 3664 wrote to memory of 1900	3664	DEM4CE7.exe	93
PID 3664 wrote to memory of 1900	3664	DEM4CE7.exe	93
PID 1900 wrote to memory of 3864	1900	DEMA335.exe	95
PID 1900 wrote to memory of 3864	1900	DEMA335.exe	95
PID 1900 wrote to memory of 3864	1900	DEMA335.exe	95
PID 3864 wrote to memory of 3856	3864	DEMF983.exe	97
PID 3864 wrote to memory of 3856	3864	DEMF983.exe	97
PID 3864 wrote to memory of 3856	3864	DEMF983.exe	97
PID 3856 wrote to memory of 4100	3856	DEM4FE0.exe	99
PID 3856 wrote to memory of 4100	3856	DEM4FE0.exe	99
PID 3856 wrote to memory of 4100	3856	DEM4FE0.exe	99
PID 4100 wrote to memory of 2992	4100	DEMA63E.exe	101
PID 4100 wrote to memory of 2992	4100	DEMA63E.exe	101
PID 4100 wrote to memory of 2992	4100	DEMA63E.exe	101

C:\Users\Admin\AppData\Local\Temp\0a95f401af9f4eaf823cbf0900270245_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a95f401af9f4eaf823cbf0900270245_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Users\Admin\AppData\Local\Temp\DEM4CE7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4CE7.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Users\Admin\AppData\Local\Temp\DEMA335.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA335.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\DEMF983.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF983.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Users\Admin\AppData\Local\Temp\DEM4FE0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4FE0.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3856
      - C:\Users\Admin\AppData\Local\Temp\DEMA63E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA63E.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\DEMFCE9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFCE9.exe"
        7⤵
        Executes dropped EXE
        
        PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4CE7.exe

Filesize
14KB

MD5
c0fd6fcc45c3bafcf3f69422b2d1baec

SHA1
7be3700b5b31cd50680ba3c2774b14ae343fbd39

SHA256
07bbf85af7f47c5d72ffcc3f090374fcb490199a84eeac6508e42cee037dd18a

SHA512
27cc559cf28dc49f168c77374af04f6cc7490fc6cf8837889b47281483080da9365e3a67ab7430ce90292d663a37196462cb4792c6921e0fb158e183e0a5394b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4FE0.exe

Filesize
14KB

MD5
5694dc58326bd9f78b698ffba66352ef

SHA1
304ca49686cae3b510f980140a03db278a320331

SHA256
a828fe37f42a77da2f02152a095ede41deba207da6bf92821aacafb3394e0c21

SHA512
24e880bfcef4314a3e9752943e60027c1b3d91fd214b53f0ce5ba7841e14fd26f586a756d3ac84e7d2a791acb8b10a431d34e29bfb474ed8edab75fbfd442932

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA335.exe

Filesize
14KB

MD5
6f5b55fff7282a1d56649f2f756f845a

SHA1
7c2ee8ce3f42ee050075728612e14df6f11643ee

SHA256
f54e21000eff561f822e7f9c766bd97a6db4630a1c70f333e23c984c9914296c

SHA512
fbe4078db84bef5d6cc93b44c8459a9cb70241442d7e400c65bfba800da03c71344a895792ea48f188518d1ddb18aacf91f8421077e439f7754320055f0e9db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA63E.exe

Filesize
14KB

MD5
7a452629c575a55ac9aad284d2cf13ca

SHA1
bce81152b5e5f3582bb94f21b5d0651cec023378

SHA256
f4a25a430480f29b87b505d87d4e395f998a4d90876cd6c4e7075e69e9d0a4ce

SHA512
7007a0bd95b5ab0bf91d2b4741c3587af9a75829492ab652099a9858a2c1f3cb78628eeffdfc1152654ad5783816154a737945387b405add78dad0d16bf4709d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF983.exe

Filesize
14KB

MD5
b3021c6e3be9b167d7ac3ba8de3ec346

SHA1
728f23c68e3dd0c3f462d1cf470e46aa6ff5e009

SHA256
73c20ee6c2c21017f6466442d896ac185aefdefaa55fb41ce42abe70fc1af34b

SHA512
428dd565368ff5d56f1e6a9221c9b31c0076a12717265edad55387857388ccfd83f5df276c9e251c93dd95d0b43f6ef818d91c5c3092175409061df4aad43558

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFCE9.exe

Filesize
14KB

MD5
30638b35c46d558982dace0d449bfb56

SHA1
0a0957a66caca37ad2a70dfac7a495001c422168

SHA256
591cb9d28ee0e8f6ec4703c1ba07c4f77b75ec45ec9575df80b75489fe0619e7

SHA512
a6f3b0f51927557ebdf3b62c41c2eed061781a465082cec21ea92c572a596ae0f808e122f26753a7e758234e917c5afa0e872ba2c6049cbba458574d2ddfe5c7

Download Submit

Analysis

Sharing