46a1e923e3f4033bff23e1890fd4f62421cb6fd3f1b6458c1b34a73504be051e

General

Target

0c483e8dd777bd13dd7c6e22c14121fd_JaffaCakes118.exe
Size

14KB
MD5

0c483e8dd777bd13dd7c6e22c14121fd
SHA1

49cd9981dab51336135247a5175f5dd1ddfe252d
SHA256

46a1e923e3f4033bff23e1890fd4f62421cb6fd3f1b6458c1b34a73504be051e
SHA512

b06ad50355d1c51b0a31cff1fce53b9c7312f6ac5928109311ae0b07910fdcac378ba00c90a9dc0f764945fe98d2d9bb2543f572ac2d7c6882390519681674f0
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJrJ:hDXWipuE+K3/SSHgxnJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	DEMFABB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	DEM5148.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	DEMA803.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	0c483e8dd777bd13dd7c6e22c14121fd_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	DEM4CF7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	DEMA3C2.exe

Executes dropped EXE 6 IoCs

pid	Process
3596	DEM4CF7.exe
4904	DEMA3C2.exe
4236	DEMFABB.exe
2132	DEM5148.exe
3884	DEMA803.exe
4364	DEMFE7F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 3596	4704	0c483e8dd777bd13dd7c6e22c14121fd_JaffaCakes118.exe	95
PID 4704 wrote to memory of 3596	4704	0c483e8dd777bd13dd7c6e22c14121fd_JaffaCakes118.exe	95
PID 4704 wrote to memory of 3596	4704	0c483e8dd777bd13dd7c6e22c14121fd_JaffaCakes118.exe	95
PID 3596 wrote to memory of 4904	3596	DEM4CF7.exe	100
PID 3596 wrote to memory of 4904	3596	DEM4CF7.exe	100
PID 3596 wrote to memory of 4904	3596	DEM4CF7.exe	100
PID 4904 wrote to memory of 4236	4904	DEMA3C2.exe	103
PID 4904 wrote to memory of 4236	4904	DEMA3C2.exe	103
PID 4904 wrote to memory of 4236	4904	DEMA3C2.exe	103
PID 4236 wrote to memory of 2132	4236	DEMFABB.exe	105
PID 4236 wrote to memory of 2132	4236	DEMFABB.exe	105
PID 4236 wrote to memory of 2132	4236	DEMFABB.exe	105
PID 2132 wrote to memory of 3884	2132	DEM5148.exe	113
PID 2132 wrote to memory of 3884	2132	DEM5148.exe	113
PID 2132 wrote to memory of 3884	2132	DEM5148.exe	113
PID 3884 wrote to memory of 4364	3884	DEMA803.exe	115
PID 3884 wrote to memory of 4364	3884	DEMA803.exe	115
PID 3884 wrote to memory of 4364	3884	DEMA803.exe	115

C:\Users\Admin\AppData\Local\Temp\0c483e8dd777bd13dd7c6e22c14121fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c483e8dd777bd13dd7c6e22c14121fd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Users\Admin\AppData\Local\Temp\DEM4CF7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4CF7.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\DEMA3C2.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA3C2.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\DEMFABB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFABB.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4236
    - - C:\Users\Admin\AppData\Local\Temp\DEM5148.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5148.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2132
      - C:\Users\Admin\AppData\Local\Temp\DEMA803.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA803.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\DEMFE7F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFE7F.exe"
        7⤵
        Executes dropped EXE
        
        PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4CF7.exe

Filesize
14KB

MD5
b5465e5d7b2fa0679ffaae57c609196c

SHA1
ffc6351c739b836c2ff3735bf34e81a17e1c247a

SHA256
ecbda66cf00052aed0f2decbdaa47396d4ef7d6e576948fa822f69d30df59f0a

SHA512
6204107689ea572a0a44e60eafdc9931fc9059693f1f21b52c1cb4a1d064294fd0e5613472d58cf99b9586a17eb78ce68d1ff727410935d057809919bf2f7482

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5148.exe

Filesize
14KB

MD5
027a05eb8c719fbe52b30baa072bbb2e

SHA1
ec50861e02d072baf021a677eb2058f50549c9ae

SHA256
d0fdc4eeee755564e52f7de7894beb7f508b4f621cc02886bfc8765953619c9b

SHA512
c5653cebc69b9c30bd50afb481ff685acc2a6704e5776fd584938c0140948f905dc2bd1720311b145a24f516d0e0d33d0c87eb763bc18b7fa25cab813d1a576b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA3C2.exe

Filesize
14KB

MD5
b487992b52156e7af7163c7e87d280ab

SHA1
0ec80e7cc89c6903aaa049ec8a212f7f2f375448

SHA256
2e2f4029c7b2a1a1e0d76a4748da370a455602fb1183607a350714d8d5657545

SHA512
63d0a856c9482ae88b85ad994b549f4d659e7d9e7afda374c1c41e3745607b86b9645b400a0b93db90b256af0792107a37ec089f7e2c9104ef90933caa73c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA803.exe

Filesize
14KB

MD5
ba8d855d3c0488bd307d9229a1fb063c

SHA1
69d1b24a98012a58881caaef5bdd3ddae2c7f82a

SHA256
f4cf81953daa7759026b41609f8a0ad5eee4c2248e2dc3000531ea252fa5f5bc

SHA512
b66112f4fa97deba07a67a7bc2cdf935aa85fc8f731afe5a011e02b38e7160bd601bcb2c14e11663fe74be19a4909dd9f9130bcf4904986b434d9891b9558f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFABB.exe

Filesize
14KB

MD5
c4515a8b2e875e5d6a70b700a9eac4e4

SHA1
f43fd7c6386654b0483d3ad171af1473b9427434

SHA256
48b4a4cc33157649adfd5c4758f1406aeb44aff7f3ebed70f7680b7db540ee19

SHA512
ec6e0713e5b1d61b4b92930719d81513759e054c5a25f55f27e0a6386d0b7c3f61ccf29d40c9c78df1914cd56b65b98e981e31bbd81ac98db180e585699c7f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFE7F.exe

Filesize
14KB

MD5
2da74c55c1edc546b2b99cf642b40571

SHA1
abe351352aab63431e6f635ee3b74c68962bdc8b

SHA256
1373afe99dc841c7606bdf41ee1a5ad9eef3772613d997a681bcc9e361171481

SHA512
84ea3168f3bbbbac246a799b52a3fcc9464fcf75e73bf81819eb2c1fa3da92cd483482540c73f19ccd8bc1a7eb230f367dc4d9f0004949530dfc7e2bc15dbbe3

Download Submit

Analysis

Sharing