be393e789497efdf46b874a5f4fd239b3cb9782819a0d60a866966b396dcf4c2

General

Target

0ed40792dc8e2de61899d4283bde5287_JaffaCakes118.exe
Size

14KB
MD5

0ed40792dc8e2de61899d4283bde5287
SHA1

14441d782b1e9a310d608e2683249a9fbe1b0273
SHA256

be393e789497efdf46b874a5f4fd239b3cb9782819a0d60a866966b396dcf4c2
SHA512

bc5c8e44b57459f0902c892a8d52f21dc9b85a484e495dd12138aa59297513436de877d6b0645b39a309035827c38b3a14387fbf2b234d940f8cb9692d12e26c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRs:hDXWipuE+K3/SSHgxo

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	DEM3C4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	DEM5985.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	DEMAF85.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	0ed40792dc8e2de61899d4283bde5287_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	DEM55FF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	DEMAD18.exe

Executes dropped EXE 6 IoCs

pid	Process
1172	DEM55FF.exe
3592	DEMAD18.exe
4904	DEM3C4.exe
1852	DEM5985.exe
5076	DEMAF85.exe
4016	DEM620.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 1172	3468	0ed40792dc8e2de61899d4283bde5287_JaffaCakes118.exe	94
PID 3468 wrote to memory of 1172	3468	0ed40792dc8e2de61899d4283bde5287_JaffaCakes118.exe	94
PID 3468 wrote to memory of 1172	3468	0ed40792dc8e2de61899d4283bde5287_JaffaCakes118.exe	94
PID 1172 wrote to memory of 3592	1172	DEM55FF.exe	99
PID 1172 wrote to memory of 3592	1172	DEM55FF.exe	99
PID 1172 wrote to memory of 3592	1172	DEM55FF.exe	99
PID 3592 wrote to memory of 4904	3592	DEMAD18.exe	102
PID 3592 wrote to memory of 4904	3592	DEMAD18.exe	102
PID 3592 wrote to memory of 4904	3592	DEMAD18.exe	102
PID 4904 wrote to memory of 1852	4904	DEM3C4.exe	104
PID 4904 wrote to memory of 1852	4904	DEM3C4.exe	104
PID 4904 wrote to memory of 1852	4904	DEM3C4.exe	104
PID 1852 wrote to memory of 5076	1852	DEM5985.exe	113
PID 1852 wrote to memory of 5076	1852	DEM5985.exe	113
PID 1852 wrote to memory of 5076	1852	DEM5985.exe	113
PID 5076 wrote to memory of 4016	5076	DEMAF85.exe	115
PID 5076 wrote to memory of 4016	5076	DEMAF85.exe	115
PID 5076 wrote to memory of 4016	5076	DEMAF85.exe	115

C:\Users\Admin\AppData\Local\Temp\0ed40792dc8e2de61899d4283bde5287_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ed40792dc8e2de61899d4283bde5287_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Users\Admin\AppData\Local\Temp\DEM55FF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM55FF.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Users\Admin\AppData\Local\Temp\DEMAD18.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAD18.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\DEM3C4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3C4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Users\Admin\AppData\Local\Temp\DEM5985.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5985.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Users\Admin\AppData\Local\Temp\DEMAF85.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAF85.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\DEM620.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM620.exe"
        7⤵
        Executes dropped EXE
        
        PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3C4.exe

Filesize
14KB

MD5
218f7c0f4970c61f8527be2aa87a1c14

SHA1
8b30b8c0a9c66ee4132fb817fb97dbd873baa6c0

SHA256
fdd3a47ad529e49b116235f1a5a2abeb1e0b6222afeb8361a5aabd49301afffd

SHA512
d8ef7c79d175080888d5117c653853b519b587f27b884818ad98bea74e3bc9a2cb1739214953312f4dc619f4149e69ccc7e48751aa1b74d3b59f7f1a5cf9f54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM55FF.exe

Filesize
14KB

MD5
16f403cffcb50f50415eaf63894f330b

SHA1
1d2bcf6c0846ff5bb0123f898c1c108a5c304f06

SHA256
5d921f2c45162743c854c27e017d4289541f1e3db39f1b8feedb00589c32b5af

SHA512
c30f222a49805e7a86c970c2ab1b83e62eb3ab0f645ed823cf3b9d6c9c960e87f7da670b339fb89d6b1c2d527b448d80d27441afcee4b61a2e452d7d38a9c098

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5985.exe

Filesize
14KB

MD5
f4a0c8cbef7205877c4c8778bcf0df50

SHA1
2266d6958ccbf7536d6518cab17f6ccbcaf120bf

SHA256
6481dff74ead64ab55b2cb43c3b2cfa23d4ff0e3c5a99980fe92041887eaff1f

SHA512
82f90973f743a1644994cf5b16c1104f005a968664ffaf35014951e7809fec9d0f03162c2bf57447d92f5f4071237142f3d0aeae95ce271de7b758ea5ccb649c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM620.exe

Filesize
14KB

MD5
82c7144d41687a61f680d3c6af75a323

SHA1
0e557e00e8761693d3c1b1460b6e616ff501aefc

SHA256
52bc76b8eca6be9adb828c6526821ede05778ead28f59661c6ab3834c2308319

SHA512
6b2c28cb1c572c6f30a05db33250297eb46cb51f198c6f17068b277a7ec8bbc651cf2dab64f374f8dbc1e0b61e530d1f47a934d051062740f3f6fc641e686619

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAD18.exe

Filesize
14KB

MD5
173bed213b3e7d246b483119701a3389

SHA1
d4d3ebf225a8f065f4ac7303fba2922ccd5d1108

SHA256
abafb8d1828a2730afd3dc3c497b8adf8ded11a42f706f0746a011189fbd9461

SHA512
a40b95f56541a231b97d004485f098cb10b410f47e897a1346d5255ced25fa2928e0f2b1fe64b3f4f266ecb094a46a275c9af20cc57ac2b13107e0097f20fa70

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAF85.exe

Filesize
14KB

MD5
baf085735a29100a4fa3dfbcb53b7f88

SHA1
138008a49047b0f519aa00c4569fb0ea1c1eaafe

SHA256
2b6b020f2b830fdf0c3231c7fa4b70794205ea0e8e5b7d76a1aa74de36a16dbe

SHA512
752ded723baf659ec916907ba2f7f573e35366616f4e8ea594ed4c4b73537e3a93bc3cc9c90f21cccb34477973002cc1590a8813e5201c8d719d64938b8f9e33

Download Submit

Analysis

Sharing