eb27d1687bb5a5ff2f6a33fee9afbd1cca5864152c36baaec046e8b1870ab006

General

Target

18e89d4d859a4b25523ded273b70dfd8_JaffaCakes118.exe
Size

15KB
MD5

18e89d4d859a4b25523ded273b70dfd8
SHA1

6ece8775a2efe99c7cbf6801de747d198b983cc5
SHA256

eb27d1687bb5a5ff2f6a33fee9afbd1cca5864152c36baaec046e8b1870ab006
SHA512

bd2b95f150ec8b38a53f5c9c9c023ca5512788d452ddd61691cb91346887b218f1d7ecedfe4021cedde5ce976ec75ba51cda591ed097aaf0f518d3112c62d0cf
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxw:hDXWipuE+K3/SSHgxmHi

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	DEM969E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	18e89d4d859a4b25523ded273b70dfd8_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	DEM3D47.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	DEM9385.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	DEME9F2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	DEM405F.exe

Executes dropped EXE 6 IoCs

pid	Process
5056	DEM3D47.exe
4676	DEM9385.exe
936	DEME9F2.exe
1152	DEM405F.exe
3812	DEM969E.exe
4716	DEMECFB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 5056	4456	18e89d4d859a4b25523ded273b70dfd8_JaffaCakes118.exe	89
PID 4456 wrote to memory of 5056	4456	18e89d4d859a4b25523ded273b70dfd8_JaffaCakes118.exe	89
PID 4456 wrote to memory of 5056	4456	18e89d4d859a4b25523ded273b70dfd8_JaffaCakes118.exe	89
PID 5056 wrote to memory of 4676	5056	DEM3D47.exe	93
PID 5056 wrote to memory of 4676	5056	DEM3D47.exe	93
PID 5056 wrote to memory of 4676	5056	DEM3D47.exe	93
PID 4676 wrote to memory of 936	4676	DEM9385.exe	95
PID 4676 wrote to memory of 936	4676	DEM9385.exe	95
PID 4676 wrote to memory of 936	4676	DEM9385.exe	95
PID 936 wrote to memory of 1152	936	DEME9F2.exe	97
PID 936 wrote to memory of 1152	936	DEME9F2.exe	97
PID 936 wrote to memory of 1152	936	DEME9F2.exe	97
PID 1152 wrote to memory of 3812	1152	DEM405F.exe	99
PID 1152 wrote to memory of 3812	1152	DEM405F.exe	99
PID 1152 wrote to memory of 3812	1152	DEM405F.exe	99
PID 3812 wrote to memory of 4716	3812	DEM969E.exe	101
PID 3812 wrote to memory of 4716	3812	DEM969E.exe	101
PID 3812 wrote to memory of 4716	3812	DEM969E.exe	101

C:\Users\Admin\AppData\Local\Temp\18e89d4d859a4b25523ded273b70dfd8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18e89d4d859a4b25523ded273b70dfd8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Local\Temp\DEM3D47.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3D47.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\DEM9385.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9385.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Users\Admin\AppData\Local\Temp\DEME9F2.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME9F2.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:936
    - - C:\Users\Admin\AppData\Local\Temp\DEM405F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM405F.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1152
      - C:\Users\Admin\AppData\Local\Temp\DEM969E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM969E.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\DEMECFB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMECFB.exe"
        7⤵
        Executes dropped EXE
        
        PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3D47.exe

Filesize
15KB

MD5
47cd6c652a3fff986255d6046a9f0289

SHA1
9e3d09ae19a1da578ced89b168aa084bd69738d9

SHA256
8eaf55fe9d7ac98b0e18d5628aa06ec06df4b419450b40d9000dd67a150ac8af

SHA512
79945688893d8bb38774b894649797c28464fef8367940558683244bc8b2eb8161ecb887b5d2d91469dad5122d1890a5205e5355a384fc21c35dd61621666694

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM405F.exe

Filesize
15KB

MD5
5217e034cad2daaa6ba5996498300b35

SHA1
2443d7cadd351d83f8864369bbd3e74e65215efd

SHA256
2c2fb4dbc1e655ac184ec9f7cc9a11eeb75d07103f6ed4acea07c2adf2469d99

SHA512
b2bb15d18311a10eebe45840b28b75f5f864a632704d41b5e8f721ca1324440f87ceedaf04a1086f97ca2634a00651678efb66460032e9d421ca961b4d8dbc49

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9385.exe

Filesize
15KB

MD5
d4ff59cb242af434d20752d6298b1cb8

SHA1
c7e1ac95d784258248acd826b5d3a9dfa930af81

SHA256
eb68969afac79f07744aa0fd70b98e64f8bacacfcf23150c40e8667d4cdf7c77

SHA512
c4f49b108e8f58737aa8649b1a5a8017d804657e5d6327637cdff50cd90342e9348d59829ce80124aa6096d8c7f3e1b22eb7508abdd291f320143786214881da

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM969E.exe

Filesize
15KB

MD5
9b1b88fe4d2c223ae6b133c7adeefbd0

SHA1
dccc4d83ced772543b58a996c78af0ef37305080

SHA256
16705aee9efdf8c958ad7d590bf3e36b7bdc7f102036b2daf1d342043d1a1976

SHA512
8365d200b39d9ddaf7b05d4637b71f241fcb28010402e6028c97d779b72efdc1fd6661485fa044354e65719867be16e2b1259a2bd790f513c1cb66c7aba47095

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME9F2.exe

Filesize
15KB

MD5
49706f93eef0f06d5044c25f74027455

SHA1
5f5b74516bfff83722fd6c74ca3be3694f38f750

SHA256
3c795aff701d6fcea90f22713b2e383059866defef6089d354f95f2b78547ed1

SHA512
ca5e35139223d4c159a6defe98ff2703f97e185b749966df85d9f257cb4667078ea0fcf14f7a85aa6da499f50a573843c4a50c3c4bc7d5c5f51721e4d78a941c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMECFB.exe

Filesize
15KB

MD5
d06ad177caec4512f005d6b7e0d93ede

SHA1
41d4fdc4c8c91ea05e2e1a47b5b3cdbb3b83928c

SHA256
fbddcb962a82a8a58a415c343ec02cbd4d92d944c57daf56854a948d646975c2

SHA512
2dca5c7d1403a43652665e6bf532412326ed00ca283dbf70af670ab206bd0bed70342ab959fd5fbe237863178180b01184c39e9b29eda7825a9f48694dca0e46

Download Submit

Analysis

Sharing