3a9ecb0c9d93f4d75fce2cb12b555f6e918378b90c22c48eb5193b51b26559d0

General

Target

1b91dc2a3e08cc86bc51f955549dd18e_JaffaCakes118.exe
Size

15KB
MD5

1b91dc2a3e08cc86bc51f955549dd18e
SHA1

bd713e146b858ea3d2a0130b75325f73232bcf43
SHA256

3a9ecb0c9d93f4d75fce2cb12b555f6e918378b90c22c48eb5193b51b26559d0
SHA512

3ec36c7c8a93ccf864f6b7262f4c65ddc4cb7192b0e91123b9228390159e1eb9939d0ee2ef6ed01f2c88d519b67f95dc108ca370b4654070fad0a2e64db816d7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxX:hDXWipuE+K3/SSHgxmHB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	1b91dc2a3e08cc86bc51f955549dd18e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	DEM5294.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	DEMA894.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	DEMFEB3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	DEM5510.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	DEMAB20.exe

Executes dropped EXE 6 IoCs

pid	Process
1720	DEM5294.exe
1892	DEMA894.exe
884	DEMFEB3.exe
5004	DEM5510.exe
1480	DEMAB20.exe
4316	DEM13E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 1720	4812	1b91dc2a3e08cc86bc51f955549dd18e_JaffaCakes118.exe	94
PID 4812 wrote to memory of 1720	4812	1b91dc2a3e08cc86bc51f955549dd18e_JaffaCakes118.exe	94
PID 4812 wrote to memory of 1720	4812	1b91dc2a3e08cc86bc51f955549dd18e_JaffaCakes118.exe	94
PID 1720 wrote to memory of 1892	1720	DEM5294.exe	98
PID 1720 wrote to memory of 1892	1720	DEM5294.exe	98
PID 1720 wrote to memory of 1892	1720	DEM5294.exe	98
PID 1892 wrote to memory of 884	1892	DEMA894.exe	101
PID 1892 wrote to memory of 884	1892	DEMA894.exe	101
PID 1892 wrote to memory of 884	1892	DEMA894.exe	101
PID 884 wrote to memory of 5004	884	DEMFEB3.exe	104
PID 884 wrote to memory of 5004	884	DEMFEB3.exe	104
PID 884 wrote to memory of 5004	884	DEMFEB3.exe	104
PID 5004 wrote to memory of 1480	5004	DEM5510.exe	113
PID 5004 wrote to memory of 1480	5004	DEM5510.exe	113
PID 5004 wrote to memory of 1480	5004	DEM5510.exe	113
PID 1480 wrote to memory of 4316	1480	DEMAB20.exe	115
PID 1480 wrote to memory of 4316	1480	DEMAB20.exe	115
PID 1480 wrote to memory of 4316	1480	DEMAB20.exe	115

C:\Users\Admin\AppData\Local\Temp\1b91dc2a3e08cc86bc51f955549dd18e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b91dc2a3e08cc86bc51f955549dd18e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Local\Temp\DEM5294.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5294.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\DEMA894.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA894.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Users\Admin\AppData\Local\Temp\DEMFEB3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFEB3.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\Users\Admin\AppData\Local\Temp\DEM5510.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5510.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5004
      - C:\Users\Admin\AppData\Local\Temp\DEMAB20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAB20.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\DEM13E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM13E.exe"
        7⤵
        Executes dropped EXE
        
        PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM13E.exe

Filesize
15KB

MD5
c40afae7988f03658dcdea72f22dc3c0

SHA1
b1f24a070a90a4296120825a67716b33fa792686

SHA256
26c60e3ce17276cb647677b59a81021e3669e7fa50b70918ac2ebd2afdae63eb

SHA512
f2d5f28d914b44701f8b1bd242bae4135adba160a84a0f6832012b94719b60f67b89f90e97029952a76e85391f220673e9cfb19b10ad43c512317fd954aa682b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5294.exe

Filesize
15KB

MD5
7f58d7ffbf1a2fee38ef1e509a2b25c2

SHA1
3b598fdc3c48407787490bd839d2a90719f028e8

SHA256
8cfbcb350f8c4a2ec2c649f3896c7348f4ec2f4158807feb9a383ad779dae261

SHA512
9e85eb1a6c45a32be395221bac4dc9fd71ca680a369290df4f084783b4ef9a854a855cdaa1649138acacee920bf36add4eab1c6bd18feb4d19edb5db335e8d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5510.exe

Filesize
15KB

MD5
d4d0f967b40ec0dcedee360ed0fed3de

SHA1
5f0fd3f26e5a5bd38ecf9a942b9a3ab1ec5d1420

SHA256
80c20dcf8d3ce0f3b3f5dcbfb5a0df4e0cc1d326c76c2dc042e0627b55b0d3aa

SHA512
e45cf97f7bc8c55da68316b3fb917041a621204e72797e54a6ecc2f9c6128b2ca555a64271c858c752dc03d140431712b8408300ef4c24de00781e619363875c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA894.exe

Filesize
15KB

MD5
d5ebdb37747bbdf6aaf8779526bd0f14

SHA1
544f61cbf3840aab74a59ec782b45eb7b6ca0428

SHA256
bca1d4fd2f8f26edea2b591a5a7ac258116bb8d713a97a7d29db9b870014b3be

SHA512
57b07da2ce8ebb95a758cbc7d76e7620acbabb5eb6f4e9011d3e38ffc02bd3ec75a6edf1af5654a90658de80f6e17dfb64a7a7a10823dd493daa92626192726a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAB20.exe

Filesize
15KB

MD5
29da8d53fc0ea276cf2e1ae1d2014993

SHA1
3a80a97526eb2e78e775146175f1a8a974b56999

SHA256
ca9aab7d165057094286c64611d2259435173ed5a3652415afe11c6743bce63e

SHA512
fc080ec3fc5c3da061b259dd63a2bbe14cdf69e42d30fba2acc4a471074c8525e14a09926859af123e2d14bb63429010e147ce9a8d73414da4d0d3e4a0d3d9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFEB3.exe

Filesize
15KB

MD5
7acb70a65f460cc85421e6bec61e9845

SHA1
35e114854f551773acc1a7082d5a6c32cbcf0454

SHA256
82e235462949d38bf21e308b402f33afd279e7c152450d300a1834dcea987372

SHA512
c9aae5a2cfed37c150b20c3256080553ba77b69e0ee1782393a979aaa449cbba06b6c80caebabc21064f5df6c93106377a63c463ef0af42b2d033bc745bd8686

Download Submit

Analysis

Sharing