9f2173862d9a80cc7e1148f0ba178b73de76dd7d6ae0a6fd8fff9114a3e140fc

General

Target

22a38029ca6945568a588f1967e191c2_JaffaCakes118.exe
Size

14KB
MD5

22a38029ca6945568a588f1967e191c2
SHA1

b1cf486918e951a80df05e7e3bc8149941829cc4
SHA256

9f2173862d9a80cc7e1148f0ba178b73de76dd7d6ae0a6fd8fff9114a3e140fc
SHA512

67c55fd743add96902cdacad32071df407538e9e92face9964308d4afd863f73dd49eab9c8190414077c612c98dac27f0c0c8030b254b18b3d5ca479f6110108
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhWD:hDXWipuE+K3/SSHgxcD

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEME9A4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEM3FD3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEM95F2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	22a38029ca6945568a588f1967e191c2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEM3CDA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEM9347.exe

Executes dropped EXE 6 IoCs

pid	Process
2056	DEM3CDA.exe
2008	DEM9347.exe
3224	DEME9A4.exe
2012	DEM3FD3.exe
952	DEM95F2.exe
4172	DEMEC5F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2056	2988	22a38029ca6945568a588f1967e191c2_JaffaCakes118.exe	82
PID 2988 wrote to memory of 2056	2988	22a38029ca6945568a588f1967e191c2_JaffaCakes118.exe	82
PID 2988 wrote to memory of 2056	2988	22a38029ca6945568a588f1967e191c2_JaffaCakes118.exe	82
PID 2056 wrote to memory of 2008	2056	DEM3CDA.exe	92
PID 2056 wrote to memory of 2008	2056	DEM3CDA.exe	92
PID 2056 wrote to memory of 2008	2056	DEM3CDA.exe	92
PID 2008 wrote to memory of 3224	2008	DEM9347.exe	94
PID 2008 wrote to memory of 3224	2008	DEM9347.exe	94
PID 2008 wrote to memory of 3224	2008	DEM9347.exe	94
PID 3224 wrote to memory of 2012	3224	DEME9A4.exe	96
PID 3224 wrote to memory of 2012	3224	DEME9A4.exe	96
PID 3224 wrote to memory of 2012	3224	DEME9A4.exe	96
PID 2012 wrote to memory of 952	2012	DEM3FD3.exe	98
PID 2012 wrote to memory of 952	2012	DEM3FD3.exe	98
PID 2012 wrote to memory of 952	2012	DEM3FD3.exe	98
PID 952 wrote to memory of 4172	952	DEM95F2.exe	100
PID 952 wrote to memory of 4172	952	DEM95F2.exe	100
PID 952 wrote to memory of 4172	952	DEM95F2.exe	100

C:\Users\Admin\AppData\Local\Temp\22a38029ca6945568a588f1967e191c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\22a38029ca6945568a588f1967e191c2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\DEM3CDA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3CDA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\DEM9347.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9347.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\DEME9A4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME9A4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Users\Admin\AppData\Local\Temp\DEM3FD3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3FD3.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Users\Admin\AppData\Local\Temp\DEM95F2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM95F2.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\DEMEC5F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEC5F.exe"
        7⤵
        Executes dropped EXE
        
        PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3CDA.exe

Filesize
14KB

MD5
ccb24ebf80677cd6b313ae2f789ee07b

SHA1
265d193a0313450e998aec1a1babab6122ba2f8a

SHA256
900c28e0e42423c2a0cb8d44ce47e03d0e61dae3abd09b73b6d3fc57c23c4f5d

SHA512
5ceb98626869b8462550975235f5fe264f77825dca775ca31116f1162af079f0547ebfb81b1399baba5326e0ceca797063cd320e7ca2ffb19b32af1e95791194

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3FD3.exe

Filesize
14KB

MD5
50194ef8aadb1a6ef88949ef7e81cd3a

SHA1
04e7280b769ddd9f0ba377fa20f1f424fe80845d

SHA256
d05ee2be3702e9931cb6fb11919d5ea897ad17b49d6f432e8281bbc037a56bb7

SHA512
bf2d53700d0fbb1bc2035c4716c2e99aa8b7120ae9b149af6f3e83659e3309e13c476dda945def8dc533478c8f54ffd82a19143783638ea71e681097e84dc796

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9347.exe

Filesize
14KB

MD5
189fea706a11b0a5860c630ac91471bb

SHA1
9ee92941aa8dd5cda886142b5c8c2816fbb587d7

SHA256
0e08c29bee374d3a80ad7b71869c5b91f252a8d66e4e4d4dd6a34517b083955d

SHA512
5898a342690e84ce314824c405766c43cdd20bcc125c8efa7e9a24326bd9569cf0bc64b971814fe0c4f7911d9144e1dea2497a3dde3c494adc0b2c30909b04f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM95F2.exe

Filesize
14KB

MD5
3106b07d3b84c5a60437d1adebeb689d

SHA1
613801a0f7825caae30a3792b126dbeb00e8b9cb

SHA256
065bb4ef9229baf357ff91a5955eeeef33c12636b784852e6aebbe830a596f60

SHA512
a15ebab4801f963d0823322e25fdbc908c3e7f644a7086c3d8dde3719d221c1ad0b5318fb43bb7adbf11bf1f093794c11e3457f6ca126d192d6cf4bd4fc0719e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME9A4.exe

Filesize
14KB

MD5
a69ce746393d96cb030831c507600f27

SHA1
32fd999db144a5ff4b1aa5aecb8a8df4511ca13a

SHA256
f12dff5c7ebd4df9fe2654cf1dda41dbed8d7a23cfd0844f2fd84e9a2f787164

SHA512
ae2d08d4432a8fd4cbbf120a6e6c465134cd68a914bd2ef7d55851189750d0cf03e1f459d2e82d538f876521cd77aa4c658f151117dfaa535ab78205365a9977

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEC5F.exe

Filesize
14KB

MD5
8e80efcf5498cb07b7f835ad3b31f1a8

SHA1
f76a2ef58397a241eba21ee7c875b7926a22ee99

SHA256
d69fe718594b51d90ce48f4dc707c5a5f6869cd765ecbeb9d527d892c81e0a87

SHA512
19e0c7cb2194effe8d59e1c8fdd6b18561f73493a77ff7ecc6ba14d5d2e6fe605cb77bba2c45780ec0435dd45593e1118cffea9ad41d53ed80e201607daebf6b

Download Submit

Analysis

Sharing