8f7fc87a3066c65cbdba85e3a7e217a65d57f20185957906a5ca5c62fa01237f

General

Target

2ae5edb00b4699c17f107e96ecb726ff_JaffaCakes118.exe
Size

14KB
MD5

2ae5edb00b4699c17f107e96ecb726ff
SHA1

9761c59cfa4e59aad6bf9a2b96c76632208e5a99
SHA256

8f7fc87a3066c65cbdba85e3a7e217a65d57f20185957906a5ca5c62fa01237f
SHA512

8a48446a9976665940e749d38586d31529d2fb68910670c72cf1ad98aa0037d56eb5254072c1b9499d65894bc70d2aca0d9b122c03ba483228cf8674ac950ec7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhW8B:hDXWipuE+K3/SSHgxc2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	DEM9B75.exe
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	DEMF27E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	DEM48AC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	DEM9F39.exe
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	DEMF548.exe
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	2ae5edb00b4699c17f107e96ecb726ff_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
4892	DEM9B75.exe
4304	DEMF27E.exe
756	DEM48AC.exe
2756	DEM9F39.exe
2896	DEMF548.exe
4628	DEM4B57.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 4892	2136	2ae5edb00b4699c17f107e96ecb726ff_JaffaCakes118.exe	86
PID 2136 wrote to memory of 4892	2136	2ae5edb00b4699c17f107e96ecb726ff_JaffaCakes118.exe	86
PID 2136 wrote to memory of 4892	2136	2ae5edb00b4699c17f107e96ecb726ff_JaffaCakes118.exe	86
PID 4892 wrote to memory of 4304	4892	DEM9B75.exe	91
PID 4892 wrote to memory of 4304	4892	DEM9B75.exe	91
PID 4892 wrote to memory of 4304	4892	DEM9B75.exe	91
PID 4304 wrote to memory of 756	4304	DEMF27E.exe	93
PID 4304 wrote to memory of 756	4304	DEMF27E.exe	93
PID 4304 wrote to memory of 756	4304	DEMF27E.exe	93
PID 756 wrote to memory of 2756	756	DEM48AC.exe	95
PID 756 wrote to memory of 2756	756	DEM48AC.exe	95
PID 756 wrote to memory of 2756	756	DEM48AC.exe	95
PID 2756 wrote to memory of 2896	2756	DEM9F39.exe	97
PID 2756 wrote to memory of 2896	2756	DEM9F39.exe	97
PID 2756 wrote to memory of 2896	2756	DEM9F39.exe	97
PID 2896 wrote to memory of 4628	2896	DEMF548.exe	99
PID 2896 wrote to memory of 4628	2896	DEMF548.exe	99
PID 2896 wrote to memory of 4628	2896	DEMF548.exe	99

C:\Users\Admin\AppData\Local\Temp\2ae5edb00b4699c17f107e96ecb726ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ae5edb00b4699c17f107e96ecb726ff_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\DEM9B75.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9B75.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\DEMF27E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF27E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Users\Admin\AppData\Local\Temp\DEM48AC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM48AC.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:756
    - - C:\Users\Admin\AppData\Local\Temp\DEM9F39.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9F39.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Users\Admin\AppData\Local\Temp\DEMF548.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF548.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\DEM4B57.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4B57.exe"
        7⤵
        Executes dropped EXE
        
        PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM48AC.exe

Filesize
14KB

MD5
de6519482849b021dd2a16f614327968

SHA1
e5416b02be457b7b578f2ac3901e14828c6ed9d2

SHA256
c585c0e7fa2585e28b688291b8c0df85831035f897c4bc51a6f0f81ca85b0239

SHA512
138371a2b98546b707ec00dba44a23bba5b06c15da57c72437840e3c6a46555e2c59ba7b172d413f41943f00f5d993193c95971afda6155e83f49ff272aca094

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4B57.exe

Filesize
14KB

MD5
42f47c75c3aa079ce419de8161f41a09

SHA1
7a5b9aacd4f11e57b7004e26856abaf32ef851e7

SHA256
d24bae8dedda78ba741d2bcd877ea065a8a8bd2dc11664f6d9f7e14593ae6ff8

SHA512
5b5763eb87bd41d1ce0af7df00b9e2b5d0231c1c1ab5b117986127346bc810efcc7c71ac0a1eeb35b188cf7def2b9904ad3561db2dd27e470e0e6dcafef9ac74

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9B75.exe

Filesize
14KB

MD5
fbe9d0ad668c86324aa1f4344563e1b6

SHA1
2489727a22d714c72807452b85ca1b28b4508cfe

SHA256
ef2f28b968b5de0fc27fb18ee31a4af4d1dca9957c90cc9f14b71b24c78a016d

SHA512
ddfa0dc6f9f88f48c49d25601e23b81d58572eb0acc52a6d0d05f3e248ef7e409c21f17f07c0b8b494c85a33cbe4e9f9127d2d2e0c0ca434c172edd6a593ecfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9F39.exe

Filesize
14KB

MD5
a6389d1cdd012e6fecdc12dec3bb156a

SHA1
288f75dedd57da2d6ace6900fa8f0373318f6cc5

SHA256
cec58894febee3c106d3ceea6fc3b2f91ddc6765ff953281b27d1547a9db2b6b

SHA512
e26fcef5a7522925cc85dd0425689c1ecf9cf5a745b00c48026dcf6f753d2275bca463d5d869f30df663bf970dbff732906dbc7ea1ca66f08455b6576bf3552a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF27E.exe

Filesize
14KB

MD5
79c3a38989fc814a699ceb0f256bc06b

SHA1
c6519b142aa8647dd730343f1a0529d629a049c8

SHA256
5e8fb4eaa50febd563ed0c6f088c47432d26fd56f97f75f42b25791a915ad98b

SHA512
ba9249f2a3d09bb4d9b958b668d53a6d56b66a44d51305f95a793b9873d1aeada222d8481822c8ab79905309b98866ff05225894ef0a03c562fef2c2bd97d580

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF548.exe

Filesize
14KB

MD5
c7b4322c0ad30625fcdf14b4b7d21582

SHA1
4e73aeba11e4514bea4b59da26c2bf11e496eca4

SHA256
c3344fae557c44aa2fd348230da9c7fc0e37fe1639afe73dfe133d15077b9a2b

SHA512
1a2b7fb540f24c323db7414fc740cd4be494bd980c514b3983d5be118b44a913587738e078099c619140a6c3ff2c3c80e43fd103e9952e287cc05b37666c309f

Download Submit

Analysis

Sharing