f56c4119f0715e747b522c38c08e91af3a3411419bd4190406f6f6436d4bc46f

General

Target

2bfea4a8754925e30ee7c6207b24478b_JaffaCakes118.exe
Size

14KB
MD5

2bfea4a8754925e30ee7c6207b24478b
SHA1

cbd9aac1145c2ef7c9fd4afcf682cdb15484ac6b
SHA256

f56c4119f0715e747b522c38c08e91af3a3411419bd4190406f6f6436d4bc46f
SHA512

5493be357b12e0a977eec0912fa543cfd8a320109192ac2a2a9f8ef37625d3000b994794d8b44283945b863d3aacf096b0d74925d836139d7ac40a4a51e4cfed
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/Tyt:hDXWipuE+K3/SSHgxm/TK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	DEMEBA3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	DEM42BC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	2bfea4a8754925e30ee7c6207b24478b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	DEME55F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	DEM3DFE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	DEM94F8.exe

Executes dropped EXE 6 IoCs

pid	Process
4800	DEME55F.exe
3660	DEM3DFE.exe
2328	DEM94F8.exe
1912	DEMEBA3.exe
4832	DEM42BC.exe
4908	DEM99F4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 4800	552	2bfea4a8754925e30ee7c6207b24478b_JaffaCakes118.exe	86
PID 552 wrote to memory of 4800	552	2bfea4a8754925e30ee7c6207b24478b_JaffaCakes118.exe	86
PID 552 wrote to memory of 4800	552	2bfea4a8754925e30ee7c6207b24478b_JaffaCakes118.exe	86
PID 4800 wrote to memory of 3660	4800	DEME55F.exe	91
PID 4800 wrote to memory of 3660	4800	DEME55F.exe	91
PID 4800 wrote to memory of 3660	4800	DEME55F.exe	91
PID 3660 wrote to memory of 2328	3660	DEM3DFE.exe	93
PID 3660 wrote to memory of 2328	3660	DEM3DFE.exe	93
PID 3660 wrote to memory of 2328	3660	DEM3DFE.exe	93
PID 2328 wrote to memory of 1912	2328	DEM94F8.exe	95
PID 2328 wrote to memory of 1912	2328	DEM94F8.exe	95
PID 2328 wrote to memory of 1912	2328	DEM94F8.exe	95
PID 1912 wrote to memory of 4832	1912	DEMEBA3.exe	97
PID 1912 wrote to memory of 4832	1912	DEMEBA3.exe	97
PID 1912 wrote to memory of 4832	1912	DEMEBA3.exe	97
PID 4832 wrote to memory of 4908	4832	DEM42BC.exe	99
PID 4832 wrote to memory of 4908	4832	DEM42BC.exe	99
PID 4832 wrote to memory of 4908	4832	DEM42BC.exe	99

C:\Users\Admin\AppData\Local\Temp\2bfea4a8754925e30ee7c6207b24478b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2bfea4a8754925e30ee7c6207b24478b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:552
- C:\Users\Admin\AppData\Local\Temp\DEME55F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME55F.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Users\Admin\AppData\Local\Temp\DEM3DFE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM3DFE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Users\Admin\AppData\Local\Temp\DEM94F8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM94F8.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Users\Admin\AppData\Local\Temp\DEMEBA3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEBA3.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Users\Admin\AppData\Local\Temp\DEM42BC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM42BC.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\DEM99F4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM99F4.exe"
        7⤵
        Executes dropped EXE
        
        PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3DFE.exe

Filesize
14KB

MD5
4c247d2bae917555f394fa61ad4129aa

SHA1
ae30ecac1b63ad056405ddcdd810c67af427ad93

SHA256
32d0d45246af86b100e22786095d91fda9ed12bd57020951f965f5596c064977

SHA512
bf3626c2de91d0c77a4f0516ede67c58c2f93d64110e4cabfe0bd2e2a137e440bd2ef03670c8975855f76e50865be0d8ebf096a1f3b9f50b78727c428e154d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM42BC.exe

Filesize
14KB

MD5
c069982ca259669b8baa52491fec7709

SHA1
197e415f5eb7747d14b2c05999fb927997e258f3

SHA256
de76f88c561abc64d525e23a98a256e616ecfd3726a842bc7777415d5e62e7e7

SHA512
02b1bade27902077bcbbb90618bbaf9e188ae6c80863b5754abe482fb9e4138cd9aa28b0597291286cf6ecc367fdfe75c4eb5b69bebb0c7c95608db201f42258

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM94F8.exe

Filesize
14KB

MD5
eb4dcbc89b6c3050cc0e5c00c0d32194

SHA1
9d8dde755d59c8f32ba8d437510fe772b2c065ae

SHA256
4e14da2fb3b870b2ad94700dacabaddda127ce831cc98336c1d06d9b8ffaa93a

SHA512
1180246871c15720c6fbca27b2282412b811dd27f302bf3a7d78a1ffb1c9decd80e943ee9c3cbff135a3a562e348e95152f14af221bfaecb939816e5853f5e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM99F4.exe

Filesize
14KB

MD5
f10626e4522f902eb739db2be448abf8

SHA1
a1ee5314b4f9daf23a85e61727536bab8a7cd715

SHA256
9f0b55c5b37a3948e24e332ca8c183cb09e065d73e05f150fcad461e9853714b

SHA512
e81b668320505efa1f9a7171ef86a8f3edc1dc619428ba7bb6423aa91a6b68cdcec3d3546c049c20c57fb3fce0a37f3f4e80f470f68816c4efda2350b0a45fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME55F.exe

Filesize
14KB

MD5
3a40b19f8d544124693c28b2b1165a69

SHA1
580e496c8355993affe9d85199872049951aeafc

SHA256
035039c52cc16619ffe9a0ecf0c527a98a9dd6f513af991c9dbb67cc69d3c4d8

SHA512
fde49b9c30fd31591a5c6f971664423c987644791914176d4d505b1e9dbaadc0aa575a90f462c7059c59c05a647c13776afdf465bdcb92e060c85b39f33608c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEBA3.exe

Filesize
14KB

MD5
780345e9244bb37e7fbb01a1dc2c400d

SHA1
5969c5410feed466cc4b71bc6a214fcb29a49b7e

SHA256
f77b3e97af92fe54229bcba09425b7d12434013ca27eb5db01af55a42fd2d5f8

SHA512
d5e2a7a926a5855c0837be8187c4fe6ec99fb0e0469453c54e9380f0683017c00e6a7edd3afca2b878edac09799657754f59f026d109eb2cad4b7ca8aa5b5ba6

Download Submit

Analysis

Sharing