bde59a251fc0d718bf23b466c816bbb875ac8e50baea97bc236d890b8dd4b24f

General

Target

318c8def767c7f42d4a2051ca1c39440_JaffaCakes118.exe
Size

14KB
MD5

318c8def767c7f42d4a2051ca1c39440
SHA1

b9a9b1fad4165934b9883c03e61f1d708a5442e2
SHA256

bde59a251fc0d718bf23b466c816bbb875ac8e50baea97bc236d890b8dd4b24f
SHA512

08a14901988151055effc6757acc40fb3e8bb7a12c374168d1ad008e62e4741c6b855c4ef824278a312907863cb251ce5e0a46da883ee4cc5387965d3916c18c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYWmbn:hDXWipuE+K3/SSHgxmWmbn

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEMA7C9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEMFF11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEM55DB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEMAC48.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEM296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	318c8def767c7f42d4a2051ca1c39440_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
2152	DEMA7C9.exe
2952	DEMFF11.exe
3304	DEM55DB.exe
1132	DEMAC48.exe
1252	DEM296.exe
3904	DEM5903.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 2152	3900	318c8def767c7f42d4a2051ca1c39440_JaffaCakes118.exe	85
PID 3900 wrote to memory of 2152	3900	318c8def767c7f42d4a2051ca1c39440_JaffaCakes118.exe	85
PID 3900 wrote to memory of 2152	3900	318c8def767c7f42d4a2051ca1c39440_JaffaCakes118.exe	85
PID 2152 wrote to memory of 2952	2152	DEMA7C9.exe	88
PID 2152 wrote to memory of 2952	2152	DEMA7C9.exe	88
PID 2152 wrote to memory of 2952	2152	DEMA7C9.exe	88
PID 2952 wrote to memory of 3304	2952	DEMFF11.exe	90
PID 2952 wrote to memory of 3304	2952	DEMFF11.exe	90
PID 2952 wrote to memory of 3304	2952	DEMFF11.exe	90
PID 3304 wrote to memory of 1132	3304	DEM55DB.exe	92
PID 3304 wrote to memory of 1132	3304	DEM55DB.exe	92
PID 3304 wrote to memory of 1132	3304	DEM55DB.exe	92
PID 1132 wrote to memory of 1252	1132	DEMAC48.exe	94
PID 1132 wrote to memory of 1252	1132	DEMAC48.exe	94
PID 1132 wrote to memory of 1252	1132	DEMAC48.exe	94
PID 1252 wrote to memory of 3904	1252	DEM296.exe	96
PID 1252 wrote to memory of 3904	1252	DEM296.exe	96
PID 1252 wrote to memory of 3904	1252	DEM296.exe	96

C:\Users\Admin\AppData\Local\Temp\318c8def767c7f42d4a2051ca1c39440_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\318c8def767c7f42d4a2051ca1c39440_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Users\Admin\AppData\Local\Temp\DEMA7C9.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA7C9.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\DEMFF11.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMFF11.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\DEM55DB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM55DB.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Users\Admin\AppData\Local\Temp\DEMAC48.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAC48.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1132
      - C:\Users\Admin\AppData\Local\Temp\DEM296.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM296.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\DEM5903.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5903.exe"
        7⤵
        Executes dropped EXE
        
        PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM296.exe

Filesize
14KB

MD5
2235782c2b590320de15c81ac032a995

SHA1
d0cbe09ca03e81206efeeed03d338c5c39a39147

SHA256
185397ea22161da3a55442a362ae38f2bfa092248334b04d08e98399849744b4

SHA512
073c1157f8a78ffea43f351257d3e2ec34fe7b241ea614c16b372aee7dcda2559d72d3dcfecbd40b2375c73349344e9485fab028c4fdcd4a5fc394c725aef13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM55DB.exe

Filesize
14KB

MD5
13caf3deb781c31731d4e6ba7c222bb2

SHA1
eea3dab7b32ec55789a4cd22cf2fa4c92ca29469

SHA256
b86d7e6bb7d6fb58aa74fdfe91a85d048c7956009e726e117bfc2b5fc54ba22c

SHA512
57c920873025a53bc7f7a45f39cdd5e16bda095434a49111580d9db84daceae0914bf6e5e6ad495e9abd1fb777407b4938428b0577e846a2e913ea20ed795af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5903.exe

Filesize
14KB

MD5
d35b597d8f8099be84f61fa0a00e3bbe

SHA1
89187cc5de8dc84acf756167004bfbbeb5711820

SHA256
eed70e0bb126bb1bbfe6803cd6a0c84aa7f0d923b2998d03ebda7bb70238bb07

SHA512
e03a5e4aeece82bf8669344152700f0926c68c2ed093ab492da5c288906cbacd9e6293bbea97e923fa0760ccca3447794a43e36ebcf54b2a1f3fcaf975452ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA7C9.exe

Filesize
14KB

MD5
affb1ff15b3ba451bacf093debc04b2a

SHA1
83ed11c1196e10feda328bd90bf82992db2bafb5

SHA256
438e62dc840f9e19291201d7da4e382192897e71a4bf7b69388c52e46cadef9c

SHA512
7fee0ac63154b646097dae0b7f15a6a7bf111ca2b1ab8ebee86005d7e73de0742811b5c59dc9c17edf32eecae20784ab731b3de9dc5c183c9dda58d38ef792af

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAC48.exe

Filesize
14KB

MD5
41a4771a1096eed347cb99e24754985c

SHA1
5262e5530690445f512acbd4c971862c90798ec8

SHA256
fcdb0c826a1a1515bd9a45aea46dc00173d91a145b98e1017f1bead70608f170

SHA512
51cf7b0cf257340b13529a5277ab67a897eadefdefe759ca9c60b692101c5c00c51e7dfd0612b2e657c0d18410fdf8c603b3819b6381e94c73d25b2ee3711e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFF11.exe

Filesize
14KB

MD5
65a4ff79e49b21a4592ab4b73fff8d41

SHA1
84338f6d28cdda4b7bd741287e5eda074ebdd5be

SHA256
f4af802e3e365fa9b2c20a2fd5fda6a1889104c417d219b3333e2fa15adf1753

SHA512
67f431950cec10160f0a6ca51faa4035279a636b659c56989946f2cfb35cbef7b95ae889fa915a6aec1a00fb001edeee0fd2b206ede1a156ded8fba3fb67bb37

Download Submit

Analysis

Sharing