88536141f176da07d5141f80357ebd99bf739c21b76129acce69de6e1a3ec50c

General

Target

34dcf09c98326ca9d077f56c2552a916_JaffaCakes118.exe
Size

14KB
MD5

34dcf09c98326ca9d077f56c2552a916
SHA1

b529372da8a86eca44d29e6adc54b31ae3bdd4c8
SHA256

88536141f176da07d5141f80357ebd99bf739c21b76129acce69de6e1a3ec50c
SHA512

4a5fe167e47088b0fe58051bc8a3c53162f2da13ccd0c67a1f2e4a978c55372142d52d3ee9cbf8930eeff28ca5a3d1d5e559a9e931cfb489a7c0686d60fb68ae
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlI:hDXWipuE+K3/SSHgxmlI

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEMACB6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEM342.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	34dcf09c98326ca9d077f56c2552a916_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEMA894.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEMFFCC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEM5678.exe

Executes dropped EXE 6 IoCs

pid	Process
4764	DEMA894.exe
4484	DEMFFCC.exe
3472	DEM5678.exe
1576	DEMACB6.exe
216	DEM342.exe
4888	DEM5A3C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 4764	2324	34dcf09c98326ca9d077f56c2552a916_JaffaCakes118.exe	87
PID 2324 wrote to memory of 4764	2324	34dcf09c98326ca9d077f56c2552a916_JaffaCakes118.exe	87
PID 2324 wrote to memory of 4764	2324	34dcf09c98326ca9d077f56c2552a916_JaffaCakes118.exe	87
PID 4764 wrote to memory of 4484	4764	DEMA894.exe	92
PID 4764 wrote to memory of 4484	4764	DEMA894.exe	92
PID 4764 wrote to memory of 4484	4764	DEMA894.exe	92
PID 4484 wrote to memory of 3472	4484	DEMFFCC.exe	94
PID 4484 wrote to memory of 3472	4484	DEMFFCC.exe	94
PID 4484 wrote to memory of 3472	4484	DEMFFCC.exe	94
PID 3472 wrote to memory of 1576	3472	DEM5678.exe	96
PID 3472 wrote to memory of 1576	3472	DEM5678.exe	96
PID 3472 wrote to memory of 1576	3472	DEM5678.exe	96
PID 1576 wrote to memory of 216	1576	DEMACB6.exe	98
PID 1576 wrote to memory of 216	1576	DEMACB6.exe	98
PID 1576 wrote to memory of 216	1576	DEMACB6.exe	98
PID 216 wrote to memory of 4888	216	DEM342.exe	100
PID 216 wrote to memory of 4888	216	DEM342.exe	100
PID 216 wrote to memory of 4888	216	DEM342.exe	100

C:\Users\Admin\AppData\Local\Temp\34dcf09c98326ca9d077f56c2552a916_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\34dcf09c98326ca9d077f56c2552a916_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\DEMA894.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA894.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\DEMFFCC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMFFCC.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Users\Admin\AppData\Local\Temp\DEM5678.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5678.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3472
    - - C:\Users\Admin\AppData\Local\Temp\DEMACB6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMACB6.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Users\Admin\AppData\Local\Temp\DEM342.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM342.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\DEM5A3C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5A3C.exe"
        7⤵
        Executes dropped EXE
        
        PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM342.exe

Filesize
14KB

MD5
c819f60c4686b7135149722b1cc71767

SHA1
62c2ebb1e3c4325bea51e658f11fe3a287fb3ecc

SHA256
272d1354c955d641dd0ce5b4a56dba80b854eb526268bdb88de54e37583332cd

SHA512
6613bc92026cbb06f710f8e9de3501c64b77226e46b1eb8c07fa38dfc909004106c20a2da8c6889226e9b01901be876b7bf5892eb637a65369888f5c1d383d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5678.exe

Filesize
14KB

MD5
18b2766d28be15ef8a68b5d2f6194a0b

SHA1
89aa7be3858c0aa3e31eb57b144254811269c915

SHA256
8fbebbc7f8a070f523f79a3d4a5694cb6085aa5cac4d559019cea005adb53f12

SHA512
e79196e7cea512575a44438cc65678463524df09e97c0790df84eb29b5469d00e51ac8ebdb142e5d021f8dec6de2e0ec733cffb75c52d5e8c7c43f0a390b6232

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5A3C.exe

Filesize
14KB

MD5
75653f8f0fd5d09d66ff5695e5750c27

SHA1
9258ae5eb97776c6d4419f4e3894e0b102b709ac

SHA256
02f421cb475a435f1b9dbf43acb7c78110a1afd11794ce43f14648f37588da28

SHA512
803f3f584bf341e500d2df9ddefca2f216e2a92cf4d57ac290c136e31ae34f93228e0577d79b54ebfdb55f6ecf961550957f53b6b407091c17e99f525b791c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA894.exe

Filesize
14KB

MD5
04808268ea3e747b7c84e1af1645fa13

SHA1
1a067355d84314ffaaead79ca418369aa83e1a84

SHA256
e434360302cab8b441542081cad3a1c8bdebba2eb41d85ef28bb378429eb4b87

SHA512
5145c01998d467496d57d57d8dcdefbd21b0bc0da0e3a92ed0b2c39d715f9879c839766a4eed128135238412bd10fa9cf0524abad93c212ce8d892f0cc85c168

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMACB6.exe

Filesize
14KB

MD5
eb7a964de8d1799e56dac1bdc5778a1c

SHA1
ff761dd881d86b38267e8157809846fd18eabee2

SHA256
0058d54f12634cba0de79870f14f34ab7ff52df44f23bb22cf961ded160a5647

SHA512
2ea905cd95458bd14edc3c57c29df782d9cfc2f9ec0894178f7ece16621facd5a70d262aab60c77ef3552aba6af42efd6e44253d4e8ed27956abcb0bb1ff5322

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFFCC.exe

Filesize
14KB

MD5
2a3a238f3e5c81b3862a01c7af3f8cdc

SHA1
429fa986166d8ed8acb8379338bac08329531d4f

SHA256
17927ccda3d2ef7a633f0d35652b46b26f6df3454b5ee23a666e39f487185788

SHA512
793b53302d9e19c44ca2c1b2394104309461ddbe85f9e2e73064616b0126672e05f0bedd596e860ba00b9dfdcf83c0fcede9d9ed944eaa219422ba569baa9c0c

Download Submit

Analysis

Sharing