5c0d3b8c26b55ea82e432bd5b125f5a0659f99fb459e77629a8a84c2c1a2de7e

General

Target

35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe
Size

14KB
MD5

35dd25c590ee4de5137c3b36a1af1c66
SHA1

bdc36e0effb2fe58c79be5be25117781d75850e4
SHA256

5c0d3b8c26b55ea82e432bd5b125f5a0659f99fb459e77629a8a84c2c1a2de7e
SHA512

f5231281046e94e73015172724935b4a9726d83ebfc531b23613b105dede4ac5e3bcaf8814f46907b74dfea32dfbbe1638dd0926ff3206f4e7e9dedb5c839b33
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlp:hDXWipuE+K3/SSHgxmlp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	DEMAECE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	DEM73E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	DEM5DBB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	DEMB438.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	DEMA95.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
620	DEMAECE.exe
2972	DEM73E.exe
3560	DEM5DBB.exe
1980	DEMB438.exe
544	DEMA95.exe
316	DEM6102.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 620	1880	35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe	85
PID 1880 wrote to memory of 620	1880	35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe	85
PID 1880 wrote to memory of 620	1880	35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe	85
PID 620 wrote to memory of 2972	620	DEMAECE.exe	90
PID 620 wrote to memory of 2972	620	DEMAECE.exe	90
PID 620 wrote to memory of 2972	620	DEMAECE.exe	90
PID 2972 wrote to memory of 3560	2972	DEM73E.exe	92
PID 2972 wrote to memory of 3560	2972	DEM73E.exe	92
PID 2972 wrote to memory of 3560	2972	DEM73E.exe	92
PID 3560 wrote to memory of 1980	3560	DEM5DBB.exe	94
PID 3560 wrote to memory of 1980	3560	DEM5DBB.exe	94
PID 3560 wrote to memory of 1980	3560	DEM5DBB.exe	94
PID 1980 wrote to memory of 544	1980	DEMB438.exe	96
PID 1980 wrote to memory of 544	1980	DEMB438.exe	96
PID 1980 wrote to memory of 544	1980	DEMB438.exe	96
PID 544 wrote to memory of 316	544	DEMA95.exe	98
PID 544 wrote to memory of 316	544	DEMA95.exe	98
PID 544 wrote to memory of 316	544	DEMA95.exe	98

C:\Users\Admin\AppData\Local\Temp\35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\DEMAECE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMAECE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Users\Admin\AppData\Local\Temp\DEM73E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM73E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\DEM5DBB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5DBB.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3560
    - - C:\Users\Admin\AppData\Local\Temp\DEMB438.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB438.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Users\Admin\AppData\Local\Temp\DEMA95.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA95.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\DEM6102.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6102.exe"
        7⤵
        Executes dropped EXE
        
        PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5DBB.exe

Filesize
14KB

MD5
c1a1bc53e2204d1bbd46f49e2305be4f

SHA1
6ccaac54970bc6f17b905d43e53fc5625e4d73b7

SHA256
af14b0fc458514e84e1f897c500c9c810c02aebd2b6c36e4a28f0d9193b518ec

SHA512
5f3927cd55d8bbc8dce8f97e7cf1cf84c0bd515abf7d58fddf76f816c5fb58d51e56dfa5412f62746d878e3a8eed4e0b5e7af13d320267dec4eae576b9868b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6102.exe

Filesize
15KB

MD5
4a0adcace75a5a681beeae3d11ab2753

SHA1
ae657353d5c41437c90d893c1d11e8733e666080

SHA256
6e8e07218e280fad6dfe6548eacbc123359df9c88161518b3b456b7df5d0ad0f

SHA512
763e0e2c4c5be0242bfd7b3bab4412db56a9d9ebe2fd870a7be4c29f05a82761f32d3a8ba32779d9cc71a2339208858abb32dc72e3a218323260e21c5c3d9f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM73E.exe

Filesize
14KB

MD5
e44b77528f7ecfdbd91d5407d33373e4

SHA1
670218429a3cad22879812447c7c7dff923d91b8

SHA256
15b7e80bfe8e3f7615d1019d5b28dda75e4596958dd9e5e8c546e5530a2d4124

SHA512
b7bf797b0ad8245aa52c0dcce3b97eace23c3aff5407e0e27ebd883b76529ea0bbcd49dfc42997d39379591461f21545e2f9dd729fbe33cc710229a673962c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA95.exe

Filesize
15KB

MD5
995b589a749cf7ffa8e599da82484343

SHA1
a6f61521cf23af1865c1c7cda140da7dc3d9b0a1

SHA256
1475bcf83a477b9f117063588b4be8f35413cd9f7bb5feaf2830d900439fc070

SHA512
2f2ed8b15bbbef66c196366e3d6b1b8d3a0f8157cc452804082fba47ca66e046d45db8060db2a0dd362f1e36237cc66cb23b534ec99a7776ed04ec914e9f6540

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAECE.exe

Filesize
14KB

MD5
784c595a100f671eb585d9b7f35ece63

SHA1
ec8bd392869db5a3f6a51ebd94393865a82e9b38

SHA256
72101c9aaa04a25a6e929d3f82437e389580f5ea00070b71e414ec8afffc861f

SHA512
da1975e2a237ff0faf35a01da00c7382797e088986815d9e119dc73bd6b819c490a2d6b361dabb928caca1ae8352648575a6282639edfda2d08b8bb8c5103b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB438.exe

Filesize
15KB

MD5
d3dc6036cf081c77fbc51aea9e1704cc

SHA1
aae63a40584d63444078365f83ccb066940c5168

SHA256
943819dd6dd7d0c53b9bdf2dc120eca141cd0e2af08ea56aab1453437183e440

SHA512
f8142f769da1fa5515f7c4bc268615af97706fbd11de40aefbf00dcf435940bff28d9e53178c78231add9187e603496d8908d08476ea490a1572f52224bf45b9

Download Submit

Analysis

Sharing