c112952df50732c936ff07194c0dc98e4f54b3906f2212a47397040ed49d4794

General

Target

386f7633879e8179d20b96e43082cef7_JaffaCakes118.exe
Size

14KB
MD5

386f7633879e8179d20b96e43082cef7
SHA1

001f7b6d62352b3135b5a61607a8d03517dfbe2e
SHA256

c112952df50732c936ff07194c0dc98e4f54b3906f2212a47397040ed49d4794
SHA512

9b29de34291c6d65477b1f6a3fde7271f21a85b9423f7e484e6f9dd7d3803c60513b9bf05d03a24bfc0f9243b892deb05720fe52edfaae420a37c924e987f8d4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYf+:hDXWipuE+K3/SSHgxmf+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEM70DA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEMC861.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEM1EDD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEM751B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEMCBD7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	386f7633879e8179d20b96e43082cef7_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3640	DEM70DA.exe
4508	DEMC861.exe
4456	DEM1EDD.exe
3996	DEM751B.exe
3796	DEMCBD7.exe
3604	DEM2253.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 3640	4052	386f7633879e8179d20b96e43082cef7_JaffaCakes118.exe	87
PID 4052 wrote to memory of 3640	4052	386f7633879e8179d20b96e43082cef7_JaffaCakes118.exe	87
PID 4052 wrote to memory of 3640	4052	386f7633879e8179d20b96e43082cef7_JaffaCakes118.exe	87
PID 3640 wrote to memory of 4508	3640	DEM70DA.exe	92
PID 3640 wrote to memory of 4508	3640	DEM70DA.exe	92
PID 3640 wrote to memory of 4508	3640	DEM70DA.exe	92
PID 4508 wrote to memory of 4456	4508	DEMC861.exe	94
PID 4508 wrote to memory of 4456	4508	DEMC861.exe	94
PID 4508 wrote to memory of 4456	4508	DEMC861.exe	94
PID 4456 wrote to memory of 3996	4456	DEM1EDD.exe	96
PID 4456 wrote to memory of 3996	4456	DEM1EDD.exe	96
PID 4456 wrote to memory of 3996	4456	DEM1EDD.exe	96
PID 3996 wrote to memory of 3796	3996	DEM751B.exe	98
PID 3996 wrote to memory of 3796	3996	DEM751B.exe	98
PID 3996 wrote to memory of 3796	3996	DEM751B.exe	98
PID 3796 wrote to memory of 3604	3796	DEMCBD7.exe	100
PID 3796 wrote to memory of 3604	3796	DEMCBD7.exe	100
PID 3796 wrote to memory of 3604	3796	DEMCBD7.exe	100

C:\Users\Admin\AppData\Local\Temp\386f7633879e8179d20b96e43082cef7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\386f7633879e8179d20b96e43082cef7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Local\Temp\DEM70DA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM70DA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Users\Admin\AppData\Local\Temp\DEMC861.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC861.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Users\Admin\AppData\Local\Temp\DEM1EDD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1EDD.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\DEM751B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM751B.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3996
      - C:\Users\Admin\AppData\Local\Temp\DEMCBD7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCBD7.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\DEM2253.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2253.exe"
        7⤵
        Executes dropped EXE
        
        PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1EDD.exe

Filesize
14KB

MD5
8e7a271f2bb273e2a30868a52e558ad0

SHA1
979702f81b19e3adc1b3c01a37c4e7a76702795d

SHA256
495372d378cec048566e12cf8917266b6dad6d884607bdf8bae8131d9d3b212f

SHA512
cd9f162a76d384040aed6c1dad5e01a52040594d85f5f62d9b4ccc1cb8625a9483b6dd11ff88f43d76d30f075d92372deacb31a699fefacb4d9c2f0d5a07bc17

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2253.exe

Filesize
14KB

MD5
320abe17b7598de562ded2d55a6f9f22

SHA1
4b6bb5d8c902b180d7394ef8ad98fedb478273fd

SHA256
fcfc76d9cf10e0e29189f53db25fea53b561d8f75dbdef2981370882164c8cc6

SHA512
01b1049dd2d68fb81738d4e759aea2252e307b9e6795ef1f26f83219e01ac30d896f3e93d1ae304d71cfd51e474160ec7272edf1dd74f5fb0f593e7198454954

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM70DA.exe

Filesize
14KB

MD5
052028a41695484147ab3de72fd8e34b

SHA1
9ec04782fddb7356fc606e5836770ae86c1ce3a5

SHA256
5d8a3d3d3c0eefdb9888e30adac1589de2dbc625be34a1037c204a60f97d9534

SHA512
8098edb0f072929f393aba3269e3d1ec8bc7103eaffa11c206b6000e57169af8fe0b54706fd6dd3b0e925ec49b4af1d1e7e7c072f43f9d2844244ad15c968462

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM751B.exe

Filesize
14KB

MD5
fa7ff2c475ea1bcb76de3879f6b3437a

SHA1
4b676101d24a656310b3c132da8fee3ca69c5b9f

SHA256
53c73f04a29893d862920f33f083cebb37938fc9011a6e9cdc587e06cb245cb4

SHA512
4059e2467c599b6380886355405fb0cce52de38c3d95e25d0dd81426b4d191c5b8ab7a2568a45589703905baa2a8684be0e1ef8bcd510201b95ba7ae0ffde33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC861.exe

Filesize
14KB

MD5
1d6051004a1a5b4e2fb9b1a5e657429b

SHA1
200d4958576f2f4abda6870c2f5b2abb839e8eb5

SHA256
6d807337571b6e20cb8ca2cbaf2235eca492d05fc2dde10e535ad094c5e5fc19

SHA512
743bfc5ad4bca16e6edce96d29b6df58cc5297908d88ba73b0c4cb6664503f4e7f2c4db9bc919fa769d8854b618e087f19c98c596617f133ade1f550d6bc6996

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCBD7.exe

Filesize
14KB

MD5
4ed4a5903144b96ad66478914c257b16

SHA1
5608d34d8e6ee282223c06b6b09af0dcadba07d4

SHA256
45b0c1e525d92eb588bd15e99baf92823f1ea749385231630db930a0091df716

SHA512
2520b7047dadaec9c8b750700fc9b8ca756abd7d0396152a4123700afbc65eefc9cff9ef30e79d9b93e663c626fb6df1f5d58249a1dafc7770ca07e16dc3d4a8

Download Submit

Analysis

Sharing