07cba4942c05fc9362f7bc54e8cc45a744238967e353c385f0cf2fd3c91e05c8

General

Target

39fbc835735faed7d9ec207e38116c7a_JaffaCakes118.exe
Size

14KB
MD5

39fbc835735faed7d9ec207e38116c7a
SHA1

eba077abcc661cc033720a7fbace4add7f3e036e
SHA256

07cba4942c05fc9362f7bc54e8cc45a744238967e353c385f0cf2fd3c91e05c8
SHA512

febf30d977276ff6e86aae62f178cb0e35f2d548be5d93bbecf306e19b5e259247158c88186abef2538d119cdb03c7a47f59eb4680173a4545835de65c375b6b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY53:hDXWipuE+K3/SSHgxmh

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEM55AD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEMAC39.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEM2C5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	39fbc835735faed7d9ec207e38116c7a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEMA846.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEMFF11.exe

Executes dropped EXE 6 IoCs

pid	Process
4992	DEMA846.exe
2376	DEMFF11.exe
1460	DEM55AD.exe
2788	DEMAC39.exe
4824	DEM2C5.exe
5024	DEM58E4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 4992	4056	39fbc835735faed7d9ec207e38116c7a_JaffaCakes118.exe	87
PID 4056 wrote to memory of 4992	4056	39fbc835735faed7d9ec207e38116c7a_JaffaCakes118.exe	87
PID 4056 wrote to memory of 4992	4056	39fbc835735faed7d9ec207e38116c7a_JaffaCakes118.exe	87
PID 4992 wrote to memory of 2376	4992	DEMA846.exe	92
PID 4992 wrote to memory of 2376	4992	DEMA846.exe	92
PID 4992 wrote to memory of 2376	4992	DEMA846.exe	92
PID 2376 wrote to memory of 1460	2376	DEMFF11.exe	94
PID 2376 wrote to memory of 1460	2376	DEMFF11.exe	94
PID 2376 wrote to memory of 1460	2376	DEMFF11.exe	94
PID 1460 wrote to memory of 2788	1460	DEM55AD.exe	96
PID 1460 wrote to memory of 2788	1460	DEM55AD.exe	96
PID 1460 wrote to memory of 2788	1460	DEM55AD.exe	96
PID 2788 wrote to memory of 4824	2788	DEMAC39.exe	98
PID 2788 wrote to memory of 4824	2788	DEMAC39.exe	98
PID 2788 wrote to memory of 4824	2788	DEMAC39.exe	98
PID 4824 wrote to memory of 5024	4824	DEM2C5.exe	100
PID 4824 wrote to memory of 5024	4824	DEM2C5.exe	100
PID 4824 wrote to memory of 5024	4824	DEM2C5.exe	100

C:\Users\Admin\AppData\Local\Temp\39fbc835735faed7d9ec207e38116c7a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39fbc835735faed7d9ec207e38116c7a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Users\Admin\AppData\Local\Temp\DEMA846.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA846.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\DEMFF11.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMFF11.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\DEM55AD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM55AD.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Users\Admin\AppData\Local\Temp\DEMAC39.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAC39.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Users\Admin\AppData\Local\Temp\DEM2C5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2C5.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\DEM58E4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM58E4.exe"
        7⤵
        Executes dropped EXE
        
        PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2C5.exe

Filesize
14KB

MD5
7cc8c32bb10462082495218a5e3aa1a7

SHA1
e8e4542dc4cf23d0b975f7f78a5be17452db2aa7

SHA256
31bbdeb4bf18912eb56dc94d9e277fd27ebb668801c12a52c0befbfa07f704e1

SHA512
417609e404d782fad0ec270e35706a17640f67e4365ce3e6e4d9b9954155b4dae7515e0ab5a82339b0e73eb1658cfb77352fecebab92ec2ee454e873d17b217a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM55AD.exe

Filesize
14KB

MD5
06466615c143c8cd94371fc258589fe8

SHA1
0453a7934c895555a95119d500cf92b0d743f3fc

SHA256
9758420786145dc373d9b9aab9015a971eb3173daaf3fe1540ffd9201a4e4eb4

SHA512
d8ba7fb703060de1d8254168c55f681c946c9e8f8a70803c69b3f56f66a48fe96544a2105f5153209821d830b660669f8aabf5223716d443e623388828ed48db

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM58E4.exe

Filesize
14KB

MD5
69d2e940062116bbb08652e84c797574

SHA1
a13a160acd6f9892c1efb885fcde2a5f83808351

SHA256
8823dbcb7483c7cd6ab8880389c06607459990e7f4b8ccad41153841e8d6dc46

SHA512
d52b5bc1601f336b9ee5e32a479d146339cb5682ae31aa2cd08592bf7d590d3617b64fde4d3350b62dc26873b23a63c4c019ad9367a235b86a08d2940a4787cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA846.exe

Filesize
14KB

MD5
77d36b2357fb73b97043aae807089c61

SHA1
a11a3836b8b891eabfd77a3e7e3a1a465d972a3c

SHA256
d4c6b0680d17aa861d01d0f2ba17e67bd9477b53e6644684f8bb2392b472f504

SHA512
5e4e4fac1fc46e4e6bf67e9f73ad968e3e381d2cfac0f30c7f4d3421e3e36e6c5467223bb8b40960aad169ea9ae0bad10752832d541bf3cf51af400a4a2c5015

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAC39.exe

Filesize
14KB

MD5
8b684c2c094414f83943db185b69fdb4

SHA1
eee66622c510d8e627cbde38a2b049e42c446b93

SHA256
85cef6b4424f89df5d6f9b2c4cf2292c0af9abec48b6ceb2995bf5b0f4b9dc42

SHA512
02fdd535bb3047fae216da39ee628b9f5b8f858de1a7fbd5c510d7a1ea3a6fc8e78e543ff6704f517227eb5b22ae559053529a32f69c8379529110e1d2ea52bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFF11.exe

Filesize
14KB

MD5
158f6d9395d14bbd50a52742e7bc889e

SHA1
7523aae43498f11e71f63b56b6258afc3897039a

SHA256
fac490d7b581577c60dea5d58dceaa3af5b2f92fa7c8c10a5040858a3cda6d7d

SHA512
6bb68adb9ea41222eddf3bc45be3b1823128e70e068b19a4bc8f11b496dc39794af01c3b0a7eba7f097ea2d5881900e8f6995e2c0d923a273b15f08a0e1f1fdf

Download Submit

Analysis

Sharing