4e5cc11d9e9f1c0b3b31fd6cbc62b8343d7a08bbbaf741ca7d06328c94b1f639

General

Target

3f94514c101fbbd6c5e48627c1fec6ba_JaffaCakes118.exe
Size

14KB
MD5

3f94514c101fbbd6c5e48627c1fec6ba
SHA1

8d6fa8f2874188f56b7760e11e44118504212e02
SHA256

4e5cc11d9e9f1c0b3b31fd6cbc62b8343d7a08bbbaf741ca7d06328c94b1f639
SHA512

0c0078e80b6624e22c0533bcd381dd044f73d93b655d3251b6d5c30681754c687e60b73082c13d68f95ea35fe381c6fd960b8c3c68fc31349876345e25fc9a1e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYJGD:hDXWipuE+K3/SSHgxmwD

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	DEM16FE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	DEM6CEE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	DEMC33B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	DEM1989.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	3f94514c101fbbd6c5e48627c1fec6ba_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	DEMC052.exe

Executes dropped EXE 6 IoCs

pid	Process
1696	DEMC052.exe
2808	DEM16FE.exe
5028	DEM6CEE.exe
872	DEMC33B.exe
3272	DEM1989.exe
3712	DEM6FB8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1696	5072	3f94514c101fbbd6c5e48627c1fec6ba_JaffaCakes118.exe	87
PID 5072 wrote to memory of 1696	5072	3f94514c101fbbd6c5e48627c1fec6ba_JaffaCakes118.exe	87
PID 5072 wrote to memory of 1696	5072	3f94514c101fbbd6c5e48627c1fec6ba_JaffaCakes118.exe	87
PID 1696 wrote to memory of 2808	1696	DEMC052.exe	92
PID 1696 wrote to memory of 2808	1696	DEMC052.exe	92
PID 1696 wrote to memory of 2808	1696	DEMC052.exe	92
PID 2808 wrote to memory of 5028	2808	DEM16FE.exe	94
PID 2808 wrote to memory of 5028	2808	DEM16FE.exe	94
PID 2808 wrote to memory of 5028	2808	DEM16FE.exe	94
PID 5028 wrote to memory of 872	5028	DEM6CEE.exe	96
PID 5028 wrote to memory of 872	5028	DEM6CEE.exe	96
PID 5028 wrote to memory of 872	5028	DEM6CEE.exe	96
PID 872 wrote to memory of 3272	872	DEMC33B.exe	98
PID 872 wrote to memory of 3272	872	DEMC33B.exe	98
PID 872 wrote to memory of 3272	872	DEMC33B.exe	98
PID 3272 wrote to memory of 3712	3272	DEM1989.exe	100
PID 3272 wrote to memory of 3712	3272	DEM1989.exe	100
PID 3272 wrote to memory of 3712	3272	DEM1989.exe	100

C:\Users\Admin\AppData\Local\Temp\3f94514c101fbbd6c5e48627c1fec6ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f94514c101fbbd6c5e48627c1fec6ba_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\DEMC052.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC052.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\DEM16FE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM16FE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\DEM6CEE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6CEE.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Users\Admin\AppData\Local\Temp\DEMC33B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC33B.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:872
      - C:\Users\Admin\AppData\Local\Temp\DEM1989.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1989.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\DEM6FB8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6FB8.exe"
        7⤵
        Executes dropped EXE
        
        PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM16FE.exe

Filesize
14KB

MD5
97caa2a0ca152130c0d863cd7b896edc

SHA1
580075ccb9aab158e7a5bbf58f9d50820c66160c

SHA256
34e90657be1129d20b883f5727b9e099a1919115ec552cc9355d900a69567b44

SHA512
e982565c73a3a180669b82d7197defee2eb69dc77c855cb55b712bd46aa2f271916899ea282c445ba7cd232aa00826d1b855ea8b8658617fed7b77536cd98c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1989.exe

Filesize
14KB

MD5
2d0e32578599039a1ceb7989c61fbe23

SHA1
18d8da6fcd567987c6b9f811816a8ff6c1acbcf5

SHA256
523fc8adaf17840880cb66cd4604a083e5dbbba0aa5a2272760c4dff43a5affb

SHA512
653eaa6d4b38deb41780d61f9b4985d704331ba879863d2768807b05d4cb81248cdace2f710c555e77cc2c2e5841aff7a49e2ee07d4ca9f5126711da03e20a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6CEE.exe

Filesize
14KB

MD5
d241446062f86b39c5d378f6dfdb5a5d

SHA1
c9ec9fc5db956225fd890700c086f39da1aaf1e1

SHA256
980c47dd49f168fa965c93a3993c966b476c57afa52f2107d162aae2a1b28b8a

SHA512
3249d0fb491d4311d8d17f362ffa818c17872844872da76aaab4ae850ee9d21c07df8f16e1c8c1c7c09a78af540c277eab8e7f0ff62be112f92d3bb2de89623d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6FB8.exe

Filesize
14KB

MD5
a626054c3bfeeaa2e4fbc71f72683085

SHA1
6663cc5290ef616cb60995caced1b175374d3dea

SHA256
cbccc12bd25f36c3796711f1c0386befc0926323faf1913e88b9e0461e834305

SHA512
aa1cab318f2253bc4b5113ab330cb5749e9c600afded63759dbac9d70a8e2bd3e2912aa50408e7d9f997c487486137f64c45a32a36c4f78d347b9dbd80e262c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC052.exe

Filesize
14KB

MD5
f33de4f27f89c77c1113346316f95a08

SHA1
5817f94c829613eb8268133a700b7ce5de99626e

SHA256
03528854ec239f214b0e78b7d7c5a021a3a3fcb2ce617371ab4e1dcff5371ea4

SHA512
1d71250de950fc14a88bfc2b6aa13b421a7d704d2406a8ee756a468ad2aace90c60435b76c9f25a14febcb232c402df372b12760a8767c692509bebbb4bb3231

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC33B.exe

Filesize
14KB

MD5
f44b891e99047aeb3dc21b660b9d3db3

SHA1
33deabae108c6a04e84c06665f7f5317513865ec

SHA256
437750af834218046630a4f14baa30b4b1a495753fc6d80b3095b3abf54996a3

SHA512
c7010f585f46bca807275e1702a0f63c30fe8aad228cbd031f26b1022ab3e60588c21df58b51126acb259be0a023728803dd2ffafcb42b5acce985534e044d5c

Download Submit

Analysis

Sharing