d36aefc1c4fa84c853d33afae00ff585fd9335f2216586ffa3eadd3195835006

General

Target

417b39c3251dc5dbe7c6622091853729_JaffaCakes118.exe
Size

15KB
MD5

417b39c3251dc5dbe7c6622091853729
SHA1

b15a7be9fd7d93fcfdac0875f74c84d5aa528f7e
SHA256

d36aefc1c4fa84c853d33afae00ff585fd9335f2216586ffa3eadd3195835006
SHA512

471c2c93bff1516456a7ef55ded17bcc781d0c61af2d083bb78a5eafa1df7c2323acecbae2167a7e76cb078373abe7cd5344e029ec46a28498e7706c627a77cc
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlzvOw:hDXWipuE+K3/SSHgxmlKw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	DEMCEA5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	DEM24D4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	417b39c3251dc5dbe7c6622091853729_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	DEMCBDB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	DEM2268.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	DEM78A6.exe

Executes dropped EXE 6 IoCs

pid	Process
4108	DEMCBDB.exe
208	DEM2268.exe
3984	DEM78A6.exe
1548	DEMCEA5.exe
2560	DEM24D4.exe
3824	DEM7B12.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4108	5016	417b39c3251dc5dbe7c6622091853729_JaffaCakes118.exe	87
PID 5016 wrote to memory of 4108	5016	417b39c3251dc5dbe7c6622091853729_JaffaCakes118.exe	87
PID 5016 wrote to memory of 4108	5016	417b39c3251dc5dbe7c6622091853729_JaffaCakes118.exe	87
PID 4108 wrote to memory of 208	4108	DEMCBDB.exe	92
PID 4108 wrote to memory of 208	4108	DEMCBDB.exe	92
PID 4108 wrote to memory of 208	4108	DEMCBDB.exe	92
PID 208 wrote to memory of 3984	208	DEM2268.exe	94
PID 208 wrote to memory of 3984	208	DEM2268.exe	94
PID 208 wrote to memory of 3984	208	DEM2268.exe	94
PID 3984 wrote to memory of 1548	3984	DEM78A6.exe	96
PID 3984 wrote to memory of 1548	3984	DEM78A6.exe	96
PID 3984 wrote to memory of 1548	3984	DEM78A6.exe	96
PID 1548 wrote to memory of 2560	1548	DEMCEA5.exe	98
PID 1548 wrote to memory of 2560	1548	DEMCEA5.exe	98
PID 1548 wrote to memory of 2560	1548	DEMCEA5.exe	98
PID 2560 wrote to memory of 3824	2560	DEM24D4.exe	100
PID 2560 wrote to memory of 3824	2560	DEM24D4.exe	100
PID 2560 wrote to memory of 3824	2560	DEM24D4.exe	100

C:\Users\Admin\AppData\Local\Temp\417b39c3251dc5dbe7c6622091853729_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\417b39c3251dc5dbe7c6622091853729_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\DEMCBDB.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCBDB.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\DEM2268.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM2268.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\DEM78A6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM78A6.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Users\Admin\AppData\Local\Temp\DEMCEA5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCEA5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1548
      - C:\Users\Admin\AppData\Local\Temp\DEM24D4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM24D4.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\DEM7B12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7B12.exe"
        7⤵
        Executes dropped EXE
        
        PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2268.exe

Filesize
15KB

MD5
56c315f1dd027d19df6baa1014729327

SHA1
6893bb36cf9062c6a5172e2472b8795f9177b7b9

SHA256
9db82bd67e9bb32998083e5fcca6cd7de9c92cbdec831aa3e3e576aa7c5b5a75

SHA512
fb666b35d513a405b5642e29a5e01eb321d59b47c890b6fdbd182a04820b93755690807b2197a92e94cc821748398e891221150706b4d3afd2137abd751ff7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM24D4.exe

Filesize
15KB

MD5
064c30c73e32e00edcc58b4592e24fe5

SHA1
3cdf92f2ec17b8388d8eca2452ebf2c173b25281

SHA256
eb70ff81cffb88a42394c7191357e1ef1a85f9e70f31f950343e8418a6113d11

SHA512
2ed8e81c9a7dd1c2ebc11bd21caeac94bf74c12293a49cfbe6fc5706913f2d87a81da56153dbd7b446232137b4ac4fe9be15be8f3f8d61e3c602187feb7bf4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM78A6.exe

Filesize
15KB

MD5
e40534357ec204165ea7f6c4ee09b36b

SHA1
7b0b0b0786f26b2765d9c6a649c3550507a9da77

SHA256
ba860c6420e244c02073218d53687a1a9c2a0e5b4575e905e0ed74cc7c1fc686

SHA512
583a1b8da3533b0c56e784ff0218d4719192eb426fa1496829e5a539926f3bb360592afe5164bdc3b285601289a6f6967dd898b4c248dc2197b2881f498ccab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7B12.exe

Filesize
15KB

MD5
d894e1c69662732891c3b511b50556bb

SHA1
6ca8b06a8cc5e509a7d173b713ba655c75798d89

SHA256
3932d56c4ce2c9dd659f480ca727877eed79b5956fb1cd433c32694b9c56d78a

SHA512
135fa1e6ecebbf81455b36e97001dff87661f8cf985dd01b30e826d7d4d85fa323df563c7b637606ca29dde3d12abda079d2b66142e3477bfa1fbce7ac69ea93

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCBDB.exe

Filesize
15KB

MD5
f293e673e45b3a3b154343336c32b3bf

SHA1
95d459d89e795f88d270156793472daaddef3b4f

SHA256
b4f915a8515aa1e41cf6a64bf376ee78915a5bb454a5038b8198672a40468208

SHA512
cbb7ff0b13911fc7fa5bcc85b72c92a36054479ea532ac223379556f218dbb11bd263b213b84651a5838ad7f50ae0445798ef1554dfb4f8ffe95577fe121e8d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCEA5.exe

Filesize
15KB

MD5
a8ae6ee081ee43af12328dc38c1aabad

SHA1
9049a042cbb42d5fe9f4094a0a8ea63d076ea5f9

SHA256
2e7cc7741e2a9ed2bb76dc0d70287a52cf12eefcf23b6700c3ed692f3ff9f4ef

SHA512
61f195488400c8f312e59425e94d3d1992610ea30dddc7cb6f47396e844284f50e02724ab240a968ad96bba66705d761b77c0bd8e20a4fddacebd71b4b8529d1

Download Submit

Analysis

Sharing