e09c582c72461abcdda0f3b6d49929097223c5df4c3713e10194f0c73e776f60

General

Target

45916582f333dfc6dec47c11ae886e13_JaffaCakes118.exe
Size

14KB
MD5

45916582f333dfc6dec47c11ae886e13
SHA1

2437139459170ecdeab64cf2d7f0441f96f9f55c
SHA256

e09c582c72461abcdda0f3b6d49929097223c5df4c3713e10194f0c73e776f60
SHA512

bfce7f015274a149565449f5a597d6f9471ffd762b7db46533db903d726a0de6c8ce81c88d5bf6b4099bb0929f8c74b76c050bdb4417ae6ce967d4be63995962
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJW:hDXWipuE+K3/SSHgxvW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	DEMCB9D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	DEM21BC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	DEM77AC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	DEMCDDA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	45916582f333dfc6dec47c11ae886e13_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	DEM7511.exe

Executes dropped EXE 6 IoCs

pid	Process
2960	DEM7511.exe
892	DEMCB9D.exe
3432	DEM21BC.exe
2672	DEM77AC.exe
4424	DEMCDDA.exe
3632	DEM2428.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2960	1188	45916582f333dfc6dec47c11ae886e13_JaffaCakes118.exe	87
PID 1188 wrote to memory of 2960	1188	45916582f333dfc6dec47c11ae886e13_JaffaCakes118.exe	87
PID 1188 wrote to memory of 2960	1188	45916582f333dfc6dec47c11ae886e13_JaffaCakes118.exe	87
PID 2960 wrote to memory of 892	2960	DEM7511.exe	92
PID 2960 wrote to memory of 892	2960	DEM7511.exe	92
PID 2960 wrote to memory of 892	2960	DEM7511.exe	92
PID 892 wrote to memory of 3432	892	DEMCB9D.exe	94
PID 892 wrote to memory of 3432	892	DEMCB9D.exe	94
PID 892 wrote to memory of 3432	892	DEMCB9D.exe	94
PID 3432 wrote to memory of 2672	3432	DEM21BC.exe	96
PID 3432 wrote to memory of 2672	3432	DEM21BC.exe	96
PID 3432 wrote to memory of 2672	3432	DEM21BC.exe	96
PID 2672 wrote to memory of 4424	2672	DEM77AC.exe	98
PID 2672 wrote to memory of 4424	2672	DEM77AC.exe	98
PID 2672 wrote to memory of 4424	2672	DEM77AC.exe	98
PID 4424 wrote to memory of 3632	4424	DEMCDDA.exe	100
PID 4424 wrote to memory of 3632	4424	DEMCDDA.exe	100
PID 4424 wrote to memory of 3632	4424	DEMCDDA.exe	100

C:\Users\Admin\AppData\Local\Temp\45916582f333dfc6dec47c11ae886e13_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45916582f333dfc6dec47c11ae886e13_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\DEM7511.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7511.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\DEMCB9D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCB9D.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Users\Admin\AppData\Local\Temp\DEM21BC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM21BC.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3432
    - - C:\Users\Admin\AppData\Local\Temp\DEM77AC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM77AC.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Users\Admin\AppData\Local\Temp\DEMCDDA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCDDA.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\DEM2428.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2428.exe"
        7⤵
        Executes dropped EXE
        
        PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM21BC.exe

Filesize
14KB

MD5
7b13e8e3452767195523c9f78ffd11d7

SHA1
9bce2a92ad8624a22e33041b0bb39697f6598860

SHA256
45746daa22f5390aa229f2f7efd6e3b0186c63aced6e9d7630ef740062aefe78

SHA512
692da840c77d06cc70b5d5f4742800ad01b774f20159fa27c7c2100835d7bcdc7e8df428e679a7b17897380636651c9914c9f42f90c95e4f60acbe36c58a0325

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2428.exe

Filesize
14KB

MD5
298190c655b1415781e07b214d5b1376

SHA1
2ce9cb0bbd8719869b5f3b4fcd84d0ca02758ba8

SHA256
cf278688e3c2e86fbbf526b320df157009f19116bdaedb7c531e0d41f0db3bbd

SHA512
54fefc74feab85ad0771c299bb9854afec747fe6a0d25eea2968ef7312ea5c86bd78ca811e51929bc08aa18cbcec309cc967bfad13e6f1c0f64d2de27cd1580e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7511.exe

Filesize
14KB

MD5
b9669235f9d240d781bf9f4e303547c7

SHA1
2d8255bf408c1576d903053ff64fc21b4957ad71

SHA256
92ef29d2c8353090610578d3de5bdae4795c73d65e74dde1f78523a971c77dbc

SHA512
87a488102e3208eabb62ea5573d887ad234a3c3b4694faa63acca7b3a8edfdd65aad9e897b27f543012aac40b61a2c804c7082fd17ea10083d1ee5650255cf8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM77AC.exe

Filesize
14KB

MD5
5460ec4f3c84c008867adf2c675d8165

SHA1
c3edf7d1eaeb904461a530b669e09603b336efbb

SHA256
cbdaa6be1349d92e45d22d1ec33679e158b41cbd1aa7923263cd3be36c328426

SHA512
9c7a80e8a7e4ad5ea7f9d2d9e670c3d8a79f04392db42ef93845530a469ba45dcebdff5c646775a8ed426f9b914f262620e46047867338a567613aa3d8ff29b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCB9D.exe

Filesize
14KB

MD5
88ea3b30b1c1adaafe436713531d1210

SHA1
593f50d75712b1e41f7decdec99617fac4c821ef

SHA256
b850e56c38a2ec049de0e3a1520c3c8fe0a560bfa30525d61c7b5356347750ac

SHA512
5785fb2d1e2dac806d793c0b96445b02bc27f1e7840ac3a2c1ca1034d3b1ee3774314ae38aee78714a923c493ffc676e36fdb144d540dd21031bf684292ed521

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCDDA.exe

Filesize
14KB

MD5
420a2348a9fda9c3011b3651e917fcd2

SHA1
7c5ad14b8b3e4ecd7a4349c9bade267323fb8a0d

SHA256
bae003032341bb7cec4ab31505aca79a63129508564a3d8c07c28d2e91314c71

SHA512
87c3803894d07a383cdd74b80461f3e2be65636c5c107cfbf4334d674698eb0e612dd72c389aa5a942857c7c6145b5ee011827a3149cad12f7f47c460321b4bc

Download Submit

Analysis

Sharing