f0b7d095bf2e268684871a203d4f637db9e49514ad225bcd5a9f9c1fe335fa17

General

Target

59a7c352be88b626667d833b2706818c_JaffaCakes118.exe
Size

13KB
MD5

59a7c352be88b626667d833b2706818c
SHA1

b3b193722627937e867c78e0eb392228c6e9b71d
SHA256

f0b7d095bf2e268684871a203d4f637db9e49514ad225bcd5a9f9c1fe335fa17
SHA512

882f21e370507ad5a83493dc7df4b4ee4b38fcf400e906c835efdf44eb3b6fa03cba9e513e490cb8f5246e6ab6d4098adbf073cce6445ab5dc8d0b78ba6ff98a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhBW:hDXWipuE+K3/SSHgxfW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	DEM8373.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	DEMD983.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	59a7c352be88b626667d833b2706818c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	DEM8117.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	DEMD7B3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	DEM2DE1.exe

Executes dropped EXE 6 IoCs

pid	Process
4788	DEM8117.exe
2840	DEMD7B3.exe
2944	DEM2DE1.exe
1784	DEM8373.exe
5092	DEMD983.exe
932	DEM2FD0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 4788	1692	59a7c352be88b626667d833b2706818c_JaffaCakes118.exe	95
PID 1692 wrote to memory of 4788	1692	59a7c352be88b626667d833b2706818c_JaffaCakes118.exe	95
PID 1692 wrote to memory of 4788	1692	59a7c352be88b626667d833b2706818c_JaffaCakes118.exe	95
PID 4788 wrote to memory of 2840	4788	DEM8117.exe	100
PID 4788 wrote to memory of 2840	4788	DEM8117.exe	100
PID 4788 wrote to memory of 2840	4788	DEM8117.exe	100
PID 2840 wrote to memory of 2944	2840	DEMD7B3.exe	103
PID 2840 wrote to memory of 2944	2840	DEMD7B3.exe	103
PID 2840 wrote to memory of 2944	2840	DEMD7B3.exe	103
PID 2944 wrote to memory of 1784	2944	DEM2DE1.exe	105
PID 2944 wrote to memory of 1784	2944	DEM2DE1.exe	105
PID 2944 wrote to memory of 1784	2944	DEM2DE1.exe	105
PID 1784 wrote to memory of 5092	1784	DEM8373.exe	115
PID 1784 wrote to memory of 5092	1784	DEM8373.exe	115
PID 1784 wrote to memory of 5092	1784	DEM8373.exe	115
PID 5092 wrote to memory of 932	5092	DEMD983.exe	117
PID 5092 wrote to memory of 932	5092	DEMD983.exe	117
PID 5092 wrote to memory of 932	5092	DEMD983.exe	117

C:\Users\Admin\AppData\Local\Temp\59a7c352be88b626667d833b2706818c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59a7c352be88b626667d833b2706818c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\DEM8117.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8117.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\DEMD7B3.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD7B3.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\DEM2DE1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2DE1.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Users\Admin\AppData\Local\Temp\DEM8373.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8373.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Users\Admin\AppData\Local\Temp\DEMD983.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD983.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\DEM2FD0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2FD0.exe"
        7⤵
        Executes dropped EXE
        
        PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2DE1.exe

Filesize
13KB

MD5
54b8d46769d4f99822bd76b076103adf

SHA1
05433cf8ff5ab8f27c4eb5dce447224814446514

SHA256
dc4dc46ed59f90d50eab335bbfdf2bc51a1be204068d41a5cb3430ecb8501020

SHA512
c5f5311466aec72175d0b6c1c5a2d7cff57e5af241d9f81bc1470b3b6527e286cd99174b8631757e3084ff0bf80864f238e3ab98376c2ea8e1d9dac52d868b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2FD0.exe

Filesize
14KB

MD5
77eb1b4aa3c7002049625bc1b38cd2eb

SHA1
9d44b3b72c95c7b88035ee0b703f6f159a30305f

SHA256
0966b4f0635ca747d452723ffad0fcd8c6e78d058aaf9ce9d10525c0c37d4d01

SHA512
396ae3279a4f66acae7bc29bb4c207a088b6467d98d672bbf7bb60886594964912ea14cd781e3486591e6286f03707618d7b1ef6e10fe7d8dbc6797d84ca03f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8117.exe

Filesize
13KB

MD5
6d0b59ca105ec36236d2102f6a820b88

SHA1
553f9c409a1a98657301c619c362d68f8749ef3b

SHA256
3392ddefd6e74e5648f3c39cc13a8355b00f106fabce5aa58e15a1bcd29115ae

SHA512
3a5b960b17a691612aff8e2422f6381ff21d4ed80d8725d7ca1006e01f4fa948c935eb4b42c50fe126db4e0b127504eac9bf21f7df8021b6a2b016aefad0edcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8373.exe

Filesize
14KB

MD5
3708c6a9bb322d0140684de322948f0b

SHA1
e385a5f5b5c275ad86e3ba805c7454bd89270cbc

SHA256
077fffd7913fa185ba453c141da881275e8b0749460f2c31316be52fda039dc9

SHA512
7d823f5cdabf3766cf5334b92bc29fad7ac0f4fa2dce6b33cd5b1254671e5e726280b80ecb631c8c05068a05c8d259e99e43309a462797bcb10e097093ecd75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD7B3.exe

Filesize
13KB

MD5
22322063887eec85edb71ad182b90e19

SHA1
986b5e1babd12bca01f73a5c84a695294acd6afa

SHA256
c9cf0ddbb61ef304a2f779618ee5a8b406bb777b033a1c7a6b904eb60f369d51

SHA512
028422430312278489f4c35392687d572d3ff3b576e779e045f19b0bb3ffbc5ccdbdc3589a03691f52baf15b401afc3234b62a5e46f345c365d5be4c7be82a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD983.exe

Filesize
14KB

MD5
9de7eed7dcfdf25b14cc486122632441

SHA1
6c9b8acef2766d72dd2444db9d88ec55e9c58b6d

SHA256
3e67e42942d6d667b4b766c767c3c18cfaba4b09c9459ebeb429b25a45c6e5a3

SHA512
cc553e22d0f9c2d17300f3045b9829234f22ada1a1e218522dcffc639c02a83a437421f3236d248d0ebd240749438b1d940d43093872c060adf450f791061cc7

Download Submit

Analysis

Sharing