d05f3913df2c75e95a07f898d470cdc5ced07b93e13816544d189ee70da6c64c

General

Target

5a672671755e94a230d3f600dc7389fa_JaffaCakes118.exe
Size

14KB
MD5

5a672671755e94a230d3f600dc7389fa
SHA1

4c5c9b13afe4f245e2b8342e53d88c181457fe2c
SHA256

d05f3913df2c75e95a07f898d470cdc5ced07b93e13816544d189ee70da6c64c
SHA512

d12b8acccd45a4013fddcc8beb4083df56bd0883b87648cd6fb0075fde9404c5086e91e799a49a4e06490efd34237ec2065efee7dfac2cac60832cb9ef7c8cf6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYp:hDXWipuE+K3/SSHgxmp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEM3052.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEM86DE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEMDD0D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	5a672671755e94a230d3f600dc7389fa_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEM82CC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEMD9D5.exe

Executes dropped EXE 6 IoCs

pid	Process
2416	DEM82CC.exe
4936	DEMD9D5.exe
3148	DEM3052.exe
3160	DEM86DE.exe
1396	DEMDD0D.exe
4828	DEM336A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2416	2396	5a672671755e94a230d3f600dc7389fa_JaffaCakes118.exe	95
PID 2396 wrote to memory of 2416	2396	5a672671755e94a230d3f600dc7389fa_JaffaCakes118.exe	95
PID 2396 wrote to memory of 2416	2396	5a672671755e94a230d3f600dc7389fa_JaffaCakes118.exe	95
PID 2416 wrote to memory of 4936	2416	DEM82CC.exe	100
PID 2416 wrote to memory of 4936	2416	DEM82CC.exe	100
PID 2416 wrote to memory of 4936	2416	DEM82CC.exe	100
PID 4936 wrote to memory of 3148	4936	DEMD9D5.exe	104
PID 4936 wrote to memory of 3148	4936	DEMD9D5.exe	104
PID 4936 wrote to memory of 3148	4936	DEMD9D5.exe	104
PID 3148 wrote to memory of 3160	3148	DEM3052.exe	106
PID 3148 wrote to memory of 3160	3148	DEM3052.exe	106
PID 3148 wrote to memory of 3160	3148	DEM3052.exe	106
PID 3160 wrote to memory of 1396	3160	DEM86DE.exe	117
PID 3160 wrote to memory of 1396	3160	DEM86DE.exe	117
PID 3160 wrote to memory of 1396	3160	DEM86DE.exe	117
PID 1396 wrote to memory of 4828	1396	DEMDD0D.exe	119
PID 1396 wrote to memory of 4828	1396	DEMDD0D.exe	119
PID 1396 wrote to memory of 4828	1396	DEMDD0D.exe	119

C:\Users\Admin\AppData\Local\Temp\5a672671755e94a230d3f600dc7389fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a672671755e94a230d3f600dc7389fa_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\DEM82CC.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM82CC.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\DEMD9D5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD9D5.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Users\Admin\AppData\Local\Temp\DEM3052.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3052.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3148
    - - C:\Users\Admin\AppData\Local\Temp\DEM86DE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM86DE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3160
      - C:\Users\Admin\AppData\Local\Temp\DEMDD0D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDD0D.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\DEM336A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM336A.exe"
        7⤵
        Executes dropped EXE
        
        PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3052.exe

Filesize
14KB

MD5
90dac331d1457354051254bab79f71c8

SHA1
81cbbf97e001f924c5effe90420294f35bd8b3bf

SHA256
d3d8a971da650023a9b77bcab3110250b4ac4f6efc8d17d717b2b9dbfc464f23

SHA512
8d80a41c870900ac97390b6c3868ef3a8442851df2a6ebb6b6c5372a7385a2a9c49cefb6b89a5836743ac39fb88b5491fbe5e2069076f58861aa26f1e9321e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM336A.exe

Filesize
14KB

MD5
1d09ca690a30d825e046ff28b4cfdf16

SHA1
a5f9118c7a29bda440edcfd9abe5db27d4dbd0d2

SHA256
5c28fdcda03a36b773f07c184cd7ab4132d902a4bd3af29a9c211f5ab350f1a9

SHA512
7c13438ed2d3f85e2adac3cd788193e91a85c60aaabf601fd89ae2c2098bc0d1469f095f7ac3760ce56ed4b9dff8c2fa06589fc3e24c9cff12e2f56dfeed9a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM82CC.exe

Filesize
14KB

MD5
bf56748fded9c602fc1c865fcd2cf4db

SHA1
458b91397f964c8bb4c394b3576382651f699b85

SHA256
99b986a87a50508728867af1434bef60b6503e28792725414cbf3397835e6194

SHA512
cacfce0d840f385e648297ff962a30f9e596a9c41f7cafd045c9083daed977ca2735f241744d65385eac252a41e009cd4c9bede4d2f0800b2ce9842fab80478b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM86DE.exe

Filesize
14KB

MD5
986c0bb1205a41ede8c5093605d7ea76

SHA1
8f80e5f0e280e965bd44e109afa0fdb7cf1c3b75

SHA256
76f6b76f45087a364c6f405861b9eefd780ef41998b2e72a2e89d096f3969379

SHA512
15a4d694d4bd10660639d11c8e9c77a270f2bc0ae009be8e08d617b81a601f1ab223f68addb9cbf10aebc0d4c6ab6a63b1aeb59bf48e1a335f8e40cc24c5ef81

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD9D5.exe

Filesize
14KB

MD5
89cb67c4b5310495d6adf66a933bbc6d

SHA1
f837bf6a2f418e01e2f69a011139cec02d9fa4f9

SHA256
4ceb9ef4ee1d2a7e89d6c3901fdcdc717895b2794c839117ce57ec46fc3261e3

SHA512
e95315fdf9f72d26a754e9b0868016286bed67e0e12ade1bece5bb797624059b1dc09b4c14b05c40b059002772f7df180dba3220e3f0f2fb26329d0b977c53ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDD0D.exe

Filesize
14KB

MD5
7763d90d399219c6b5620d0e571f3385

SHA1
564e4194837018b9ce3467a0ad9a988abc1d225a

SHA256
5affe65b8ddb0ca37e9b29421bf66b360e1c6e85df5958a4d9c70a952da55f6c

SHA512
ee2e7e77e527a51ed35b7cc1781d8341b2bcc0698d2abc1c7996651006717940a1f4eff4132d282e01bc9c308ad97a6c00b91c40617b9588e6db214a0ab3c096

Download Submit

Analysis

Sharing