59b0aeacca07cd300955e9010b6aee69724ab36ad306fedf50359928feb2720b

General

Target

5aa9384054baf008b3e9c7b6e460151a_JaffaCakes118.exe
Size

15KB
MD5

5aa9384054baf008b3e9c7b6e460151a
SHA1

f43a6e7221b12c7b40fe65bb8aa3ffa092ea6f06
SHA256

59b0aeacca07cd300955e9010b6aee69724ab36ad306fedf50359928feb2720b
SHA512

59000d070c97f2410dfb923d01f3088005664cfaee04b75629775c5a004a5b94965b8d919f324938d5a5caec3475f8e08072cf99df6117b560bea67c518cbfca
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY52+p:hDXWipuE+K3/SSHgxmz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	DEM96AD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	DEMED1A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	DEM4349.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	5aa9384054baf008b3e9c7b6e460151a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	DEMEA50.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	DEM40BD.exe

Executes dropped EXE 6 IoCs

pid	Process
4768	DEMEA50.exe
4872	DEM40BD.exe
1308	DEM96AD.exe
448	DEMED1A.exe
3260	DEM4349.exe
4400	DEM9977.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 4768	3744	5aa9384054baf008b3e9c7b6e460151a_JaffaCakes118.exe	94
PID 3744 wrote to memory of 4768	3744	5aa9384054baf008b3e9c7b6e460151a_JaffaCakes118.exe	94
PID 3744 wrote to memory of 4768	3744	5aa9384054baf008b3e9c7b6e460151a_JaffaCakes118.exe	94
PID 4768 wrote to memory of 4872	4768	DEMEA50.exe	99
PID 4768 wrote to memory of 4872	4768	DEMEA50.exe	99
PID 4768 wrote to memory of 4872	4768	DEMEA50.exe	99
PID 4872 wrote to memory of 1308	4872	DEM40BD.exe	103
PID 4872 wrote to memory of 1308	4872	DEM40BD.exe	103
PID 4872 wrote to memory of 1308	4872	DEM40BD.exe	103
PID 1308 wrote to memory of 448	1308	DEM96AD.exe	105
PID 1308 wrote to memory of 448	1308	DEM96AD.exe	105
PID 1308 wrote to memory of 448	1308	DEM96AD.exe	105
PID 448 wrote to memory of 3260	448	DEMED1A.exe	114
PID 448 wrote to memory of 3260	448	DEMED1A.exe	114
PID 448 wrote to memory of 3260	448	DEMED1A.exe	114
PID 3260 wrote to memory of 4400	3260	DEM4349.exe	116
PID 3260 wrote to memory of 4400	3260	DEM4349.exe	116
PID 3260 wrote to memory of 4400	3260	DEM4349.exe	116

C:\Users\Admin\AppData\Local\Temp\5aa9384054baf008b3e9c7b6e460151a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5aa9384054baf008b3e9c7b6e460151a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Users\Admin\AppData\Local\Temp\DEMEA50.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMEA50.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Users\Admin\AppData\Local\Temp\DEM40BD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM40BD.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\DEM96AD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM96AD.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1308
    - - C:\Users\Admin\AppData\Local\Temp\DEMED1A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMED1A.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:448
      - C:\Users\Admin\AppData\Local\Temp\DEM4349.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4349.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\DEM9977.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9977.exe"
        7⤵
        Executes dropped EXE
        
        PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM40BD.exe

Filesize
15KB

MD5
65675dbb01673bd19f4cefc374b8211e

SHA1
cc896d6ebc2d81c6c0d5e2b95e8f5fbf72656835

SHA256
0adfdb4ef27b6fcaf3043ac22ef0fb4554f9627ebbe04554153f29e5d7c41c25

SHA512
fc5bebff31446ba6c1ea00b6132a7bc48772687f6c189b368aaffeacc831ac1405e0677aacb3adba5a64e4ccaffba5194dd19bd7c8e77cb4520d241e9be3d780

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4349.exe

Filesize
15KB

MD5
a1758f143a5a98e3b816222c0ef90562

SHA1
f2524f70795652bfa21e06af3b223fb6e474cb68

SHA256
89dae25c48bc5a0294370b5640a1fb3f32155c6edcbb2f6becb669d67d652a61

SHA512
6489b2955fc6ffd20bcfb2a2fde6eb4c981a7990d8230d469d48d3639f156467a8ed6eba209841c0ecd3c5f99744a404486ef4708ae31b61a2887a818becb505

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM96AD.exe

Filesize
15KB

MD5
24102ad4c55dc46cd95b097a1a215882

SHA1
de219879495d89c56332d6df6f44cc63ca4291e7

SHA256
1f86efae02064eb1c10adfe9ef0df0d7b30b2a861221adb64f3f9e113855c280

SHA512
d473754d316623b4cb7d90c8047ab39cecf0aac952d6fb312ef806d9f3cdfa1e2ef95cc7587c271ad2e4714a8783e103d5ee36a23b833a902abef085beb1432c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9977.exe

Filesize
15KB

MD5
6a0c6b3f2ae3ce171f1e2227f2a0aac9

SHA1
c2adb346eea6bd8c9baafe6dda823aeea5d87e67

SHA256
91705fdce4ef43677ed45236c5b3625ff6e99c65f8db27bd6d352c6b93c49845

SHA512
c0704b1a5ab30c348fc6f29bbdb617fc09f1fec3939884953a4367805ee6ef669e2134c752d69329b6376dde868bb65ba91b78f509388449fa3615b95c52cea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEA50.exe

Filesize
15KB

MD5
5be14b474ee8d8c795818154c4f1e5a2

SHA1
b9c392b37dcfc26c27c1df912197d63178b92d35

SHA256
476554b06d8c235720857c6920c863475f61cf966d922159922bd1aa6863dea0

SHA512
3ef70a5cafde2f56064d17a22a0fcccf4d5fe4dcf0c8749ef0e0e92e5be284fab518b0cc98ff5010fd05ecd51a02fe7a8c3ca4cb03fcc9aab981b290beb1e3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMED1A.exe

Filesize
15KB

MD5
b53b93230f940648b86ac3218c2ba9e8

SHA1
b200505f508c12051c9a15e9e757fd525920fe2b

SHA256
ed8a225ff465ee3649908c0bfedec6550ea9eaab06cdda633059d56cec25fb59

SHA512
907416a7ee9d792bc361256867fd3f6b243804f32d2715928a46f366dad18d2e725b9349ec7f063084ba0960f2029821c6bc59a03c1fc061091ebc93b4f5a6d4

Download Submit

Analysis

Sharing