b49f3764944f37df8507481c61f59b0a54333e36746e18e80b9a297a8ba138e4

General

Target

5b3d02d41319de57a69e039c13a89b9e_JaffaCakes118.exe
Size

15KB
MD5

5b3d02d41319de57a69e039c13a89b9e
SHA1

1a559e2a73bed0bbe3f1dd6b42e4dbda7dae8238
SHA256

b49f3764944f37df8507481c61f59b0a54333e36746e18e80b9a297a8ba138e4
SHA512

9d8f9abbadb97b8d00d74d45e922020cc1514d8ac507995624ba39f37b2677c7003c19cc75565ea5bb967586bee050f7e08a2884d7a347e2d9d84e7d0a694538
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY84/l:hDXWipuE+K3/SSHgxm84/l

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEMCBCC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEM2323.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEM79BF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEMCFCE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEM2570.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5b3d02d41319de57a69e039c13a89b9e_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3652	DEMCBCC.exe
1976	DEM2323.exe
4040	DEM79BF.exe
1688	DEMCFCE.exe
1096	DEM2570.exe
2940	DEM7AE3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 3652	1964	5b3d02d41319de57a69e039c13a89b9e_JaffaCakes118.exe	97
PID 1964 wrote to memory of 3652	1964	5b3d02d41319de57a69e039c13a89b9e_JaffaCakes118.exe	97
PID 1964 wrote to memory of 3652	1964	5b3d02d41319de57a69e039c13a89b9e_JaffaCakes118.exe	97
PID 3652 wrote to memory of 1976	3652	DEMCBCC.exe	102
PID 3652 wrote to memory of 1976	3652	DEMCBCC.exe	102
PID 3652 wrote to memory of 1976	3652	DEMCBCC.exe	102
PID 1976 wrote to memory of 4040	1976	DEM2323.exe	104
PID 1976 wrote to memory of 4040	1976	DEM2323.exe	104
PID 1976 wrote to memory of 4040	1976	DEM2323.exe	104
PID 4040 wrote to memory of 1688	4040	DEM79BF.exe	107
PID 4040 wrote to memory of 1688	4040	DEM79BF.exe	107
PID 4040 wrote to memory of 1688	4040	DEM79BF.exe	107
PID 1688 wrote to memory of 1096	1688	DEMCFCE.exe	117
PID 1688 wrote to memory of 1096	1688	DEMCFCE.exe	117
PID 1688 wrote to memory of 1096	1688	DEMCFCE.exe	117
PID 1096 wrote to memory of 2940	1096	DEM2570.exe	119
PID 1096 wrote to memory of 2940	1096	DEM2570.exe	119
PID 1096 wrote to memory of 2940	1096	DEM2570.exe	119

C:\Users\Admin\AppData\Local\Temp\5b3d02d41319de57a69e039c13a89b9e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b3d02d41319de57a69e039c13a89b9e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\DEMCBCC.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCBCC.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\DEM2323.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM2323.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\DEM79BF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM79BF.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4040
    - - C:\Users\Admin\AppData\Local\Temp\DEMCFCE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCFCE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Users\Admin\AppData\Local\Temp\DEM2570.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2570.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\DEM7AE3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7AE3.exe"
        7⤵
        Executes dropped EXE
        
        PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2323.exe

Filesize
15KB

MD5
073a3776e166e93362f84da740bc6d14

SHA1
b97a002b0b082f98b7149cecdabd0f534241e8bb

SHA256
a821dd22bbe5d5e64d906df8c2b2f26158b1e4f17e39559b2d0bd35ffbe671d5

SHA512
bcdea8bd8cdf62fd85dae8b0ed2b97785578f6cb5d73ce3a34ca4732403f1449b4d49806be1bbab3df6e74ae723fd5ae3e6f47b1fb6ad53f010bf04edd40d064

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2570.exe

Filesize
15KB

MD5
458e41fe87cbb719303e99c4eba8253f

SHA1
07e308e2616390c72f09b99e5999a2545bf93a21

SHA256
aeccf3192fdc54860bd66c5d31c7f9af0a1d16cb4bb1497271c563aa4fd28023

SHA512
2a78a14dcb14476987c3ceba3ff34e49152d13bf018b29dfd390febecc0b4cdd38ca8fea3895f7babeea778fb211d6034463a8a2573ce1b49dc393643b10343f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM79BF.exe

Filesize
15KB

MD5
7889d31687186a31f6c7b0b4b35b3449

SHA1
6de16130de5408011350f2c9818929060b58e631

SHA256
549761c6b32edef72147e2bca82fd27ee1b786d41711b5fe3f2f7ceb0404c6d2

SHA512
be022470f7fff2cd881720c656f35577699ccebb2bcdadf0420034fd5e16d1fe65276294ba9d0d7460e06b53f5b03b67980c8f887888c6b20de95ccd356e8dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7AE3.exe

Filesize
15KB

MD5
ea0fc500842b5d70ede8b33dfa8be176

SHA1
010428b930fd88ecc3c7194e168e42a5ba16dc52

SHA256
3bce17530460cc1c8956efcade2f888b0e1b4ef80a9648c32b9e0cf3673e6c7e

SHA512
4314e9467041457d873b22b986f9212dc203dcc58953aee348af7c9f6abaca0fc99da50383e1a4b8b9ea636cc05fe9955ba2c36b0ecb2d38c1284a88be0763b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCBCC.exe

Filesize
15KB

MD5
fa0716b5b3cab3292c41b06572e601c4

SHA1
d1e69388a16ad8b510e3b6ace95d95c4f7ede348

SHA256
c9cbfcc5e9674cebd9320bcf4b0c5ec9c6c0e5856ffded12554e38aed76e4715

SHA512
11249ade21b32f4a986442839ce3bed92f8653a392548c369db2a26570113bec30eb0c107a0ff2e44ae5d59a3b3740d941f467e81d35ee66eab921e6a9116453

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCFCE.exe

Filesize
15KB

MD5
fd92a645454a7b2321f49b96f480f995

SHA1
b59747d570dee367c5d1ba1803250e102ac0e34d

SHA256
811e592f0b69f9e2874b93a11887a90efc02c8c0e5037858f3362de462ff496a

SHA512
b0abc0391f9f0258fca42f481ee60af8effec6730e2995e7e672fc236aa07d84363bbc23c230bc0e1e8762390aa68c412b2f48067b099782d2fc1b5c0ac25ef1

Download Submit

Analysis

Sharing