e090a5fdd69c6791219da70701656a381e74e91795becd824e78a8e2a354b8ba

General

Target

63e19972eeaf32dbc57ac8a81133cbb2_JaffaCakes118.exe
Size

14KB
MD5

63e19972eeaf32dbc57ac8a81133cbb2
SHA1

fb7188ae1c085208f6aceb43beaf284c1c7b5378
SHA256

e090a5fdd69c6791219da70701656a381e74e91795becd824e78a8e2a354b8ba
SHA512

e62376cda79b29621663b635dc0e791adcf1ad6fba9c3661237ad20bd57851d73846e9fde077b132ab5c6b3d098988976aee5da44a4265d02bdcf4f47cd8d58e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYWmbvp:hDXWipuE+K3/SSHgxmWmbB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEMFAC6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	63e19972eeaf32dbc57ac8a81133cbb2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEMA095.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEMF78F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEM4E0B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEMA42A.exe

Executes dropped EXE 6 IoCs

pid	Process
2744	DEMA095.exe
828	DEMF78F.exe
3324	DEM4E0B.exe
1876	DEMA42A.exe
552	DEMFAC6.exe
5104	DEM5078.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2744	1080	63e19972eeaf32dbc57ac8a81133cbb2_JaffaCakes118.exe	95
PID 1080 wrote to memory of 2744	1080	63e19972eeaf32dbc57ac8a81133cbb2_JaffaCakes118.exe	95
PID 1080 wrote to memory of 2744	1080	63e19972eeaf32dbc57ac8a81133cbb2_JaffaCakes118.exe	95
PID 2744 wrote to memory of 828	2744	DEMA095.exe	100
PID 2744 wrote to memory of 828	2744	DEMA095.exe	100
PID 2744 wrote to memory of 828	2744	DEMA095.exe	100
PID 828 wrote to memory of 3324	828	DEMF78F.exe	103
PID 828 wrote to memory of 3324	828	DEMF78F.exe	103
PID 828 wrote to memory of 3324	828	DEMF78F.exe	103
PID 3324 wrote to memory of 1876	3324	DEM4E0B.exe	105
PID 3324 wrote to memory of 1876	3324	DEM4E0B.exe	105
PID 3324 wrote to memory of 1876	3324	DEM4E0B.exe	105
PID 1876 wrote to memory of 552	1876	DEMA42A.exe	115
PID 1876 wrote to memory of 552	1876	DEMA42A.exe	115
PID 1876 wrote to memory of 552	1876	DEMA42A.exe	115
PID 552 wrote to memory of 5104	552	DEMFAC6.exe	117
PID 552 wrote to memory of 5104	552	DEMFAC6.exe	117
PID 552 wrote to memory of 5104	552	DEMFAC6.exe	117

C:\Users\Admin\AppData\Local\Temp\63e19972eeaf32dbc57ac8a81133cbb2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63e19972eeaf32dbc57ac8a81133cbb2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\DEMA095.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA095.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\DEMF78F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF78F.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\DEM4E0B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4E0B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3324
    - - C:\Users\Admin\AppData\Local\Temp\DEMA42A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA42A.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1876
      - C:\Users\Admin\AppData\Local\Temp\DEMFAC6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFAC6.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\DEM5078.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5078.exe"
        7⤵
        Executes dropped EXE
        
        PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4E0B.exe

Filesize
14KB

MD5
c20f6225654e62d8ed79c2168bb02669

SHA1
6eab4e2b1991db63e651fb4c79834b09ed349584

SHA256
d2c1310218ec560ae6919287fca293e609005a763d7806f2401873cbda99ee23

SHA512
4f73e0d829161ed81b3e55da55f341e81a638557afd1e712024ceddb4f34517eb0ab4358fc60ca652f1b3ef524518e5ff337a291a68f676843b220147add1152

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5078.exe

Filesize
14KB

MD5
1e69ece8bf1ad001452b57d7b64e944c

SHA1
514dde93f4376e374cb97107551f7e48b722627e

SHA256
e339d2a2b300a742439b54fce984209a86ad3958d3346cb936a2e6331648f633

SHA512
2b4ecaeacd5c84b1992a97e5dfd2c7231b7a42e9c81d48dbdd81baa4ede2f800bf141b1cbe83753f7829a06c0f441423738169d093b5033e77052ed18455cab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA095.exe

Filesize
14KB

MD5
7c8e5269f2fba63397531d8bcbedf94f

SHA1
ead720d05bd1a3c150f978272cbfb87f7ddcfe6d

SHA256
211063dbead5d9fc7bcdf086802d1061afe4e6c397544995437d26fe4e242ef1

SHA512
e5f03415a1437cb9b971f667c6ea0ca39abf4d571e2ca69551f2a4e0cb2ea4068a663b072aa989de04fc116e04e40ec7e8f2d3725caa6f8a05c2932c26220842

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA42A.exe

Filesize
14KB

MD5
4709d8a497bab12c7d67c3ecf71fc244

SHA1
fc9c472ef3fd600a6b6c259e761961146f5da17d

SHA256
921aed10c4f6078881b3f901c513ceef7a584f61f4bf99e96ad7f257f3fd4a8b

SHA512
ced429b15bca1635dd9d10574ee13f475bdbbdf907bde44886113e16e2fbdef5dd4bfb3dd28f1a2255d444999ab1a9037a1b175b00fc727e39f3f7529fd520c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF78F.exe

Filesize
14KB

MD5
f0d2de71e3300578fde2f39ec347dcf5

SHA1
a305f4df7416538ccac086b2fdef2cd3dcc8b4ba

SHA256
ff0c8d0eb16515e58de178dcc9396d3604415b63d25d440c32a3a4e957e8b1ea

SHA512
016ef6eef9b20a5d826d65314cc4874c639325fd01e96a019f46dada8c792ca95bb5e011b17b3ce92a84f080f3bb0f55a6f54b3ba96f6b4e559b2315ff1972ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFAC6.exe

Filesize
14KB

MD5
52ebd77b9f1a27f26c0849e628920551

SHA1
05e8d884698f532badaaa570431801ce3b8fb8a2

SHA256
3c0c6bc3f4f6363501e8cb3158a8d6935a867f92e0b3cf46ebabd9493c587f86

SHA512
ff89607aeda07e4c781ab24a7ba76f97e4f27f09f937f7442683b5a864b8f7aab7ce0e81892ebe3b32552f298439da06d17a0d164d2e95ed82ad72e2d7273d41

Download Submit

Analysis

Sharing