f6396c9bde6f7fbaa8923e8b4fe6f5425da03d17ee5f51478e0ccfafd9298c71

General

Target

6829cd44c4455b477d6b05d169164f42_JaffaCakes118.exe
Size

14KB
MD5

6829cd44c4455b477d6b05d169164f42
SHA1

fc463f3c5c939adc99f39c9a8d3199e6abd5303d
SHA256

f6396c9bde6f7fbaa8923e8b4fe6f5425da03d17ee5f51478e0ccfafd9298c71
SHA512

f7553fd54424e1b1231849e0d76f86f4684eb402149493e4cf991e94e268e2b593eafd3d153814bef3e10239800416f3b2cab837294b0da768a40f32f2503f39
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhi6z:hDXWipuE+K3/SSHgx1

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEMF112.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	6829cd44c4455b477d6b05d169164f42_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEM97CB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEMEE96.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEM44E4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEM9A95.exe

Executes dropped EXE 6 IoCs

pid	Process
4856	DEM97CB.exe
4184	DEMEE96.exe
1504	DEM44E4.exe
2192	DEM9A95.exe
1876	DEMF112.exe
396	DEM4721.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4721.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6829cd44c4455b477d6b05d169164f42_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM97CB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEE96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM44E4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9A95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF112.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 4856	1676	6829cd44c4455b477d6b05d169164f42_JaffaCakes118.exe	96
PID 1676 wrote to memory of 4856	1676	6829cd44c4455b477d6b05d169164f42_JaffaCakes118.exe	96
PID 1676 wrote to memory of 4856	1676	6829cd44c4455b477d6b05d169164f42_JaffaCakes118.exe	96
PID 4856 wrote to memory of 4184	4856	DEM97CB.exe	101
PID 4856 wrote to memory of 4184	4856	DEM97CB.exe	101
PID 4856 wrote to memory of 4184	4856	DEM97CB.exe	101
PID 4184 wrote to memory of 1504	4184	DEMEE96.exe	104
PID 4184 wrote to memory of 1504	4184	DEMEE96.exe	104
PID 4184 wrote to memory of 1504	4184	DEMEE96.exe	104
PID 1504 wrote to memory of 2192	1504	DEM44E4.exe	106
PID 1504 wrote to memory of 2192	1504	DEM44E4.exe	106
PID 1504 wrote to memory of 2192	1504	DEM44E4.exe	106
PID 2192 wrote to memory of 1876	2192	DEM9A95.exe	112
PID 2192 wrote to memory of 1876	2192	DEM9A95.exe	112
PID 2192 wrote to memory of 1876	2192	DEM9A95.exe	112
PID 1876 wrote to memory of 396	1876	DEMF112.exe	117
PID 1876 wrote to memory of 396	1876	DEMF112.exe	117
PID 1876 wrote to memory of 396	1876	DEMF112.exe	117

C:\Users\Admin\AppData\Local\Temp\6829cd44c4455b477d6b05d169164f42_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6829cd44c4455b477d6b05d169164f42_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\DEM97CB.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM97CB.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\DEMEE96.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMEE96.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Users\Admin\AppData\Local\Temp\DEM44E4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM44E4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Users\Admin\AppData\Local\Temp\DEM9A95.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9A95.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Users\Admin\AppData\Local\Temp\DEMF112.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF112.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\DEM4721.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4721.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM44E4.exe

Filesize
15KB

MD5
7d11f014de5359343399f437b4380963

SHA1
aa6d1a4262203d4aba2f5cbc3b992f66359ec0f9

SHA256
9c2f12a7b8a7f6536fcd2d7d672e7143211df073e286dc814c5d7f54de1c3555

SHA512
45655e9822f8909704a19226a9d1b0979502164716a2d11d57482cf044f87491278817c8d74a3949c98a646d2f64cae0cf120d21b38d4a749f8c0296cf413226

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4721.exe

Filesize
15KB

MD5
530621f44bd59751352ab1806466af6a

SHA1
1b89a8c48a6ed6a500d4d6199916634c3c2da4cf

SHA256
5124811da4040c49097a5b947a5a5f6841efe84ea5772fc933bc8219f560e29e

SHA512
aa73a658677ea70ca9f09cc2ffe0d0ed2e2c7ec35e8b50ee415fe9c4079d438552d99e1717d765c94c36bf3c4f40586e0f5837f7f01de782474386854234d967

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM97CB.exe

Filesize
14KB

MD5
58ae050ff123ce4221834562fd2bb735

SHA1
cac873c403ce25bb5af185f91b5ca7a2b13d2cec

SHA256
e7caa8b48684adf2e71ebd29cc866ecccf03758b0360b62626b2f2f37e109b4e

SHA512
711c2a2f87f2617c0284cd242c293f9b0923dbe4a938c06086178af30a051cad2a3f870fc1f2f931141ac1d8431165c6f02fdb6ddedb4ed0f6db510c7c778e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9A95.exe

Filesize
15KB

MD5
7fae1b7cc021f99af4f22c689d7e1734

SHA1
8454cc85a57cc71572371c31e71121d413a833bb

SHA256
a06012425a968b12307b915467db2919585fe6a5b11d17397f252ee32561c6cd

SHA512
845814791ee9eea32fe5f434d334b0603d566c1c71ea8cb7bd371e71418e5f2dc93bf4fabc864d9608e0f051e0fe4f0afc46a3d2cf114c09687f8c344f8fb527

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEE96.exe

Filesize
14KB

MD5
1770616ef8487685abbacd68e629c403

SHA1
925351a63880fe8f1870f8a6c6e5a80269f73684

SHA256
731c81d58603a7fc080992b49472c538f1e8c71ed9c8ef3b7709887339c4df16

SHA512
9ff359971abaeaa6eed21d32dceb5508b072514edb8b0c76ac93d2c67541ac6df71d77c88bc17b9c1e94739732d6e93e21e939134365c88b30b2d19d30188b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF112.exe

Filesize
15KB

MD5
0315a4c4a846ab90545119e0518cd58b

SHA1
5d83396a8663656b5c5b4fd81b8b92ce33b331da

SHA256
e72b19982195f24ef1fd658e1b030ae9f7e08a1a2df98a18f3ee54f771f02bef

SHA512
31439cf7df81e4ac9b167ca262c1af32bb6ed60d340d7caf29b9eee17f52e8f7d718b9aa95ee7132657fe70e0828fe2368abc5cf77aa422eb7511ed7b21577dd

Download Submit

Analysis

Sharing