6a08eee29d5988c87413e2bad5d8d091a6cf58154e0473159dd47ae2aa76d7c8

General

Target

680dcaf2909202ee8771c3d88d1995de_JaffaCakes118.exe
Size

14KB
MD5

680dcaf2909202ee8771c3d88d1995de
SHA1

ba40bfbe023bd6bcb7d83cab908b1505fceca348
SHA256

6a08eee29d5988c87413e2bad5d8d091a6cf58154e0473159dd47ae2aa76d7c8
SHA512

63790d941b613217b42b5d54e89cb58272a65b9d596b037e1c149d7052f774630ed43050093a84bd28cc3ba49bb5855a96f9e523eb71e135ffe9cb09acbcb8ed
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYWmbSp:hDXWipuE+K3/SSHgxmWmbSp

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEMC7E4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEM1E80.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEM748F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEMCA02.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	680dcaf2909202ee8771c3d88d1995de_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEM70EA.exe

Executes dropped EXE 6 IoCs

pid	Process
2560	DEM70EA.exe
2576	DEMC7E4.exe
4324	DEM1E80.exe
3336	DEM748F.exe
1536	DEMCA02.exe
4768	DEM2040.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	680dcaf2909202ee8771c3d88d1995de_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM70EA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC7E4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1E80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM748F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCA02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2040.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2560	1044	680dcaf2909202ee8771c3d88d1995de_JaffaCakes118.exe	95
PID 1044 wrote to memory of 2560	1044	680dcaf2909202ee8771c3d88d1995de_JaffaCakes118.exe	95
PID 1044 wrote to memory of 2560	1044	680dcaf2909202ee8771c3d88d1995de_JaffaCakes118.exe	95
PID 2560 wrote to memory of 2576	2560	DEM70EA.exe	100
PID 2560 wrote to memory of 2576	2560	DEM70EA.exe	100
PID 2560 wrote to memory of 2576	2560	DEM70EA.exe	100
PID 2576 wrote to memory of 4324	2576	DEMC7E4.exe	102
PID 2576 wrote to memory of 4324	2576	DEMC7E4.exe	102
PID 2576 wrote to memory of 4324	2576	DEMC7E4.exe	102
PID 4324 wrote to memory of 3336	4324	DEM1E80.exe	105
PID 4324 wrote to memory of 3336	4324	DEM1E80.exe	105
PID 4324 wrote to memory of 3336	4324	DEM1E80.exe	105
PID 3336 wrote to memory of 1536	3336	DEM748F.exe	115
PID 3336 wrote to memory of 1536	3336	DEM748F.exe	115
PID 3336 wrote to memory of 1536	3336	DEM748F.exe	115
PID 1536 wrote to memory of 4768	1536	DEMCA02.exe	117
PID 1536 wrote to memory of 4768	1536	DEMCA02.exe	117
PID 1536 wrote to memory of 4768	1536	DEMCA02.exe	117

C:\Users\Admin\AppData\Local\Temp\680dcaf2909202ee8771c3d88d1995de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\680dcaf2909202ee8771c3d88d1995de_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\DEM70EA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM70EA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\DEMC7E4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC7E4.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\DEM1E80.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1E80.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Users\Admin\AppData\Local\Temp\DEM748F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM748F.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3336
      - C:\Users\Admin\AppData\Local\Temp\DEMCA02.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCA02.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\DEM2040.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2040.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1E80.exe

Filesize
14KB

MD5
3dc7c1df7fbea284e688f64bd76c63c1

SHA1
b1f9906bd0cdfd183dd8ad3481c8df44b12c7b41

SHA256
dc2576ef5e62b4b3b5f8b42b5225b848eacc8f97a468cfe575e188fc2c42288d

SHA512
0ff077109219bf4eb09e2de1282f269d46ae7d666152abc21325354b0c02e4bc0dfdd581bde1c62e8b42636f012a2ab7e783a8804af3d4638cec7b8cf3662f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2040.exe

Filesize
14KB

MD5
d85ff69b2e11ff72fa24d55e234a2cbc

SHA1
fe3e8d206d1af8b54d7f444f2d45ed49db495b77

SHA256
d9b987ad98e3b80ea5c6b6567905a00a000889526dd37ee73206f22ec0418dac

SHA512
3a40c0e254ef86566b0f6cde0efd3981442b8695daa41822d03b9a1c5282880f7c02f508b79954a64303bd1a6fe7b7c8d9b368d847235d7167f0011820375c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM70EA.exe

Filesize
14KB

MD5
34a88d38606c5c690295ea68c4b9e734

SHA1
927827651993615edaa77e572b8bd0f5997fb6ef

SHA256
5d2897936d3763c9220001e8961fc6b69f53232b2b51fb06cb53f697210e963f

SHA512
b5b756d4933f3f87b95147cd08affa31703cc7d163fed23b995e3b1a5cf7feba2ecdadce8b04e63cd2d95604305ee0d8cb19dcacd0e9b3df1eb0b86a87757faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM748F.exe

Filesize
14KB

MD5
1b1fc9f4171ea38e014acf4bd836058a

SHA1
44cdc2792df57e6293fca54d9f9b458a71c00fd2

SHA256
f52e516ce9b63998d64d41f14b07d431be2a0db8d44983ca9d89aabc0025dea5

SHA512
a0dc0dd78859a441b1101f3d9e437bed429dbffbdc75da07d4891b1ea29e980f133270427fa4a81af5a5925f166bdc9cdb2de9e948c08de61b0d615e07a871d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC7E4.exe

Filesize
14KB

MD5
cc8e6833be53d44cbad82be67446baaf

SHA1
959ecdbc175771735bca554c4817a19fe0e24cef

SHA256
d0df5b40e436b056dbad80d0f5491a56215bdba36126c1a6882e6190c566f513

SHA512
9fce60bdd2b7c598ec0a05ddc213b4676f45ff1e803722b6a70b361097a91cb9164b03b6554a2f075b98e634ce9a983288e83597355a96cc0f9ab6f0715499a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCA02.exe

Filesize
14KB

MD5
6ee70dd26fb0c224bdd45d69a0541066

SHA1
1f96b310461099d2400ca16629399c13008945a8

SHA256
59a31d4e61e4dd990e4b0db47ed416baa61c8dc109212a17ad6695c34c19f880

SHA512
9fa1fd71f5e37a54ca11454d18635458f71f916aeadfe428ad7eada62f2158c1d4908c1732228d8962826d14c20f6a9b17958f1b621a04aa4a9d7e6213b656d1

Download Submit

Analysis

Sharing