0db28235d04adcc9a9ac5c700ba85985c3ce8312390e94d588404756feb6d1f1

General

Target

6a75e303a9f3164de37fea71fcc61c7c_JaffaCakes118.exe
Size

14KB
MD5

6a75e303a9f3164de37fea71fcc61c7c
SHA1

77e61eede75b8c544b824f24a33e946cb26d3bf3
SHA256

0db28235d04adcc9a9ac5c700ba85985c3ce8312390e94d588404756feb6d1f1
SHA512

d30f504be45a41479565f4e78fcc24e0272a1098820cf96a20f29fbf2c492f95698600f542e8d0e54d39e5936814d60099f3bfbffac3e36e503e8c8233a9f071
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhw:hDXWipuE+K3/SSHgxy

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	DEMEEB2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	6a75e303a9f3164de37fea71fcc61c7c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	DEM953C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	DEMEC16.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	DEM4235.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	DEM9873.exe

Executes dropped EXE 6 IoCs

pid	Process
6012	DEM953C.exe
1392	DEMEC16.exe
5292	DEM4235.exe
5980	DEM9873.exe
2540	DEMEEB2.exe
5948	DEM4453.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4453.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a75e303a9f3164de37fea71fcc61c7c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM953C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEC16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4235.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9873.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEEB2.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 6012	3728	6a75e303a9f3164de37fea71fcc61c7c_JaffaCakes118.exe	96
PID 3728 wrote to memory of 6012	3728	6a75e303a9f3164de37fea71fcc61c7c_JaffaCakes118.exe	96
PID 3728 wrote to memory of 6012	3728	6a75e303a9f3164de37fea71fcc61c7c_JaffaCakes118.exe	96
PID 6012 wrote to memory of 1392	6012	DEM953C.exe	102
PID 6012 wrote to memory of 1392	6012	DEM953C.exe	102
PID 6012 wrote to memory of 1392	6012	DEM953C.exe	102
PID 1392 wrote to memory of 5292	1392	DEMEC16.exe	105
PID 1392 wrote to memory of 5292	1392	DEMEC16.exe	105
PID 1392 wrote to memory of 5292	1392	DEMEC16.exe	105
PID 5292 wrote to memory of 5980	5292	DEM4235.exe	107
PID 5292 wrote to memory of 5980	5292	DEM4235.exe	107
PID 5292 wrote to memory of 5980	5292	DEM4235.exe	107
PID 5980 wrote to memory of 2540	5980	DEM9873.exe	116
PID 5980 wrote to memory of 2540	5980	DEM9873.exe	116
PID 5980 wrote to memory of 2540	5980	DEM9873.exe	116
PID 2540 wrote to memory of 5948	2540	DEMEEB2.exe	121
PID 2540 wrote to memory of 5948	2540	DEMEEB2.exe	121
PID 2540 wrote to memory of 5948	2540	DEMEEB2.exe	121

C:\Users\Admin\AppData\Local\Temp\6a75e303a9f3164de37fea71fcc61c7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6a75e303a9f3164de37fea71fcc61c7c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Users\Admin\AppData\Local\Temp\DEM953C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM953C.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6012
- - C:\Users\Admin\AppData\Local\Temp\DEMEC16.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMEC16.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\DEM4235.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4235.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5292
    - - C:\Users\Admin\AppData\Local\Temp\DEM9873.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9873.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5980
      - C:\Users\Admin\AppData\Local\Temp\DEMEEB2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEEB2.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\DEM4453.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4453.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4235.exe

Filesize
14KB

MD5
aded4d1cadb891963ad294688f123d31

SHA1
33ff8483b7a19ac915a31e530f012fe950251b42

SHA256
cccc807d6b3fd2461fffe79aa45c80ef07d0d231b3c8975d98a04bdb4bcc7866

SHA512
6136f0d9c7bf29c755d933bbc3003752a721fde192234e1291bcabea28e379d93fc4f8c0b2389db6581c4a29a704437767831c5eb9784164aef30a7ef1cc9d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4453.exe

Filesize
14KB

MD5
50644419b8e5213c0d002ef80e827ee4

SHA1
90ee0dd6669f778cc0e25fad4d8bdfae285be485

SHA256
91ad88c2d4e6015ed5d1c268fdbf575b995c21055c8420e3d89c6da8fb23cfb9

SHA512
98d278d21f2c7989b15f47adbcff4fb12f2d68ef57ae0465d4ba68811c00671cacabc369be5cf47a582e5fa57c0b665a8faea72c2cbf9bc4fca7c93c449453b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM953C.exe

Filesize
14KB

MD5
b494df6dd3ec1117818f723627c85131

SHA1
851a19dd830141c6537c816a5766f891064e2ffc

SHA256
8f390e6f86b5f3f903ddc0341bf439cbdcf3bd6560eb776a86f7f3937ab0f3fe

SHA512
da1c82e6d9b0285fb486a54c6b98892f365fc4fac284dd063e1702fe8c53b7ecf92778038e1ba685d6c41ea8b585e6ab349e7f3ee13c9d1c22e4fa9742d6c2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9873.exe

Filesize
14KB

MD5
544b350d24fe422742b07cad6b277aba

SHA1
fd920b2ec424a07daf7ae991745ee97ef0d71599

SHA256
3818d190e4aa332d8f2813291e763c121d4de0a957aab2f21eed11489a14c6f2

SHA512
d64aedc58dcf774cb971131f484f429242bd2a2d03563f2ec0296f708f659f071e4dcce2571ad7c61e6bf63f66bfac736a9e117cab160423902067eb5e3675e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEC16.exe

Filesize
14KB

MD5
e4484f52b879967d16df0f15e22cbf14

SHA1
bb0e20abcaec62582d0664bb1fd740dbeabbb74d

SHA256
e97279e20c2d46aab08efa38836b805eebeb4245c8f1592f174ee63e306eac1b

SHA512
302e95c0f9f2529f5fc24de70f4a7712c2c32f8ffba4e6438a419e1e180bbff0b7934b6a004160ccee7151463514ee7a6a2446cfa5e5691e31e80d21547a5d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEEB2.exe

Filesize
14KB

MD5
f2b65ffe440b27e1af0f9c272779bd18

SHA1
65d981dacd57a317a18981d7481012602d302408

SHA256
72ee3e4246553586d2c004759313969fae57f34fbe832db0b27948260d927771

SHA512
6be64a0a561811ea323fc48c829b80a4a723aef4382ea3faf117604cb1118375f1ead81b58f83dbe64c58c8eba4d28b75df8c7615984a4ba3b888660cfcfc642

Download Submit

Analysis

Sharing