c5dd06bd644b18281fb1a83de17a7271cacc509aefb23c22604d54b8336a106d

General

Target

6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
Size

14KB
MD5

6f2144faca22863ea5b92ebc6af77e14
SHA1

cbc04bfec881f63ca60ede00ad12e87d1dd27a96
SHA256

c5dd06bd644b18281fb1a83de17a7271cacc509aefb23c22604d54b8336a106d
SHA512

850f03d135ece20c49d253cce90a7cd582877b4545380df41f0e3c28865964c2b839796f6daa52a5e7085797b86c89fc15bec6d02e88b61a7efbdc127104faa1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0m:hDXWipuE+K3/SSHgx9

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	DEMD29D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	DEM78BA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	DEMD002.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	DEM2630.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	DEM7C9D.exe

Executes dropped EXE 6 IoCs

pid	Process
404	DEM78BA.exe
1380	DEMD002.exe
4052	DEM2630.exe
4912	DEM7C9D.exe
4940	DEMD29D.exe
772	DEM2929.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM78BA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD002.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2630.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7C9D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD29D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2929.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 404	3076	6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe	96
PID 3076 wrote to memory of 404	3076	6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe	96
PID 3076 wrote to memory of 404	3076	6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe	96
PID 404 wrote to memory of 1380	404	DEM78BA.exe	102
PID 404 wrote to memory of 1380	404	DEM78BA.exe	102
PID 404 wrote to memory of 1380	404	DEM78BA.exe	102
PID 1380 wrote to memory of 4052	1380	DEMD002.exe	109
PID 1380 wrote to memory of 4052	1380	DEMD002.exe	109
PID 1380 wrote to memory of 4052	1380	DEMD002.exe	109
PID 4052 wrote to memory of 4912	4052	DEM2630.exe	112
PID 4052 wrote to memory of 4912	4052	DEM2630.exe	112
PID 4052 wrote to memory of 4912	4052	DEM2630.exe	112
PID 4912 wrote to memory of 4940	4912	DEM7C9D.exe	114
PID 4912 wrote to memory of 4940	4912	DEM7C9D.exe	114
PID 4912 wrote to memory of 4940	4912	DEM7C9D.exe	114
PID 4940 wrote to memory of 772	4940	DEMD29D.exe	116
PID 4940 wrote to memory of 772	4940	DEMD29D.exe	116
PID 4940 wrote to memory of 772	4940	DEMD29D.exe	116

C:\Users\Admin\AppData\Local\Temp\6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\AppData\Local\Temp\DEM78BA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM78BA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Users\Admin\AppData\Local\Temp\DEMD002.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD002.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Users\Admin\AppData\Local\Temp\DEM2630.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2630.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4052
    - - C:\Users\Admin\AppData\Local\Temp\DEM7C9D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7C9D.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4912
      - C:\Users\Admin\AppData\Local\Temp\DEMD29D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD29D.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\DEM2929.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2929.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2630.exe

Filesize
14KB

MD5
3978b0fc3383729e5a780a5892abc5cc

SHA1
fd2d21a2c41337bfb450613b22dbaf2e1e6fd2ef

SHA256
73dfe843bf856dd61028ff490be065678e284b5f8cb563c18d08991fd66db17a

SHA512
563c799009ace41613e66b74037218dabe2d03a51c4a3bc94f275c8cd2d527a20782ae937936178f0627681c9ca652ec5e772a9daba6570810efed5e452fd1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2929.exe

Filesize
14KB

MD5
2f499c0cbaab3d71e74a1a231e5f397e

SHA1
a5337dc14aadfb6e402de47e8ec66ba6596fce97

SHA256
74769839b330780def5afe71a6ad52110cc576b68d0f1f1d0a621a2ecb77aec9

SHA512
65baa88ff0a7972aacd6dfce18b3e1072ceed01247f8d65b4ea29122b6d93809d192dc84d6320c01f9a985bb7deceb1a6d8ca0bb791c4c1f688574fcf3135d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM78BA.exe

Filesize
14KB

MD5
b5aa069461df56571842d31927bd1a51

SHA1
fdc4435d32d3ac5c448b71f93b8fbde098498a06

SHA256
0842792ffdde5d84a87d20686f1c8a5908e5c0ff32c4b30652f381cd4843ef81

SHA512
94e38b0943395099d828a3057f8f5f48e1d2c17d705f5b5310fd3b9c979aa1bbeaa0774cb8ae8c1af933a412ceb2a2400a6997a969c9b40eb673b3ec93f85ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7C9D.exe

Filesize
14KB

MD5
f779eab8548a51b4392deaad130d5320

SHA1
8c5229c4812532a3749008b86129d01d2e64c031

SHA256
be5acbb325d21bb691edc1ac6494893ba5f0e883b719040420f19b0895fffb52

SHA512
1486cc533497444c598f3703946abb30453f23c10e09054db4e02072326f626cc30bf9f955958794c880040454e0800c6eb9ae755d67552c6bffd286061f76ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD002.exe

Filesize
14KB

MD5
fbcd42e9df90fd0ad172e5197fdcc3fb

SHA1
a5806b2e78c81e42e1c7c6b4b0b165373884528f

SHA256
c466c20e1e42f0ef0ebf39228b3490bbd90e36d48c4e9b5545a7ffc319c55f00

SHA512
9cc4f5f0b507d122439a33ae4a8e5ede46e1d4dc2c1226ec1b50bbed2d213150d07fe2e0811dda8964b676883847f25f09e02e14323431ecaad37e1491059d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD29D.exe

Filesize
14KB

MD5
dd66af060fe327134607a2d1f3fa8257

SHA1
7266d0ce5b945241f753785480d59be050ade974

SHA256
3fa177de46a437035ba6d84bd2aae7be49873ca5949244e1cbe26416b4115347

SHA512
d4702f98228b8d84e938f0163918ec0db7b2712a15b300cb29c58eac3a156fbbee822aede26b7c7192d8946d390a8ea7f0489a8323c237c11a1e1f530437af08

Download Submit

Analysis

Sharing