9ead0f018f36b74089aeb744169e5f2bc04e522fcc005e291bedf3c57f48cb66

General

Target

7414195f40555e41659f46399e6368e1_JaffaCakes118.exe
Size

15KB
MD5

7414195f40555e41659f46399e6368e1
SHA1

519ba935c1d454ba4e75804d507ad10f48408a8d
SHA256

9ead0f018f36b74089aeb744169e5f2bc04e522fcc005e291bedf3c57f48cb66
SHA512

df38f01dc61a1099a9f2d7952059375a764b1704dba16d1334c24cf6479d1e2c4f581c41b556c84c665613afe22127e63e74bf566cf7dc8edb21eda369625134
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYKB2HE:hDXWipuE+K3/SSHgxmKEk

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	DEM4358.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	7414195f40555e41659f46399e6368e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	DEME714.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	DEM3EF8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	DEM95E2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	DEMEC8E.exe

Executes dropped EXE 6 IoCs

pid	Process
4152	DEME714.exe
1568	DEM3EF8.exe
1528	DEM95E2.exe
776	DEMEC8E.exe
544	DEM4358.exe
2544	DEM9A81.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7414195f40555e41659f46399e6368e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME714.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3EF8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM95E2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEC8E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4358.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9A81.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 4152	2924	7414195f40555e41659f46399e6368e1_JaffaCakes118.exe	96
PID 2924 wrote to memory of 4152	2924	7414195f40555e41659f46399e6368e1_JaffaCakes118.exe	96
PID 2924 wrote to memory of 4152	2924	7414195f40555e41659f46399e6368e1_JaffaCakes118.exe	96
PID 4152 wrote to memory of 1568	4152	DEME714.exe	101
PID 4152 wrote to memory of 1568	4152	DEME714.exe	101
PID 4152 wrote to memory of 1568	4152	DEME714.exe	101
PID 1568 wrote to memory of 1528	1568	DEM3EF8.exe	103
PID 1568 wrote to memory of 1528	1568	DEM3EF8.exe	103
PID 1568 wrote to memory of 1528	1568	DEM3EF8.exe	103
PID 1528 wrote to memory of 776	1528	DEM95E2.exe	106
PID 1528 wrote to memory of 776	1528	DEM95E2.exe	106
PID 1528 wrote to memory of 776	1528	DEM95E2.exe	106
PID 776 wrote to memory of 544	776	DEMEC8E.exe	114
PID 776 wrote to memory of 544	776	DEMEC8E.exe	114
PID 776 wrote to memory of 544	776	DEMEC8E.exe	114
PID 544 wrote to memory of 2544	544	DEM4358.exe	116
PID 544 wrote to memory of 2544	544	DEM4358.exe	116
PID 544 wrote to memory of 2544	544	DEM4358.exe	116

C:\Users\Admin\AppData\Local\Temp\7414195f40555e41659f46399e6368e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7414195f40555e41659f46399e6368e1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\DEME714.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME714.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\DEM3EF8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM3EF8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\DEM95E2.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM95E2.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1528
    - - C:\Users\Admin\AppData\Local\Temp\DEMEC8E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEC8E.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:776
      - C:\Users\Admin\AppData\Local\Temp\DEM4358.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4358.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\DEM9A81.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9A81.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3EF8.exe

Filesize
15KB

MD5
9db2003e2e59a7c3fe67f59fb4207d8a

SHA1
f23be6077970c36bae63798136357d46be53fece

SHA256
2dddf6b23b92c00cf89c609f8cea50c2e5627413216cb85e42cec2f33040600c

SHA512
e674337a9a8728370cc7be957b6874e9585c291a6ee3a5b26bdb8cd34af92af832bfd07f63423bbc0d9414a2cbd94013b8309406874ca71f9a87879a47b77493

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4358.exe

Filesize
15KB

MD5
9175bd0e4b73c8b8231996a9f2606d38

SHA1
7c20278751454e466df7c4690f2e50ad39e766c8

SHA256
9aac67990ef03652a0f8748643d3097e29c90cb7f337d8f3b8665cda94649061

SHA512
e51018e42aa01575ce83891014e7a38796f444e6bf796336de09b2da1a9ffc3d52a05139ab68037996a42c9545a2b275b4c99b353bdf1e912ba6e175e2e1720e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM95E2.exe

Filesize
15KB

MD5
d12600c90a482e50dcae12e2eae51da0

SHA1
775ec3fe41822104ac9b1de63643e414166ca138

SHA256
30f9105159b7dd84bdd43b44019b228e2e95c02b27507921d462b7abe5571cd1

SHA512
b5e2c4f3c15805224b02a388dacb7850ff399e1e362325b0770b9a49ed7a22fb4c4e99caeb7ebfa6f3f60d518a295f459e63c156db69320e8195e7a652c71304

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9A81.exe

Filesize
15KB

MD5
bc1a6939e95171a35e764aefba853873

SHA1
e75238e4ed5b35cfa21265950d6fd64c127bb881

SHA256
76a9dc4a60d5ef86413492117a972a498b9a96840e859ef6bdd767aabec53412

SHA512
d04670b79fa283f13bc022d8be97995be88a166c99ecfdca8cc7f61bff1e754a14bd2d60074cf673fc8cf23afdf903ddbe43eb9c04abbce3d52efec7bb852185

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME714.exe

Filesize
15KB

MD5
760ae74fcd7f6538bc570bd97d7de1de

SHA1
fcae7a0dafdf9c5dee323d917194a0d04075505c

SHA256
d43fb84f7e42cc45a98c372a3373324c4570bcdc3402be1dc2a75a3d3d93ef53

SHA512
0b54ae0ad4597f12fdef93feef2ad0340cb8d9bced910b9db60917d343346158258afc31e1df40116c86e19608f54ced3ce6c0b44537a9b1b6f5e52c4d056588

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEC8E.exe

Filesize
15KB

MD5
e5eb619da7e50e2976832ab01769c426

SHA1
c969e5d96b400264101f97d54c9cfbf5eb442144

SHA256
032ed2ec0e9f0b3976df89ee714d71384db25b556ef59b084a8fb85dab2354de

SHA512
86454cfb5f2498f4c3e536246b057037cf7ac2a0b9ef41c9a2260125507ede83a9f268352eb46cd4b87a78639c8c3a7b11b4b01e5dc17710697f0ce09501fea5

Download Submit

Analysis

Sharing