b0b1e4c19d83e28b2ee2fd347d7047a090d7a03b33c3cfe57ec540841b9c18a9

General

Target

77ed125edd6928df9f4d00aca9126624_JaffaCakes118.exe
Size

14KB
MD5

77ed125edd6928df9f4d00aca9126624
SHA1

638713255e43437fa7ce91f24426f1fc195b43a5
SHA256

b0b1e4c19d83e28b2ee2fd347d7047a090d7a03b33c3cfe57ec540841b9c18a9
SHA512

f3bc70fc1549580fdaf2a5edda5afa185d89ff5ab417c9d6fc8e21caf296511af54716eaa12ea84c8135bf2be4cd106a84e2de9f9809b2e790aa4bb96d73e638
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl5:hDXWipuE+K3/SSHgxml5

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEM436D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEM996C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEMEF7C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	77ed125edd6928df9f4d00aca9126624_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEM9645.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEMED1F.exe

Executes dropped EXE 6 IoCs

pid	Process
228	DEM9645.exe
2204	DEMED1F.exe
636	DEM436D.exe
3572	DEM996C.exe
3836	DEMEF7C.exe
2464	DEM4627.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMED1F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM436D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM996C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEF7C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4627.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77ed125edd6928df9f4d00aca9126624_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9645.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 228	1972	77ed125edd6928df9f4d00aca9126624_JaffaCakes118.exe	96
PID 1972 wrote to memory of 228	1972	77ed125edd6928df9f4d00aca9126624_JaffaCakes118.exe	96
PID 1972 wrote to memory of 228	1972	77ed125edd6928df9f4d00aca9126624_JaffaCakes118.exe	96
PID 228 wrote to memory of 2204	228	DEM9645.exe	101
PID 228 wrote to memory of 2204	228	DEM9645.exe	101
PID 228 wrote to memory of 2204	228	DEM9645.exe	101
PID 2204 wrote to memory of 636	2204	DEMED1F.exe	103
PID 2204 wrote to memory of 636	2204	DEMED1F.exe	103
PID 2204 wrote to memory of 636	2204	DEMED1F.exe	103
PID 636 wrote to memory of 3572	636	DEM436D.exe	106
PID 636 wrote to memory of 3572	636	DEM436D.exe	106
PID 636 wrote to memory of 3572	636	DEM436D.exe	106
PID 3572 wrote to memory of 3836	3572	DEM996C.exe	116
PID 3572 wrote to memory of 3836	3572	DEM996C.exe	116
PID 3572 wrote to memory of 3836	3572	DEM996C.exe	116
PID 3836 wrote to memory of 2464	3836	DEMEF7C.exe	118
PID 3836 wrote to memory of 2464	3836	DEMEF7C.exe	118
PID 3836 wrote to memory of 2464	3836	DEMEF7C.exe	118

C:\Users\Admin\AppData\Local\Temp\77ed125edd6928df9f4d00aca9126624_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\77ed125edd6928df9f4d00aca9126624_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\DEM9645.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9645.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Users\Admin\AppData\Local\Temp\DEMED1F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMED1F.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Users\Admin\AppData\Local\Temp\DEM436D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM436D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:636
    - - C:\Users\Admin\AppData\Local\Temp\DEM996C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM996C.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3572
      - C:\Users\Admin\AppData\Local\Temp\DEMEF7C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEF7C.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\DEM4627.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4627.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM436D.exe

Filesize
14KB

MD5
7cc52b5f5be7924b05d90962abef8a54

SHA1
fa951e443e52e903e30b5dc1054ae384e7cbf995

SHA256
a6d14f29e31f43fe5cadbdf49188d106d6970e9d876b0d86ed5ea8c277c22747

SHA512
d1a73244806cb844d59b94d55f466cfb57d93c9d3e7c90632410dd19442c7c429949a81494dcbcf6317ac77937ac076c3c844e6e0e72e0c80f0b9c6a1f1c0cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4627.exe

Filesize
14KB

MD5
42b4a65cd31ab154ebd20bf71617f238

SHA1
d3108a22da0ea3aa67ebb9c0ef48475c4ce7865b

SHA256
af7aeb94c37fb0c4e9fd39c1b8cca621524826126aa7ffe751d7531af5fc7b05

SHA512
a5cf50b3453f5c426d12a31c1a22d4cf8464ad5ad276d95a612ef21aa112a83ed0ef51a01f1665f9f157afb6f00f6007847fb63ddada6c2c2be383b8fb067339

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9645.exe

Filesize
14KB

MD5
91cbcf3c9eafda663ae6f25fe0b946b7

SHA1
d62ff3688ab9391c9972cb9417c142b321c845e8

SHA256
a5f9d585548cffdd3ecab6536c0f33065eea76db423f485486f0d6071b7886fe

SHA512
30328a3d5aa011ecefaaa9099973635de247ad736a8b40a8bbe4dae8023bfa996d7484d2329baa4ba5f2fc626f25d26b790ee3449ee5f97f8096e85e86fb58be

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM996C.exe

Filesize
14KB

MD5
dad03ae6209dd2e715ff8497fd42eff1

SHA1
4e20be9d357eb5c0f94b4bcb9dbc1975ee62ff23

SHA256
148015d438361ae330efd3ece813b885564b984322c7ee1274e8fa959950c3b7

SHA512
2214a9e8453ed835b138c06b21fc4a3a9ca8b72ef352a5347765b6865b7b24ce92540c8c73e731ef3ffdaa5363a9eb38acd656d72cf666e909b41fee2e0a1890

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMED1F.exe

Filesize
14KB

MD5
2b0d6461cd0b6ae6ad8371fbc86a57a9

SHA1
91cc63aeaac675defe4de1fd41618423141ec39b

SHA256
27087f7b165f3fbfe8a2500dd99d88de8966ad6ded5a13eef1503c6010db9bda

SHA512
d2d60e9a441ed9fa4c3b4ad09e0e3a6dd84f168e6de7ae785459bdb19d2510927dc263e48996e65f24c65f191fc3de2d7b7aeb2419ed94407390654710c4fa58

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEF7C.exe

Filesize
14KB

MD5
ee8c7893d874910cfe4f547d1feb10e2

SHA1
a4177c6074202e122ec8857c5889a26b33277499

SHA256
56fd32ac9cffa78dfaee04aa557c5fef8b1f19f3606cbe40ed3acd7e972af47d

SHA512
357e25c751ebdd2165d6b50fc51ac905914885d1207ec95c83dc16495ebfeec440ceca245d5cd3f47d5a93d34df07b8ed90721186c3da79f1adffd618ec5f66e

Download Submit

Analysis

Sharing