d26ce06f2da095814bc52da6eb8cf16bdaff2924a7fe73f36de6d25c995cdf02

General

Target

780ca4efe6a6e96c4d5c88914a078a24_JaffaCakes118.exe
Size

13KB
MD5

780ca4efe6a6e96c4d5c88914a078a24
SHA1

efb45d2992719952599b7b5f5c5842bebe065b07
SHA256

d26ce06f2da095814bc52da6eb8cf16bdaff2924a7fe73f36de6d25c995cdf02
SHA512

b76213d50db8031c0e69458dbc7063eb6b7bab5847eff6d1c4c4f948b643c5200cc197f88b23c21a2788f5a6b3e7993c30137cafe55f180b57a902a313ccd79c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhC:hDXWipuE+K3/SSHgx0

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	780ca4efe6a6e96c4d5c88914a078a24_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEMAAA7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEM153.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEM57DF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEMAE1D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEM3DE.exe

Executes dropped EXE 6 IoCs

pid	Process
4636	DEMAAA7.exe
1952	DEM153.exe
1748	DEM57DF.exe
2864	DEMAE1D.exe
1148	DEM3DE.exe
3956	DEM59EE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM57DF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAE1D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3DE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM59EE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	780ca4efe6a6e96c4d5c88914a078a24_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAAA7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM153.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 4636	2424	780ca4efe6a6e96c4d5c88914a078a24_JaffaCakes118.exe	95
PID 2424 wrote to memory of 4636	2424	780ca4efe6a6e96c4d5c88914a078a24_JaffaCakes118.exe	95
PID 2424 wrote to memory of 4636	2424	780ca4efe6a6e96c4d5c88914a078a24_JaffaCakes118.exe	95
PID 4636 wrote to memory of 1952	4636	DEMAAA7.exe	99
PID 4636 wrote to memory of 1952	4636	DEMAAA7.exe	99
PID 4636 wrote to memory of 1952	4636	DEMAAA7.exe	99
PID 1952 wrote to memory of 1748	1952	DEM153.exe	103
PID 1952 wrote to memory of 1748	1952	DEM153.exe	103
PID 1952 wrote to memory of 1748	1952	DEM153.exe	103
PID 1748 wrote to memory of 2864	1748	DEM57DF.exe	105
PID 1748 wrote to memory of 2864	1748	DEM57DF.exe	105
PID 1748 wrote to memory of 2864	1748	DEM57DF.exe	105
PID 2864 wrote to memory of 1148	2864	DEMAE1D.exe	115
PID 2864 wrote to memory of 1148	2864	DEMAE1D.exe	115
PID 2864 wrote to memory of 1148	2864	DEMAE1D.exe	115
PID 1148 wrote to memory of 3956	1148	DEM3DE.exe	117
PID 1148 wrote to memory of 3956	1148	DEM3DE.exe	117
PID 1148 wrote to memory of 3956	1148	DEM3DE.exe	117

C:\Users\Admin\AppData\Local\Temp\780ca4efe6a6e96c4d5c88914a078a24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\780ca4efe6a6e96c4d5c88914a078a24_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\DEMAAA7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMAAA7.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Users\Admin\AppData\Local\Temp\DEM153.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM153.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\DEM57DF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM57DF.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Users\Admin\AppData\Local\Temp\DEMAE1D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAE1D.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Users\Admin\AppData\Local\Temp\DEM3DE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3DE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\DEM59EE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM59EE.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM153.exe

Filesize
13KB

MD5
02b63a8ef71d7783d165994e89e1ce8a

SHA1
7d919e97e37c3e0fa15dd8b3967bf9da17214daa

SHA256
cfc04592b5901c241705f2e8ee347435dff406c14b8dad8fbca7491c169f2ece

SHA512
a8f1d30c0f4db9c793d3b821cd3b48d01f75fe19092a73d44cfe2c8e5e56db7d9d26fd058972b17f4d9db3aaf769f73f3146bfcc71444dec6fa36da84c822971

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3DE.exe

Filesize
13KB

MD5
6e99e0aab2fd14bea1f1c417dda98e9c

SHA1
7f50e6590d6d1719d6b037876938263b4400a564

SHA256
0ae8b8c186cc35dbcafd5acd54ab318f9eff046d33e228830a681d0cb3e594b6

SHA512
dbd8f02772e8557dc5e2b03ce7bb0fa9629320302d15e2bc31a903a362eec2b6ddc91719843338c7993ffd5ce3d7815756a69c73fc92894c6d0b9efbee9795e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM57DF.exe

Filesize
13KB

MD5
706cf811ce99471bbfde8e38afdf25d0

SHA1
369e5492f5ebdf6f427e3d0fb2a75dc4b6aaf52a

SHA256
36aacfa7f234c6ad57336f237443e06b8b552af46ce90440a699632a37376383

SHA512
f7ba3e85b82c55b0c9f9f6db50c88ab3b8172504118857195a54016fccbcd1a668c9cebffc40e671119574dfb427d9fb2540d8caaec60e908f64796bf880deed

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM59EE.exe

Filesize
13KB

MD5
a85a77a5534a271d0477860c2f63024f

SHA1
45ed216e06064327df5a836c4200f8906d92fefd

SHA256
278def1e3c898c8a0d25bc1c700b79c5847585fba02a74a90961dee57980d0ae

SHA512
57119010db4e5cb2d62a2ec3952bbc2bb33bf7b83c802acb68a1d75033030710a9b3a42facd40e42d9d212c3f91a6220f899b2f0c05f0b52f34dbb58669694cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAAA7.exe

Filesize
13KB

MD5
6be0055bc303fdc4c3513ee910290abd

SHA1
3721af413979c67fb4e5b3190d3d783bdbb58059

SHA256
2a5c7a9ac61dfa07f037ae9ab6fc3727908fd8315822ca4e40f5512362636e90

SHA512
ee82e22d87a840b509cc7d0e79562d7fc2400d8b85e57747858ec4ed80ae84130ce4baa44f6c4d755a1cabc18912f7229ee3d45f05f0d6adcba5d4337e40c917

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAE1D.exe

Filesize
13KB

MD5
6f491c67977375c6d83023052f72dea9

SHA1
7b7effc08e36038c69a53e455f482a50357ecd53

SHA256
d0c56f58934166efbedb460a2d41b8e694caae3caa4477cd6c229c94ba769ad7

SHA512
d0d5cb61ef74183d30ac9dfb8d5b410e1e1d34343bddf30dc65a86a958015472bc54afbbd9900b9ace7ab5766a64bb3f60c87d0d1d4307658149260bfc016cb1

Download Submit

Analysis

Sharing