06561f54de1ce9e77ff17382731ce71ee516ae5fc2417de5bb42e8b7fb0e9cf1

General

Target

8463685ce8efb742c9a9e316cef62bc4_JaffaCakes118.exe
Size

14KB
MD5

8463685ce8efb742c9a9e316cef62bc4
SHA1

9294354bb2456a5e93db41caebd2cda95750fa61
SHA256

06561f54de1ce9e77ff17382731ce71ee516ae5fc2417de5bb42e8b7fb0e9cf1
SHA512

236380e7c84637ad171aa8d2fc7a1fadddd0afc6be70b727116c54286296cdad5ee703e23fac66703bff7960a8975e0fcea5f35719bf359b46c1dd6182d5b0bf
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJElo:hDXWipuE+K3/SSHgx5

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8463685ce8efb742c9a9e316cef62bc4_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEMAAC7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEM1B1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEM57FE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEMAE0E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEM48A.exe

Executes dropped EXE 6 IoCs

pid	Process
4664	DEMAAC7.exe
3520	DEM1B1.exe
756	DEM57FE.exe
992	DEMAE0E.exe
4728	DEM48A.exe
4316	DEM5B07.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAAC7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1B1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM57FE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAE0E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM48A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5B07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8463685ce8efb742c9a9e316cef62bc4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 4664	3084	8463685ce8efb742c9a9e316cef62bc4_JaffaCakes118.exe	95
PID 3084 wrote to memory of 4664	3084	8463685ce8efb742c9a9e316cef62bc4_JaffaCakes118.exe	95
PID 3084 wrote to memory of 4664	3084	8463685ce8efb742c9a9e316cef62bc4_JaffaCakes118.exe	95
PID 4664 wrote to memory of 3520	4664	DEMAAC7.exe	100
PID 4664 wrote to memory of 3520	4664	DEMAAC7.exe	100
PID 4664 wrote to memory of 3520	4664	DEMAAC7.exe	100
PID 3520 wrote to memory of 756	3520	DEM1B1.exe	104
PID 3520 wrote to memory of 756	3520	DEM1B1.exe	104
PID 3520 wrote to memory of 756	3520	DEM1B1.exe	104
PID 756 wrote to memory of 992	756	DEM57FE.exe	106
PID 756 wrote to memory of 992	756	DEM57FE.exe	106
PID 756 wrote to memory of 992	756	DEM57FE.exe	106
PID 992 wrote to memory of 4728	992	DEMAE0E.exe	116
PID 992 wrote to memory of 4728	992	DEMAE0E.exe	116
PID 992 wrote to memory of 4728	992	DEMAE0E.exe	116
PID 4728 wrote to memory of 4316	4728	DEM48A.exe	118
PID 4728 wrote to memory of 4316	4728	DEM48A.exe	118
PID 4728 wrote to memory of 4316	4728	DEM48A.exe	118

C:\Users\Admin\AppData\Local\Temp\8463685ce8efb742c9a9e316cef62bc4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8463685ce8efb742c9a9e316cef62bc4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Users\Admin\AppData\Local\Temp\DEMAAC7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMAAC7.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\DEM1B1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1B1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\DEM57FE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM57FE.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:756
    - - C:\Users\Admin\AppData\Local\Temp\DEMAE0E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAE0E.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:992
      - C:\Users\Admin\AppData\Local\Temp\DEM48A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM48A.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\DEM5B07.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5B07.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1B1.exe

Filesize
14KB

MD5
61236f7aa3807c3bf10704bb346f93a5

SHA1
62a96d1ddd1b7c4d14382fde33f822a525341463

SHA256
189f87a0128f96a8d91fe15fdfb74e9ff067019d9ce1a7341359f55925b9c998

SHA512
cd704e06c39dec32af177dcded738cf8dfee2d8b6b301957003ec2b06cbc0aff2665ddfe857826c623aba663c956e37cd2285ca89a301ae1cce54b2f526be2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM48A.exe

Filesize
14KB

MD5
e17a87b37dd12ffd2b212d2dd5cf0496

SHA1
365fa9a1796f0998debaf54fc1abd99ab38460a9

SHA256
067a4b39e5daa0986d86fdf5759ebd7e6d9d2af418b53b8524b0d1a64a124898

SHA512
6878a2eac0e99ed199a5d115c59d537da8471cbfff184eb051330e2dab5138db42551f2b3ff5c4217d47be2ea062ea8a5d8c86971c177196bdff60f80681ea1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM57FE.exe

Filesize
14KB

MD5
f4b4554d952e6058cc55065bb341da11

SHA1
dd7808c0ae5c2565b467c3be969323327b7d1663

SHA256
113804347b23bced87737d4a242d7017bb84f3f3db9d5da29b014021ab329b90

SHA512
c496318667512156c01873514c2ec0e69f0fbbb633f04b829048a0ae3c7526f6c77340b7351f0bdc7897bca831013ee6f7cad7291cd79a8054bb339c3083dcf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5B07.exe

Filesize
14KB

MD5
adbfcbd06ab0c28f67e9ece8dcd5d76f

SHA1
71b218ef78769216a8ee1957825519e964c5c120

SHA256
9c2ea07d0a29df98a657ba399d15c50523fa2610091d8aca702773cdd993933a

SHA512
76f76769be65c81f35bcd831d810cd9ac5b0fd048434fe51dd5a684cde808ce15029ecf700792c6bccc26d4d868f23819cb56536d1d88bb75df6c523fed3206e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAAC7.exe

Filesize
14KB

MD5
888362a58ab1d91210c259f22d02ef11

SHA1
3cad0189d88b715270dd7c305f8a186338fe9384

SHA256
165eda649fc106fa79ee601b0fc80ecc4a983803cba8f0aab7e17a7cbfa63c03

SHA512
672c82d0ed9f5ac29294e8d874aec094793a7d035fb754cc7472b217fa0bb9ddf765da9a8a00e6d36c18dc191e5768c54a8322f4d788c690007ed91d1a9b042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAE0E.exe

Filesize
14KB

MD5
b5dbe8a0f6ec344c2bff973c83716492

SHA1
ad4daadb1c56815a3c32031e20318fc515381f1b

SHA256
364753b7f5800f5c3082c43ac032518812bd9f687ad08ffd07b0ee5095e6a643

SHA512
c80c5e6a614f5c2f472224e5c1dff9c47b7f9de322b77f2b0a5d6c28ed2df00ff9af977de8a09a0ff4d8da38ce7ebbdc957984391855a2818e57eb4e6b687f7b

Download Submit

Analysis

Sharing