5f26590dc3d7a7896d2945a7d2e0f817f32aefe858412474470a9c2c0eb60501

General

Target

8525ae55508a05a66bd491339c654110_JaffaCakes118.exe
Size

14KB
MD5

8525ae55508a05a66bd491339c654110
SHA1

93c1cdeb4e5994bf78d5a250c447e0dbe01b7cf7
SHA256

5f26590dc3d7a7896d2945a7d2e0f817f32aefe858412474470a9c2c0eb60501
SHA512

742e5033c0c2730f8766e07cd9238ae0dbee9006a54a40118c70939bb9cc872d7211f0459894b944ea858f9da481107f577e6d39e7f2ef02541cc096a1bf2d96
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhvu:hDXWipuE+K3/SSHgxlu

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEMB253.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM853.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	8525ae55508a05a66bd491339c654110_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEMAFC8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM635.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM5C63.exe

Executes dropped EXE 6 IoCs

pid	Process
4924	DEMAFC8.exe
3232	DEM635.exe
2072	DEM5C63.exe
3636	DEMB253.exe
1944	DEM853.exe
2880	DEM5E91.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM635.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5C63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB253.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM853.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5E91.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8525ae55508a05a66bd491339c654110_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAFC8.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 4924	1244	8525ae55508a05a66bd491339c654110_JaffaCakes118.exe	97
PID 1244 wrote to memory of 4924	1244	8525ae55508a05a66bd491339c654110_JaffaCakes118.exe	97
PID 1244 wrote to memory of 4924	1244	8525ae55508a05a66bd491339c654110_JaffaCakes118.exe	97
PID 4924 wrote to memory of 3232	4924	DEMAFC8.exe	109
PID 4924 wrote to memory of 3232	4924	DEMAFC8.exe	109
PID 4924 wrote to memory of 3232	4924	DEMAFC8.exe	109
PID 3232 wrote to memory of 2072	3232	DEM635.exe	111
PID 3232 wrote to memory of 2072	3232	DEM635.exe	111
PID 3232 wrote to memory of 2072	3232	DEM635.exe	111
PID 2072 wrote to memory of 3636	2072	DEM5C63.exe	114
PID 2072 wrote to memory of 3636	2072	DEM5C63.exe	114
PID 2072 wrote to memory of 3636	2072	DEM5C63.exe	114
PID 3636 wrote to memory of 1944	3636	DEMB253.exe	116
PID 3636 wrote to memory of 1944	3636	DEMB253.exe	116
PID 3636 wrote to memory of 1944	3636	DEMB253.exe	116
PID 1944 wrote to memory of 2880	1944	DEM853.exe	118
PID 1944 wrote to memory of 2880	1944	DEM853.exe	118
PID 1944 wrote to memory of 2880	1944	DEM853.exe	118

C:\Users\Admin\AppData\Local\Temp\8525ae55508a05a66bd491339c654110_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8525ae55508a05a66bd491339c654110_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\DEMAFC8.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMAFC8.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\DEM635.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM635.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\DEM5C63.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5C63.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Users\Admin\AppData\Local\Temp\DEMB253.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB253.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3636
      - C:\Users\Admin\AppData\Local\Temp\DEM853.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM853.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\DEM5E91.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5E91.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5C63.exe

Filesize
14KB

MD5
d972acfd3761da13b0fe7c7e12bf0a4e

SHA1
1221bdbbf23b6deecf039a983180ab0f0b6b9f2b

SHA256
d02884bc7ecc0f4c305ab91bccf91cfbd4fbb32b1c6a0487efcb546994cf3bb1

SHA512
1a9080d8879605af433d089f27cefb9fff4243a872119cf0a53ed49a436fe1b23cb094646eae52bec38c3fa1f70ba074c362f8f6e065014adaadbfde6bbdeb62

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5E91.exe

Filesize
14KB

MD5
829e07e3aab1426efcbfe522b3cf366a

SHA1
501924d47e39574999c9b209dd3b217c85cfda56

SHA256
f88ede01d59245e3e31142e6863b5eb8a00f509abdbf9bd5f07eddb3de31d11f

SHA512
351200ae832c979e3802caa50b64c30e2735401ee4c004692f466c7ba2b03a21ea00adae6b0a42ac32b7fb293c2732cedbe083c3b5358cf46a09392beaac820f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM635.exe

Filesize
14KB

MD5
6977afdf4eba5c82c05c7b7aed5e91a9

SHA1
2a3c136694c94797b0d3dd14a79f535b646acd19

SHA256
5a4c5642d2cd92e50ee889602d5638d731259ab84aee11cc595783f2f3e4fd95

SHA512
ec589dd67d2bc7582f2c43d977a96518219f89a6e8d271aa1cca59e1fcd5f898915fbf0eee76f55b6c5f130bcb8a2b4ab57293a6ea3416694e1ae9df2c58e02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM853.exe

Filesize
14KB

MD5
b3d26cb4bc99b0997c7c5a040080f850

SHA1
478c51cedd8c3fc941258ca0c1ea0be801f12da0

SHA256
fae1a7e5cbabbd1fef011a24abb3053f176f4e7720757b6fef456c62a0baa6e5

SHA512
1d552465890daa2f6687fc95f8c0a85940ab3ddb95d2bca39c8dfce8d71a27f896866037d335f5b20e7c4697319e8a3db27a46b2d2eed7f0cec4301d9d5e3eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAFC8.exe

Filesize
14KB

MD5
289c9fe68da39190b75d473b2cc4e3c7

SHA1
b0e62a79f7d887575649574cf40d9401d72d4b1f

SHA256
092d7c56beb214fb5c22d69a65c3ba42966bd37e03ffeec854e0c08319818414

SHA512
caeaa2a53101b56bfbd7012b0b1b63e972e468c1431d8d1ef1f429c34a5805252893b4083bf1a41d8f3d60d3e5afe4fecfcfa5344c19f59510f8ba957aaee7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB253.exe

Filesize
14KB

MD5
fde084652b12d4494186d369bb00d24e

SHA1
64214f31dedea277f256a658ad07451ad357ef56

SHA256
b9f67fe691b30b377123cee9f17db7a1b84ee00d8c7b60cf161b9e7be9bd2e70

SHA512
b58466960e1a6451a00b0908d1457bd60a81d2b66690c250ede07c426486cda7b245deb447fbbed8c35996c6cf0cfb1883b5f5ce9a484e141452a16fdc57798b

Download Submit

Analysis

Sharing