90fdc770207c928acbd0ca0ec55169e703f41c77166cbea7b8bf33232560e1b0

General

Target

8c9d302712a038b86289881a5a88e426_JaffaCakes118.exe
Size

15KB
MD5

8c9d302712a038b86289881a5a88e426
SHA1

bdc3b75970d0650138201853eb591f1730598ee1
SHA256

90fdc770207c928acbd0ca0ec55169e703f41c77166cbea7b8bf33232560e1b0
SHA512

4320f5dbfe6c10adb2953adf9ad6c3d50314aa097ef78a72905fa4903170722e6647d4e6af2f8e1550f8fef13eae177c8717700d92f4f14f51636b062266594c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx9:hDXWipuE+K3/SSHgxmHD

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEMB699.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	8c9d302712a038b86289881a5a88e426_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM5DFE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEMB48B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEMA6B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM6099.exe

Executes dropped EXE 6 IoCs

pid	Process
4868	DEM5DFE.exe
3124	DEMB48B.exe
3032	DEMA6B.exe
4820	DEM6099.exe
4424	DEMB699.exe
3648	DEMCC8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB48B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA6B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6099.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB699.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCC8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c9d302712a038b86289881a5a88e426_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5DFE.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 4868	4544	8c9d302712a038b86289881a5a88e426_JaffaCakes118.exe	94
PID 4544 wrote to memory of 4868	4544	8c9d302712a038b86289881a5a88e426_JaffaCakes118.exe	94
PID 4544 wrote to memory of 4868	4544	8c9d302712a038b86289881a5a88e426_JaffaCakes118.exe	94
PID 4868 wrote to memory of 3124	4868	DEM5DFE.exe	100
PID 4868 wrote to memory of 3124	4868	DEM5DFE.exe	100
PID 4868 wrote to memory of 3124	4868	DEM5DFE.exe	100
PID 3124 wrote to memory of 3032	3124	DEMB48B.exe	103
PID 3124 wrote to memory of 3032	3124	DEMB48B.exe	103
PID 3124 wrote to memory of 3032	3124	DEMB48B.exe	103
PID 3032 wrote to memory of 4820	3032	DEMA6B.exe	105
PID 3032 wrote to memory of 4820	3032	DEMA6B.exe	105
PID 3032 wrote to memory of 4820	3032	DEMA6B.exe	105
PID 4820 wrote to memory of 4424	4820	DEM6099.exe	113
PID 4820 wrote to memory of 4424	4820	DEM6099.exe	113
PID 4820 wrote to memory of 4424	4820	DEM6099.exe	113
PID 4424 wrote to memory of 3648	4424	DEMB699.exe	115
PID 4424 wrote to memory of 3648	4424	DEMB699.exe	115
PID 4424 wrote to memory of 3648	4424	DEMB699.exe	115

C:\Users\Admin\AppData\Local\Temp\8c9d302712a038b86289881a5a88e426_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c9d302712a038b86289881a5a88e426_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Users\Admin\AppData\Local\Temp\DEM5DFE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5DFE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\DEMB48B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB48B.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Users\Admin\AppData\Local\Temp\DEMA6B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMA6B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Users\Admin\AppData\Local\Temp\DEM6099.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6099.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4820
      - C:\Users\Admin\AppData\Local\Temp\DEMB699.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB699.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\DEMCC8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCC8.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5DFE.exe

Filesize
15KB

MD5
d85a398b522ad78321f533901c417397

SHA1
ec9d65fd38830fdc2da05e14fa5892b59b253928

SHA256
5380ec9ac305a4b4c397daffc604d79559a65b5550b23daa59e6152be7e79974

SHA512
8530ff336d0339d26020ffd360be49b558b067007d6b26f27f38ba90dd4fb116440e2b64c2ccf6d3bf6d9490db9a906bc90fd274986be28144229d53a254fd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6099.exe

Filesize
15KB

MD5
36262ae575b68a5e25e82414c773cdfa

SHA1
ed28471d0650ee91cfaeb6b0d467bc549f39de16

SHA256
48d5e4e9956dfba2510758e884b7e2412ae19ddc34a67bfb1e8d0a1d69fbdf6c

SHA512
4f1c3288557dcdf7a267132b6405afcc67344c0805b9b45a1a4f66467d7dc6d4eee1e132cd202ad6af7d545b07efa90146d93ff32282782a99f70d6220066e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA6B.exe

Filesize
15KB

MD5
1fe82c4c56b27b56e90466a9df8cca27

SHA1
f685afb96d31edc81c693ad4eca609785d048955

SHA256
c59717040ca3b16d5bb65e4ff767696f9db4e8e5f6ed8c0976bfb5ed8bc8397e

SHA512
80d2bb432c85b0b1b423f54ee2b2cc4be5890d00b8e5cb79a7fa19b22304dab23c3ec3c60ff24d8ba926db4763bcb733be1fb4b7d20ed340fff833076aae4c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB48B.exe

Filesize
15KB

MD5
8f71b5ae310161f7fc0adfb7c7cda87d

SHA1
ea6f57b32328ce8a29ffdf6fbccba6f79459b334

SHA256
e541380405d4890f8d4abc0848f1d91315f7d37e44b19a0901572cfe0073ded4

SHA512
3a47ac928b0f866d00404f4cc4f40c5db9b53a8a98bdddd5de868fdbb2b677cf9c8178b4f5539bf34d38315f5bb65cd224c5dbafa74ece18aea1a694d0a372a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB699.exe

Filesize
15KB

MD5
d1de928d27c40ab4baa3a12eec74d2cc

SHA1
7297977dc9f0da0bc2e891b5c8007b2cbf6cd23b

SHA256
09e6f037b8cafc66041fc4161dce7cfb2eb696aa3ca118861db1b38ff28317d0

SHA512
ce6d047b42d94df034645d446dd3c5d9cf0c0a612cbc30b86d798d29c3e47a20abf1b75238b830f6823b900b5f1adca33a04bd8692eb22a0eb121fbcb0bc7ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCC8.exe

Filesize
15KB

MD5
052df92aa86dd408128352f9d50bce11

SHA1
8f813ba883f7cc343048c9191058cb08bdb21cf1

SHA256
89baf145f04b31a1fa841af2aaedff167735e749aa41c5643690589f8b2a1327

SHA512
6af0e4287cda27a5482ebe323c39276cb4342470a8857bf346378df2de12d309e9b38845971a36c98d113ffbf96a00a8094d2e61b201630136053405b9b7a31e

Download Submit

Analysis

Sharing