75f99829f4fbc88a68dd9b5c3aa950f4e3b03d6d272b2588abae02f5453e5904

General

Target

8d10d9f0a277588bd04e433850620e5b_JaffaCakes118.exe
Size

14KB
MD5

8d10d9f0a277588bd04e433850620e5b
SHA1

b4a622d23b186d09928fdcf3e90cb396c6d14661
SHA256

75f99829f4fbc88a68dd9b5c3aa950f4e3b03d6d272b2588abae02f5453e5904
SHA512

be6c95e3381f53cc83934e93680bb77c2089049ff89887b78992b2aaf1f9824c2902e2bed3e50e21a1f082975989de76cf4f432fafe0d5ab804fd64c2d711581
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5M:hDXWipuE+K3/SSHgxl5M

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	8d10d9f0a277588bd04e433850620e5b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM6B2D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEMC1C9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM17F8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM6DF7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEMC464.exe

Executes dropped EXE 6 IoCs

pid	Process
1532	DEM6B2D.exe
1280	DEMC1C9.exe
616	DEM17F8.exe
960	DEM6DF7.exe
1996	DEMC464.exe
3088	DEM1A35.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d10d9f0a277588bd04e433850620e5b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6B2D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC1C9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM17F8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6DF7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC464.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1A35.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 1532	4172	8d10d9f0a277588bd04e433850620e5b_JaffaCakes118.exe	95
PID 4172 wrote to memory of 1532	4172	8d10d9f0a277588bd04e433850620e5b_JaffaCakes118.exe	95
PID 4172 wrote to memory of 1532	4172	8d10d9f0a277588bd04e433850620e5b_JaffaCakes118.exe	95
PID 1532 wrote to memory of 1280	1532	DEM6B2D.exe	100
PID 1532 wrote to memory of 1280	1532	DEM6B2D.exe	100
PID 1532 wrote to memory of 1280	1532	DEM6B2D.exe	100
PID 1280 wrote to memory of 616	1280	DEMC1C9.exe	103
PID 1280 wrote to memory of 616	1280	DEMC1C9.exe	103
PID 1280 wrote to memory of 616	1280	DEMC1C9.exe	103
PID 616 wrote to memory of 960	616	DEM17F8.exe	105
PID 616 wrote to memory of 960	616	DEM17F8.exe	105
PID 616 wrote to memory of 960	616	DEM17F8.exe	105
PID 960 wrote to memory of 1996	960	DEM6DF7.exe	115
PID 960 wrote to memory of 1996	960	DEM6DF7.exe	115
PID 960 wrote to memory of 1996	960	DEM6DF7.exe	115
PID 1996 wrote to memory of 3088	1996	DEMC464.exe	117
PID 1996 wrote to memory of 3088	1996	DEMC464.exe	117
PID 1996 wrote to memory of 3088	1996	DEMC464.exe	117

C:\Users\Admin\AppData\Local\Temp\8d10d9f0a277588bd04e433850620e5b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d10d9f0a277588bd04e433850620e5b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Users\Admin\AppData\Local\Temp\DEM6B2D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6B2D.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\DEMC1C9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC1C9.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\DEM17F8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM17F8.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:616
    - - C:\Users\Admin\AppData\Local\Temp\DEM6DF7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6DF7.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:960
      - C:\Users\Admin\AppData\Local\Temp\DEMC464.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC464.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\DEM1A35.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1A35.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM17F8.exe

Filesize
15KB

MD5
16a6975b3a95723afba8dd1c93bc338d

SHA1
90a1088fa79359cca09b306d87e0a94055cb395a

SHA256
9a398950c5616906ed128e0c010c007fb2447c784508ab5cae40d5fef02f445c

SHA512
fca0a2dd730d6b442dade6480541de6bf1e169329031e068de5cf44f525da91b2ae20d31027512e2189266c9704b1e2aa2d77f88ccdba3b3654d8dd24a94bd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1A35.exe

Filesize
15KB

MD5
05fb47cbaf9e497a8ac5d4a1dcece05b

SHA1
a8ce0943abfe800068d115e713cd8e3aa799302a

SHA256
14d4eb635f641c9259f24f7d5a1db5f8c85bb9913cafa4633c9c4edfc5182988

SHA512
337ff0eeec19f5b196ca653a288e82bd370959e9e403dc7b315c92c5281a189f6746ec63f1e17330282926001b002d466f2996958ba872e8d6c6ccc8c4753646

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6B2D.exe

Filesize
15KB

MD5
9c9d6d11b4c2992bb4c3e5b36f09a85a

SHA1
3f0a2410dca5a44fe69d601df72c5768370b7054

SHA256
7731d87daeb6aab4f1762f8beb11c945a706ec27b0c6e9deb40975e3369763e1

SHA512
4e7241f6deecf6aa11178627a781128e6b2164313de679c9caf51195751844f4d3fc769937ffa755efa900f631ce3e3b7a992224c5f20dd587bb9df235fed2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6DF7.exe

Filesize
15KB

MD5
98d2eeff3b07fedb5740b22be15cf54e

SHA1
20a2c14b94e00b9240ce866436a00b62ad0cf5d1

SHA256
ab65dc4b1825344395e720275ff546b81bcdaecabe241725506c695f24aca112

SHA512
68e1e3be85a626316f9c6fff978322183a7ba421ffdbc64769594fcf4826445868e128266546bea72f39019a9061f4d4d8e2bfad83c11ddffd353c7c7d8c7154

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC1C9.exe

Filesize
15KB

MD5
aeb2a967377501e0328b690481ac1e62

SHA1
c4f7898af4573cf482d7af17178b8681a85b6e2f

SHA256
0df4e327a744e292576ecd801b4582ba604c68ac674d5e5b4434c105dd49303e

SHA512
bc40a46052462e1849a746a4ed9f90c889b8c64d179b6d82610279a791d7c6439a5c9eb5a485d8404436db74c70e4d8cbe18d471d6b6aaf7db8ad4ea3b11cdfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC464.exe

Filesize
15KB

MD5
846b9455b8b93f0da0013b9d3fc49908

SHA1
97afc9c370bbaaf1a8b03e18eb73bf13e788eb90

SHA256
d7da7807c74dd766cdaaf7f1a87b24c35a2f30cedb11bf3f2b99fd4a697df53e

SHA512
974527397175ee6ea9f8339d7dd5f7ca5a2de0864e15e2e126c3e33715f2d9b799fd513abbd3ba9e1ab04f04d9095669fa58c78f5c2b1e5b40bd8accf5bd867b

Download Submit

Analysis

Sharing