21f8ace4806e564d9dcfcae5294ebaeb93bb03da384f6051d56d78ac0ff5072e

General

Target

8e96843dde27df3b1be6b81166812c0f_JaffaCakes118.exe
Size

15KB
MD5

8e96843dde27df3b1be6b81166812c0f
SHA1

bcb8d274737f97584b7ac6f0ad1aff4dcab5fabf
SHA256

21f8ace4806e564d9dcfcae5294ebaeb93bb03da384f6051d56d78ac0ff5072e
SHA512

3667d9de7a3707211e13e3e451028a474b7daec861d58860d399ffced2d6a0f1d39c07b7beb876b4c118b7593adfa81834525b9bb1c2eef43b7b73b1e163a5d5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlQ:hDXWipuE+K3/SSHgxmlQ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM735B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEMC9E7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM1FE7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM75C7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEMCBA8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	8e96843dde27df3b1be6b81166812c0f_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
1324	DEM735B.exe
2148	DEMC9E7.exe
3680	DEM1FE7.exe
3264	DEM75C7.exe
2520	DEMCBA8.exe
2148	DEM2198.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e96843dde27df3b1be6b81166812c0f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM735B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC9E7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1FE7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM75C7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCBA8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2198.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 1324	2840	8e96843dde27df3b1be6b81166812c0f_JaffaCakes118.exe	95
PID 2840 wrote to memory of 1324	2840	8e96843dde27df3b1be6b81166812c0f_JaffaCakes118.exe	95
PID 2840 wrote to memory of 1324	2840	8e96843dde27df3b1be6b81166812c0f_JaffaCakes118.exe	95
PID 1324 wrote to memory of 2148	1324	DEM735B.exe	100
PID 1324 wrote to memory of 2148	1324	DEM735B.exe	100
PID 1324 wrote to memory of 2148	1324	DEM735B.exe	100
PID 2148 wrote to memory of 3680	2148	DEMC9E7.exe	103
PID 2148 wrote to memory of 3680	2148	DEMC9E7.exe	103
PID 2148 wrote to memory of 3680	2148	DEMC9E7.exe	103
PID 3680 wrote to memory of 3264	3680	DEM1FE7.exe	105
PID 3680 wrote to memory of 3264	3680	DEM1FE7.exe	105
PID 3680 wrote to memory of 3264	3680	DEM1FE7.exe	105
PID 3264 wrote to memory of 2520	3264	DEM75C7.exe	115
PID 3264 wrote to memory of 2520	3264	DEM75C7.exe	115
PID 3264 wrote to memory of 2520	3264	DEM75C7.exe	115
PID 2520 wrote to memory of 2148	2520	DEMCBA8.exe	117
PID 2520 wrote to memory of 2148	2520	DEMCBA8.exe	117
PID 2520 wrote to memory of 2148	2520	DEMCBA8.exe	117

C:\Users\Admin\AppData\Local\Temp\8e96843dde27df3b1be6b81166812c0f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8e96843dde27df3b1be6b81166812c0f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Temp\DEM735B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM735B.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\DEMC9E7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC9E7.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\DEM1FE7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1FE7.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Users\Admin\AppData\Local\Temp\DEM75C7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM75C7.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3264
      - C:\Users\Admin\AppData\Local\Temp\DEMCBA8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCBA8.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\DEM2198.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2198.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1FE7.exe

Filesize
15KB

MD5
ab473d31e3770515a18cd6d978af8d9d

SHA1
60861d35d16512fc3f39043ef5eaf3f1652c56b5

SHA256
02760710254b62565c84db41a2a218d9d9365555822173a3af45c90cff53f9e1

SHA512
51f923ff853f697e2530aa03ba7b7d27020e305938cdaf77cae98e64147f05fa28d686697bcf39786e9c0481543510b3a5ed4d26f3566fdb9a36edbf2aa6b211

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2198.exe

Filesize
15KB

MD5
b8305d78ff0b7d8a8922612f44e2e0f0

SHA1
6e03ef25dc8c1b2b6f8fb1a4b49e5463cb1835cd

SHA256
cbb4ed73c4557b03836c77415d70b8f47d58a8dd6649ab6d7255a86fded03b0a

SHA512
200ab2cac5f06b921ebdc85a88182560ddf227e29dbbecc9be63847ee3fae3e1139a6832e430ad9e9e42248a571580444e93acb1c87fdaea8102363c1c7caace

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM735B.exe

Filesize
15KB

MD5
d1d4bb8988797caceef2f820f288cdaa

SHA1
c0581586838869bdfcedcad6c8907f7026bc03a8

SHA256
648e9f844efdcfbce3c01204eed7a208553dab82e287b26ed94c70a9573a2f44

SHA512
16a4e0aeffe527d34c355b6371ed03709ac77849723398b88c8320ef487d841f82603dd94a39173b463befdc32768a05494ece2666291f5cc7a4b71d7cd2259a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM75C7.exe

Filesize
15KB

MD5
424bf38317062b254166348f5eeec022

SHA1
cd9934877da83971fba4607798f0705cde3655c8

SHA256
e43be2ffecab39db39ec2acffbe52b16cd67e712156fcf12ac9cfaeae7cfe4e1

SHA512
778c12dc0f9d9e6a308d0a39c2a4466a4927c42eeba0910bfd67abf2b9e99895b8402d1dd7989d4c019639fb281e8b1d2d6a201dbbd5dc06c8fc35c00c9a3b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC9E7.exe

Filesize
15KB

MD5
fa6c5ff7d2f5d5c9253d4d990b91026b

SHA1
a3d82c45656e7b4e8f6ffa2d0107f75ca584bb72

SHA256
4043efb84a69514076c44e901a097b21cea5f80472a2e4f5b8abdd0ee0241f82

SHA512
68662b354b59ff944c651d4b953022d76c7047d05347d932a54139f88c2f58d3a93afb9324ef1a1863dd1ebdd08eca1a16f3950155365c907fcec048d194849f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCBA8.exe

Filesize
15KB

MD5
96f7a1cfdd3eb34166489f20c9f1058c

SHA1
518de566594e26eeade3c6cd5d12d56c9064780a

SHA256
2a7193e762cb9bc7654a420fb7cc2aa975bb239a55cdf23a3762eff7fb725744

SHA512
61347fb2e70d064353d92a3c31b3978699d1bc4aae610084586121523fb96da8b67818958ff911fd97a07e3d227dbaaf28e4c1f54a029f8b9889fe949d077f93

Download Submit

Analysis

Sharing