f223752a100e6e0ac4dd05bf708187d9d3d17adee506588f893ae98c1730561d

General

Target

a52cbcd778432b91d8abe85f56e2ea51_JaffaCakes118.exe
Size

14KB
MD5

a52cbcd778432b91d8abe85f56e2ea51
SHA1

7b64c7ffa0965f9ca80d8e573231642ca9f60757
SHA256

f223752a100e6e0ac4dd05bf708187d9d3d17adee506588f893ae98c1730561d
SHA512

80a41eadc6a044b24ab964e2bc5827908554560e78f88d661d457c867911c12c25425d30a06852d3854da7e0557ba35ad442463f27b9c8f4ca08813652760b99
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlX:hDXWipuE+K3/SSHgxmlX

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	a52cbcd778432b91d8abe85f56e2ea51_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEM7F80.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEMD66A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEM2CD7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEM8279.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEMD7FC.exe

Executes dropped EXE 6 IoCs

pid	Process
3460	DEM7F80.exe
4524	DEMD66A.exe
4108	DEM2CD7.exe
2980	DEM8279.exe
876	DEMD7FC.exe
1356	DEM2E0B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2E0B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a52cbcd778432b91d8abe85f56e2ea51_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7F80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD66A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2CD7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8279.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD7FC.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 3460	4104	a52cbcd778432b91d8abe85f56e2ea51_JaffaCakes118.exe	96
PID 4104 wrote to memory of 3460	4104	a52cbcd778432b91d8abe85f56e2ea51_JaffaCakes118.exe	96
PID 4104 wrote to memory of 3460	4104	a52cbcd778432b91d8abe85f56e2ea51_JaffaCakes118.exe	96
PID 3460 wrote to memory of 4524	3460	DEM7F80.exe	101
PID 3460 wrote to memory of 4524	3460	DEM7F80.exe	101
PID 3460 wrote to memory of 4524	3460	DEM7F80.exe	101
PID 4524 wrote to memory of 4108	4524	DEMD66A.exe	104
PID 4524 wrote to memory of 4108	4524	DEMD66A.exe	104
PID 4524 wrote to memory of 4108	4524	DEMD66A.exe	104
PID 4108 wrote to memory of 2980	4108	DEM2CD7.exe	106
PID 4108 wrote to memory of 2980	4108	DEM2CD7.exe	106
PID 4108 wrote to memory of 2980	4108	DEM2CD7.exe	106
PID 2980 wrote to memory of 876	2980	DEM8279.exe	116
PID 2980 wrote to memory of 876	2980	DEM8279.exe	116
PID 2980 wrote to memory of 876	2980	DEM8279.exe	116
PID 876 wrote to memory of 1356	876	DEMD7FC.exe	118
PID 876 wrote to memory of 1356	876	DEMD7FC.exe	118
PID 876 wrote to memory of 1356	876	DEMD7FC.exe	118

C:\Users\Admin\AppData\Local\Temp\a52cbcd778432b91d8abe85f56e2ea51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a52cbcd778432b91d8abe85f56e2ea51_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Users\Admin\AppData\Local\Temp\DEM7F80.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7F80.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Users\Admin\AppData\Local\Temp\DEMD66A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD66A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Users\Admin\AppData\Local\Temp\DEM2CD7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2CD7.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4108
    - - C:\Users\Admin\AppData\Local\Temp\DEM8279.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8279.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Users\Admin\AppData\Local\Temp\DEMD7FC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD7FC.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\DEM2E0B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2E0B.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2CD7.exe

Filesize
14KB

MD5
1b3ec2d02b6d946b8bf3d1cfb88f1742

SHA1
1ab1fcc6a3eaa7e186ffa94e53cc9f9478224cde

SHA256
5c60269fea07498bf0892bc4da739d95edda8c1a31f70905ef023bcdeac3385b

SHA512
b055f16eed34ae1d9993ca47ea82a64e92dde6f9fb6fa0a4a57d556112e9e0cc701c0a0221073b7f3da9f72ddae1d0d1d255733ac401bf0413a00f417d130e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2E0B.exe

Filesize
14KB

MD5
738943b8e86d7d65f25127257dad6b12

SHA1
d1261297a29e815499f47cb738da22279fca875f

SHA256
e5df4c73fbfcdf755a05871fb1ccd4da544170b46c43047a8faec389cd3bfe20

SHA512
4b2c59760140ec2f8658c4f715a3d642ac09458c8476d715c67b00117a41a3e4b68e5059f65a4e7091dff604b60c278e44fd70de16d63159981b77da42e8c120

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7F80.exe

Filesize
14KB

MD5
0c81d6f07dbe28209b88bbfbca00c263

SHA1
bfbc4907294445f17d6ced896a706ead72b7e188

SHA256
41824afe0b3c7ea6d77a010485d3f9243cac426b5a54e2336744ef441a94401b

SHA512
bd668f966646d6fa0cdaedbca2b8c32f887a3fe0908160d0fd3f86499c50b4e78f82fda9d0c9c9e6d7337aede67a45a34dd66c5bfa25cde2101b884fcdbdcac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8279.exe

Filesize
14KB

MD5
48667d3fdc60083be6d793f28fd1d6b7

SHA1
0749f37eb7dc4965472cf13e7bdb8ec79610478c

SHA256
6f5b015cd6a9f4a4fcd4bb205e83e6d7fb43190eaac2a69e6e547fa6aad5cc8c

SHA512
51f99247dd477487d3e915b64c4efd6a0cfa394a9bf5443f5219f161bb6ca870160c73065e550dc2737a9347e5395e787151d5c1be5daa829668fb176cef4ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD66A.exe

Filesize
14KB

MD5
ced56d3a93d19787ae3f9419e7902e75

SHA1
cfa329d397f141b7f310a9abe4f47dc16e26a71a

SHA256
f95c201e7fc06e44d935888f38a204021532c64bd40d1bf2b8e5108674db34e1

SHA512
ae8295be888ff98c1f41ec24509b04188410616fa5ff947d7aa6c67b9074bd3ce143b97cd25b19a770e95a3f52581cc57389bc24b4920d1f3354c17089788bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD7FC.exe

Filesize
14KB

MD5
3acd6555c836b3768833db4824942133

SHA1
16cb7cc8d98f99e2dad864994a601b5714d0c3f5

SHA256
b6167c629a6aabe6443abe44432be465e9449ee665bb58110957a48a5ef08581

SHA512
ee23431783b45f27c80febd55d07053a032f14588522b05029248ad02b6b12498aaf143d82c0b44594e5a3731c06e509a38fef3f20e5ac28458bfde726ffdf0e

Download Submit

Analysis

Sharing