f1e2da6079d1701943e03bf6b177df35c13211f8b9f6dfea92aa6832183c97f2

General

Target

a70c8dd4639b25a4545f397d1233fad7_JaffaCakes118.exe
Size

15KB
MD5

a70c8dd4639b25a4545f397d1233fad7
SHA1

fb82e4f16ec047dc4ec4b13632408e8a1f0db2d1
SHA256

f1e2da6079d1701943e03bf6b177df35c13211f8b9f6dfea92aa6832183c97f2
SHA512

024fdc137b1111b063ea68e0a91de2239e98ead29e124988b54facdae33554d0c5b1a50ccdc271ee2b6cd4234baa6e9acd519cb2979841959adc7650a0cfe2ef
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYKB2HR:hDXWipuE+K3/SSHgxmKEx

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	a70c8dd4639b25a4545f397d1233fad7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEM6755.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEMBE10.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEM144E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEM6AAC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEMC138.exe

Executes dropped EXE 6 IoCs

pid	Process
3200	DEM6755.exe
4516	DEMBE10.exe
4668	DEM144E.exe
1540	DEM6AAC.exe
3320	DEMC138.exe
2340	DEM1776.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM144E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6AAC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC138.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1776.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a70c8dd4639b25a4545f397d1233fad7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6755.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBE10.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 3200	4208	a70c8dd4639b25a4545f397d1233fad7_JaffaCakes118.exe	95
PID 4208 wrote to memory of 3200	4208	a70c8dd4639b25a4545f397d1233fad7_JaffaCakes118.exe	95
PID 4208 wrote to memory of 3200	4208	a70c8dd4639b25a4545f397d1233fad7_JaffaCakes118.exe	95
PID 3200 wrote to memory of 4516	3200	DEM6755.exe	100
PID 3200 wrote to memory of 4516	3200	DEM6755.exe	100
PID 3200 wrote to memory of 4516	3200	DEM6755.exe	100
PID 4516 wrote to memory of 4668	4516	DEMBE10.exe	103
PID 4516 wrote to memory of 4668	4516	DEMBE10.exe	103
PID 4516 wrote to memory of 4668	4516	DEMBE10.exe	103
PID 4668 wrote to memory of 1540	4668	DEM144E.exe	105
PID 4668 wrote to memory of 1540	4668	DEM144E.exe	105
PID 4668 wrote to memory of 1540	4668	DEM144E.exe	105
PID 1540 wrote to memory of 3320	1540	DEM6AAC.exe	114
PID 1540 wrote to memory of 3320	1540	DEM6AAC.exe	114
PID 1540 wrote to memory of 3320	1540	DEM6AAC.exe	114
PID 3320 wrote to memory of 2340	3320	DEMC138.exe	116
PID 3320 wrote to memory of 2340	3320	DEMC138.exe	116
PID 3320 wrote to memory of 2340	3320	DEMC138.exe	116

C:\Users\Admin\AppData\Local\Temp\a70c8dd4639b25a4545f397d1233fad7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a70c8dd4639b25a4545f397d1233fad7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\DEM6755.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6755.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Users\Admin\AppData\Local\Temp\DEMBE10.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBE10.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Users\Admin\AppData\Local\Temp\DEM144E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM144E.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4668
    - - C:\Users\Admin\AppData\Local\Temp\DEM6AAC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6AAC.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Users\Admin\AppData\Local\Temp\DEMC138.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC138.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\DEM1776.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1776.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM144E.exe

Filesize
15KB

MD5
aea17b5a37c9a9bd51b4c2159f768cb1

SHA1
8e6784588fcac4652eeab423984de2467d65b870

SHA256
86719b4207fb195831b8b0733e3651813aead8837b856d8a23903ae6a56310b2

SHA512
7abb24369a74a3610b5b58b939b4bb2359848d02a0575fbbdcb041c48d3b8c07c9d4f10f280273f198b1d656df49861c2106d14c45daf8647b1036cdad62c0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1776.exe

Filesize
15KB

MD5
a0dd302dc74844aec0ac6ed6afb441d6

SHA1
fc997af27dd789490c4b5324bfbce05469ef3178

SHA256
24a1fb626c203cd6cd4b2489797e7532db2954ae1a5b100fec45f72c377cc11f

SHA512
f17820b24522c0303300245be60b1fde1bcf8b6a8c4b614bc07c39b92c3004621164eb785c00f519aa520c76424e81323d67957733f894d1f82899093847057b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6755.exe

Filesize
15KB

MD5
ffe3032a2502b1d9bb71f616adb76ce7

SHA1
50876cfb1377c947e801a50597c9482cf7dc7056

SHA256
4002423b89c24957aa721f49b74ef3dd9ea141ea8e6ded4f47df7da1c9debc78

SHA512
d6de40125b739807f8cf6edfe596cef79c010111610c0099aea5dd88bcb330f7037ceab0f59970da74248581605b01d7b7584ea0215feebd11884441ad71dc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6AAC.exe

Filesize
15KB

MD5
e0986d6529eaae4b144d94f59ce9ca55

SHA1
2419b1633922b3585290face4b97fbfae81c1edd

SHA256
9f24e1488621c097e8c5cb71e792550ce548e6e5e5f1a53d8060c63687337a72

SHA512
c7d38a4940528c45c32d11c7799c28e219323f55261654d5918be34486f5a5d3cbf8395b2d3e07a614b5a08ae200eacb4a82a54c5a646a3f7a5120742d9be14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBE10.exe

Filesize
15KB

MD5
b65801c7f2c466ca79741b21cfdd0da7

SHA1
1d34c3f4b3ad014e1b58e843fd731a400d631414

SHA256
cb1e4a3fd444b7f702fded94d63d7507cde678df5d045aff8f8390145025545f

SHA512
a7f90bf743d32a84589dce7cecff4a119b7e3531d62c07432dc0c36421e61b17da5231dc7a6a62f9e884b407fa645c194a625dd4f8647a5100423c51bc2e6716

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC138.exe

Filesize
15KB

MD5
7cd4d637389ebd496433e4d68a194e94

SHA1
39665c751f3ff0f690197b52cad66f17583b1f43

SHA256
b7abca764ca974e3559c27b429d4190384ab7d9252ff6c03afc662ca40d5a46d

SHA512
c7864b4fbc8ff7dbc3526873ea133d2dc4cc808316d2bc8db19af475c6e77af78148f3a89054e55b49d05d13bd9537daaf44e86dc8da1811fe1d0553d0bab7d9

Download Submit

Analysis

Sharing