fb2fe060667566ffc162ba609be240251d42e3d50fda5b9aa543cd74ba5880bc

General

Target

b0bd37795c70a73d0ae768e65e910a31_JaffaCakes118.exe
Size

14KB
MD5

b0bd37795c70a73d0ae768e65e910a31
SHA1

834bd5be729b11d985f0bfe11a003a31851ac5b3
SHA256

fb2fe060667566ffc162ba609be240251d42e3d50fda5b9aa543cd74ba5880bc
SHA512

bf0b5a8a0aeb9cb75d4a5dee125dd691400a38faf1b2818cf73499621f53f3504ca6944c151311b54103275f07bc13a7640b8cbc8c6aeae14f7390aa5a0f03e5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY52S:hDXWipuE+K3/SSHgxml

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM6DE8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEMC3F7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	b0bd37795c70a73d0ae768e65e910a31_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM6B3D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEMC1C9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM17F8.exe

Executes dropped EXE 6 IoCs

pid	Process
3496	DEM6B3D.exe
1792	DEMC1C9.exe
1196	DEM17F8.exe
452	DEM6DE8.exe
2044	DEMC3F7.exe
3272	DEM1A06.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1A06.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0bd37795c70a73d0ae768e65e910a31_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6B3D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC1C9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM17F8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6DE8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC3F7.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 3496	4988	b0bd37795c70a73d0ae768e65e910a31_JaffaCakes118.exe	96
PID 4988 wrote to memory of 3496	4988	b0bd37795c70a73d0ae768e65e910a31_JaffaCakes118.exe	96
PID 4988 wrote to memory of 3496	4988	b0bd37795c70a73d0ae768e65e910a31_JaffaCakes118.exe	96
PID 3496 wrote to memory of 1792	3496	DEM6B3D.exe	100
PID 3496 wrote to memory of 1792	3496	DEM6B3D.exe	100
PID 3496 wrote to memory of 1792	3496	DEM6B3D.exe	100
PID 1792 wrote to memory of 1196	1792	DEMC1C9.exe	103
PID 1792 wrote to memory of 1196	1792	DEMC1C9.exe	103
PID 1792 wrote to memory of 1196	1792	DEMC1C9.exe	103
PID 1196 wrote to memory of 452	1196	DEM17F8.exe	106
PID 1196 wrote to memory of 452	1196	DEM17F8.exe	106
PID 1196 wrote to memory of 452	1196	DEM17F8.exe	106
PID 452 wrote to memory of 2044	452	DEM6DE8.exe	115
PID 452 wrote to memory of 2044	452	DEM6DE8.exe	115
PID 452 wrote to memory of 2044	452	DEM6DE8.exe	115
PID 2044 wrote to memory of 3272	2044	DEMC3F7.exe	117
PID 2044 wrote to memory of 3272	2044	DEMC3F7.exe	117
PID 2044 wrote to memory of 3272	2044	DEMC3F7.exe	117

C:\Users\Admin\AppData\Local\Temp\b0bd37795c70a73d0ae768e65e910a31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b0bd37795c70a73d0ae768e65e910a31_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Local\Temp\DEM6B3D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6B3D.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Users\Admin\AppData\Local\Temp\DEMC1C9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC1C9.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\DEM17F8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM17F8.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1196
    - - C:\Users\Admin\AppData\Local\Temp\DEM6DE8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6DE8.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:452
      - C:\Users\Admin\AppData\Local\Temp\DEMC3F7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC3F7.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\DEM1A06.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1A06.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM17F8.exe

Filesize
14KB

MD5
24bd07853a059537615b42947a7117d4

SHA1
7c39e33d7cba7cf3c10b283fbfbcc215de9fbf32

SHA256
3cabc3866e9c52537b701b42bd09abf125fc94e8d527095a65027e08b4962b9e

SHA512
e9c2d3efff099b6545e6eb828461b5fb8ad37fd35c026fc63220eedaff8ec4392c68f34899dad72def50ced14b9e529b5d40c46d85bdc6ba9bcf2e285f9bc5e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1A06.exe

Filesize
15KB

MD5
5342b74ffdc5374d40875fa5f0369ab9

SHA1
91ef06f527a63dac1af5818d53050866cda330d8

SHA256
eef6679297c33b6a1d7e57e0edf1711f8deca599ff1d4624b732b21f4eb4c9e6

SHA512
4e1f3c04f7a7479564960d1aafd0f1fce6b52ad59b195ccfc023602f2c35edbf0ce968faefdbc5d85bcde32635b204f9f194a98e242fc11d4a2bb39d749cbc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6B3D.exe

Filesize
14KB

MD5
e950d376caf019683befff50e12f0287

SHA1
25ca1281ba8e5343a17934ab63be233d80328055

SHA256
e562a5696c304f51d4ef7e64d8be36a297ad69dd88fd32263384d340abb498db

SHA512
f6c4595cba43dadf116e528f73c8e96ea40772a25046720aac94eed761e473467fb80c4d41935b01832233b531b2a4c02bc2a837592a05a46a252d859c091564

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6DE8.exe

Filesize
14KB

MD5
c6f93a0e97e13e70db91875c798ab5b0

SHA1
73ef733659442ec33ced390a836463a188066450

SHA256
9ebbb93c246993bffa31b0f0524d637738e51939d912d3d1ee6194809aea25ce

SHA512
adb40d3e9e19a4ece79608a18a18a606da4d2609fe1507a736e9916ddba62f732f93ee9fe934f7b559a14ae0c72a87375ef44ee4893002b4e317af1d580a85e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC1C9.exe

Filesize
14KB

MD5
451ead19b97ebd4abe3f9b5c6f76ce4c

SHA1
6f79ce9604ced755bbde50dbdb1687fbcff4c9b4

SHA256
1d5b96ab38b5a24bef434cb0256e0c83f5c8b85e96d0b26e40bb3d43f3f84f90

SHA512
b15019da9cdf44b9a5723917284909452ac24410bc9790f0beaa103f7f8ab40a56dc60a42deb4ffda97a6f658a656f0103a02778e9cf6d35510729a502062806

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC3F7.exe

Filesize
14KB

MD5
d83e9d9196276973f59124c3f6b23775

SHA1
96f427a7f153456ebc881d15bcdfcace17e97f8a

SHA256
dfa004722a85cc6cf4b0d36bc9ed86af62b979514c9b685af38b9f11d5282370

SHA512
5ae60c5869b8db5116c74525d6df80a7e4b89ed82666bb386e4eecc114a1e0b9a87bf5d0462c879695f5fd3ef5e05294bc0a01b588e5f54781b49dcd71603c81

Download Submit

Analysis

Sharing