4f153c2632f0d91886154f8925710a6968fab07cc5c4ee137c99d8a529a3978d

General

Target

b29cbcfdd0530454f7ae5c6fc57767b8_JaffaCakes118.exe
Size

14KB
MD5

b29cbcfdd0530454f7ae5c6fc57767b8
SHA1

0a1b625a3334d94ef3b90367bb4d96fbcb11bf15
SHA256

4f153c2632f0d91886154f8925710a6968fab07cc5c4ee137c99d8a529a3978d
SHA512

998b3c3aef6769aacbc012e3bfc4cbe782a19b0b8d598831ac6b01b0f6e6955cb0d0792a9beed762a87aa8066757cbff987dea86de9178734573495a98e17da5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0pji:hDXWipuE+K3/SSHgx49i

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	b29cbcfdd0530454f7ae5c6fc57767b8_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEM7A8F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEMD0EC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEM26BD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEM7CBD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEMD27E.exe

Executes dropped EXE 6 IoCs

pid	Process
2848	DEM7A8F.exe
3448	DEMD0EC.exe
3228	DEM26BD.exe
3436	DEM7CBD.exe
2248	DEMD27E.exe
2744	DEM28AC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b29cbcfdd0530454f7ae5c6fc57767b8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7A8F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD0EC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM26BD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7CBD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD27E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM28AC.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2848	1912	b29cbcfdd0530454f7ae5c6fc57767b8_JaffaCakes118.exe	96
PID 1912 wrote to memory of 2848	1912	b29cbcfdd0530454f7ae5c6fc57767b8_JaffaCakes118.exe	96
PID 1912 wrote to memory of 2848	1912	b29cbcfdd0530454f7ae5c6fc57767b8_JaffaCakes118.exe	96
PID 2848 wrote to memory of 3448	2848	DEM7A8F.exe	101
PID 2848 wrote to memory of 3448	2848	DEM7A8F.exe	101
PID 2848 wrote to memory of 3448	2848	DEM7A8F.exe	101
PID 3448 wrote to memory of 3228	3448	DEMD0EC.exe	103
PID 3448 wrote to memory of 3228	3448	DEMD0EC.exe	103
PID 3448 wrote to memory of 3228	3448	DEMD0EC.exe	103
PID 3228 wrote to memory of 3436	3228	DEM26BD.exe	106
PID 3228 wrote to memory of 3436	3228	DEM26BD.exe	106
PID 3228 wrote to memory of 3436	3228	DEM26BD.exe	106
PID 3436 wrote to memory of 2248	3436	DEM7CBD.exe	116
PID 3436 wrote to memory of 2248	3436	DEM7CBD.exe	116
PID 3436 wrote to memory of 2248	3436	DEM7CBD.exe	116
PID 2248 wrote to memory of 2744	2248	DEMD27E.exe	118
PID 2248 wrote to memory of 2744	2248	DEMD27E.exe	118
PID 2248 wrote to memory of 2744	2248	DEMD27E.exe	118

C:\Users\Admin\AppData\Local\Temp\b29cbcfdd0530454f7ae5c6fc57767b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b29cbcfdd0530454f7ae5c6fc57767b8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Local\Temp\DEM7A8F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7A8F.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\DEMD0EC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD0EC.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Users\Admin\AppData\Local\Temp\DEM26BD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM26BD.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3228
    - - C:\Users\Admin\AppData\Local\Temp\DEM7CBD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7CBD.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3436
      - C:\Users\Admin\AppData\Local\Temp\DEMD27E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD27E.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\DEM28AC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM28AC.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM26BD.exe

Filesize
14KB

MD5
d2d891a3a30c4f2695af4ffe08e963c7

SHA1
6dd2eedd951cf1978b05f6097104f7ee918995b1

SHA256
0ebf2fd580f77dc5fa653766aa06e30b58e44935ddc72dd133fef3dcbda61f07

SHA512
9faacdeb0a417abb4b01aa72a827bf5d1d9026cc6e320a0abcdb2cece92fd66a794f7772052e1fdb65b62e1cd97d6ca2fcdbb81ee85aff4e813f636995d87ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM28AC.exe

Filesize
14KB

MD5
0a9eef2ca0ebd7b90338b6ce2a8ecb9c

SHA1
a289c22cec1904e4c24078bc283bb9cb40d316d4

SHA256
3f41fc6a566a98260f80b61c68dbeb6bc2cfc8a7fb077e692352e5867412a009

SHA512
d06841f4d5b03263aebfd9f8353adb2d82d72fd4d20bd46aae9444d1263ae2270e74a0cbae3c7e2d41d9bddc94ad750028acf29e20b00a59816d589dcbfc3ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7A8F.exe

Filesize
14KB

MD5
9ba4b406100fc13bcd4950de539b8d23

SHA1
f4b799cf474bc2d6150ebec4d755c0d4c1c16428

SHA256
b45c291fb993ba3d16df09ef798ae60d96494b3fbb2768f7074c6ce9b64db5e3

SHA512
3c2c164a44475b492b10e91f407f2141503f8a8f6fd59b17b23a7378e8de506e23ac7cf0486385467bbd8270f646b5aa8edf5cd97217e1c0ec879dcf38f8d0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7CBD.exe

Filesize
14KB

MD5
7b95721afaad2cff182d2b455597662e

SHA1
fa7790590eccd93a1fc4ca1cfc6d43b9312fed81

SHA256
2804089a377ab2a242587fdd82ba4025a2a64b0bc7334bb1e00264a071a72bcc

SHA512
147949e2ff658a3ab65c4d8b5d095c8a399ca919b1147df1ed4e2d1a8451ef13db8b6e770f28db8c9aca7ff2f45cb813437ad45bb1da6346b67fdc3b48016ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD0EC.exe

Filesize
14KB

MD5
160f1805a856ea9d2715d51307b4e4e2

SHA1
aae566cd78fb5896e10945f38c0f97bca45f610f

SHA256
22aa793c6def2847c02590c7461fed685c46908abd9f730f66a6cc9eee7fad4a

SHA512
22551eec615b24debe95b03048a004e15af850f557e524c1b35e6b7cfedd38c2cd1457203a552ca466e2f5f63f5a57acabf6dcc2b063518f7fd2d0492a6ff4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD27E.exe

Filesize
14KB

MD5
4aeb46c80ac1cf8a62e5b0ea4ac1ceca

SHA1
78512a25aa40db90dde65cadae5e1d1785549917

SHA256
4182e708caab313aebd801a17444be177d0a1748e5d2f91e2d29d3bf83d5a24c

SHA512
4f93be84c3c2cbdc339950f6bc106fb02cabfc53edbd1a07ff94c11b58173f0d293a8d57f2a4f01a8f65b250c255d92c588406c96f020f5a97c102df70a29d36

Download Submit

Analysis

Sharing