8125aaff2ea6e46a43a9eed3db341fe8ed97373e34eae60e1619bc61fbbd4751

General

Target

ba9f40b1d2fad8457615c91c21bdfd0e_JaffaCakes118.exe
Size

15KB
MD5

ba9f40b1d2fad8457615c91c21bdfd0e
SHA1

a9118a3ed6a2853eb8fb3947047a60ba36abe3ca
SHA256

8125aaff2ea6e46a43a9eed3db341fe8ed97373e34eae60e1619bc61fbbd4751
SHA512

d67a3d9ab77377bf30bd2f492c1885ad48ac7a33551f6ece838569fdd10965103ef16f4a4fb80786d9e5d2f902718248c720bbad7ea93e5aae669df352f34821
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJEHr:hDXWipuE+K3/SSHgxWr

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	ba9f40b1d2fad8457615c91c21bdfd0e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEMBA76.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEM1160.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEM679E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEMBE2B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEM14A7.exe

Executes dropped EXE 6 IoCs

pid	Process
3256	DEMBA76.exe
2336	DEM1160.exe
2940	DEM679E.exe
1180	DEMBE2B.exe
1112	DEM14A7.exe
2416	DEM6B53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba9f40b1d2fad8457615c91c21bdfd0e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBA76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1160.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM679E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBE2B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM14A7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6B53.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 3256	1120	ba9f40b1d2fad8457615c91c21bdfd0e_JaffaCakes118.exe	98
PID 1120 wrote to memory of 3256	1120	ba9f40b1d2fad8457615c91c21bdfd0e_JaffaCakes118.exe	98
PID 1120 wrote to memory of 3256	1120	ba9f40b1d2fad8457615c91c21bdfd0e_JaffaCakes118.exe	98
PID 3256 wrote to memory of 2336	3256	DEMBA76.exe	105
PID 3256 wrote to memory of 2336	3256	DEMBA76.exe	105
PID 3256 wrote to memory of 2336	3256	DEMBA76.exe	105
PID 2336 wrote to memory of 2940	2336	DEM1160.exe	108
PID 2336 wrote to memory of 2940	2336	DEM1160.exe	108
PID 2336 wrote to memory of 2940	2336	DEM1160.exe	108
PID 2940 wrote to memory of 1180	2940	DEM679E.exe	110
PID 2940 wrote to memory of 1180	2940	DEM679E.exe	110
PID 2940 wrote to memory of 1180	2940	DEM679E.exe	110
PID 1180 wrote to memory of 1112	1180	DEMBE2B.exe	121
PID 1180 wrote to memory of 1112	1180	DEMBE2B.exe	121
PID 1180 wrote to memory of 1112	1180	DEMBE2B.exe	121
PID 1112 wrote to memory of 2416	1112	DEM14A7.exe	125
PID 1112 wrote to memory of 2416	1112	DEM14A7.exe	125
PID 1112 wrote to memory of 2416	1112	DEM14A7.exe	125

C:\Users\Admin\AppData\Local\Temp\ba9f40b1d2fad8457615c91c21bdfd0e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ba9f40b1d2fad8457615c91c21bdfd0e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\DEMBA76.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMBA76.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Users\Admin\AppData\Local\Temp\DEM1160.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1160.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\DEM679E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM679E.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Users\Admin\AppData\Local\Temp\DEMBE2B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBE2B.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1180
      - C:\Users\Admin\AppData\Local\Temp\DEM14A7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM14A7.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\DEM6B53.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6B53.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1160.exe

Filesize
15KB

MD5
51ed3c5f9377d67327eae58e55d2b573

SHA1
260c8c2078fc9a6cdd7459bfbbf210e46cd33c59

SHA256
beb99caf9dad6d4a84df883ee3cb398b09569750f2d9d6020e2b4a823dbc8d23

SHA512
3c1a422789eee2dc36464850f117245d5037a4d130cf010d80b6fe2c12ca7044102e56d38a4a3d88f6a56af34b1fbe13c203a8ec608bf25a7ae4a51ed00e4820

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM14A7.exe

Filesize
15KB

MD5
df1a453ffbd04a7bacffa3c65f251119

SHA1
fc438beccdae72d0ec013af39667b88b626770d0

SHA256
ff995fad77f032e3ee02458000d704063ec849869d693ab926fcf7bca0fb9331

SHA512
275b8e0fc728f8d9b5c1889000e5eccf0e24ee89e11f5d11db0b08236bb9a899ebecda33bab10bb7fa879fe0c5de4f2cccb51324bc12cd0624942842f8d21534

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM679E.exe

Filesize
15KB

MD5
debb9ca701b072de50998cc04470c342

SHA1
3ea8eb131d8a2b4bc29756f13476d21b519b4973

SHA256
f1cb1b9439cf6b074248cf8d9aaf7c582c514e2624e344ed9f5bfda164a20dad

SHA512
d41ff2e3a1ab045b09e7c5fb0719392d59b7400478aec6cb9187d2c27229f3ce3ce4a140190436454acd1fddb5dccb1e2057b19e2d0e2faa513519678f80e59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6B53.exe

Filesize
15KB

MD5
e64f6d9e9994b92a4c542ad6be7550d5

SHA1
c43e3b0b62083c041c9c169cafe361b8f3918d65

SHA256
070eed0a9f81d8463967de931cd584441fe09aab9a62f2fabdca2e4b9b76c1a5

SHA512
5e96323d90081a6e81a9e63adc9245bf36ee1c271fe0745fbe6715868b6be7bb5d715b457f8e4b1241b28aeb717a586c617adeac94d7bb5054abbfa2a487c07e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBA76.exe

Filesize
15KB

MD5
fa49c8c10799abfd26d8e866d152c0b5

SHA1
41b1aaa71bd7fe93f31c1ac026ed0b281ed1cc52

SHA256
2b9e73494198931fb7e04dbd65dbbc742bbbf1cf5456218339bf12bec5ad1491

SHA512
e8ecd53483e89f1e5cc88660245d8cf43e9a3b0922bd8ab324b5553bd828b0877837e68734a91af95dc64bfdf412c0a89e3a19f3189eea91a83323f40f927ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBE2B.exe

Filesize
15KB

MD5
225ac31a42a5a805b5fa34ad3fe19ac0

SHA1
0408dd087c26fba02b38d0e7606354d08ac23e01

SHA256
ecf4ad86eaae228a4602b59138470fdee31feec651f131a806f9bab243d11054

SHA512
a43516f1cc5c15a38829f8b6f3e2977714d56e47eab954acae1c7f465bd0063bf6e18aa8c1cca56259056b73cc27c206fccd5d79a51115676579bc805470eff8

Download Submit

Analysis

Sharing