b4c0314f6770de6628320fa5a94bf3bfa2ae45de92855a7cf5b779b9ec456dd4

General

Target

c1db69663ea261de5d2b73d56cbac089_JaffaCakes118.exe
Size

14KB
MD5

c1db69663ea261de5d2b73d56cbac089
SHA1

85b40bf985f91e88d4598e5b3bae659468676e9b
SHA256

b4c0314f6770de6628320fa5a94bf3bfa2ae45de92855a7cf5b779b9ec456dd4
SHA512

03a922d68789c06ba3f27a3587ca211ed1e5db248012c3391008a96108632415617eedd4bb4e75510494dba9836951cb001ce6d250c84b9ff0ba39a0914e72e2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYWmbZk:hDXWipuE+K3/SSHgxmWmbu

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c1db69663ea261de5d2b73d56cbac089_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM7C15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEMD2C1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM28B1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM7EFF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEMD53D.exe

Executes dropped EXE 6 IoCs

pid	Process
1864	DEM7C15.exe
3468	DEMD2C1.exe
2516	DEM28B1.exe
1328	DEM7EFF.exe
3904	DEMD53D.exe
1644	DEM2B4C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1db69663ea261de5d2b73d56cbac089_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7C15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD2C1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM28B1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7EFF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD53D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2B4C.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 1864	3252	c1db69663ea261de5d2b73d56cbac089_JaffaCakes118.exe	96
PID 3252 wrote to memory of 1864	3252	c1db69663ea261de5d2b73d56cbac089_JaffaCakes118.exe	96
PID 3252 wrote to memory of 1864	3252	c1db69663ea261de5d2b73d56cbac089_JaffaCakes118.exe	96
PID 1864 wrote to memory of 3468	1864	DEM7C15.exe	103
PID 1864 wrote to memory of 3468	1864	DEM7C15.exe	103
PID 1864 wrote to memory of 3468	1864	DEM7C15.exe	103
PID 3468 wrote to memory of 2516	3468	DEMD2C1.exe	105
PID 3468 wrote to memory of 2516	3468	DEMD2C1.exe	105
PID 3468 wrote to memory of 2516	3468	DEMD2C1.exe	105
PID 2516 wrote to memory of 1328	2516	DEM28B1.exe	108
PID 2516 wrote to memory of 1328	2516	DEM28B1.exe	108
PID 2516 wrote to memory of 1328	2516	DEM28B1.exe	108
PID 1328 wrote to memory of 3904	1328	DEM7EFF.exe	110
PID 1328 wrote to memory of 3904	1328	DEM7EFF.exe	110
PID 1328 wrote to memory of 3904	1328	DEM7EFF.exe	110
PID 3904 wrote to memory of 1644	3904	DEMD53D.exe	116
PID 3904 wrote to memory of 1644	3904	DEMD53D.exe	116
PID 3904 wrote to memory of 1644	3904	DEMD53D.exe	116

C:\Users\Admin\AppData\Local\Temp\c1db69663ea261de5d2b73d56cbac089_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1db69663ea261de5d2b73d56cbac089_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Users\Admin\AppData\Local\Temp\DEM7C15.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7C15.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\DEMD2C1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD2C1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3468
  - - C:\Users\Admin\AppData\Local\Temp\DEM28B1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM28B1.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Users\Admin\AppData\Local\Temp\DEM7EFF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7EFF.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1328
      - C:\Users\Admin\AppData\Local\Temp\DEMD53D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD53D.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\DEM2B4C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2B4C.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM28B1.exe

Filesize
14KB

MD5
ef3c2ae56795d874bb6ef29fdf3816ca

SHA1
b086e7357964978bb03c2d69b56e6964ca74e8b1

SHA256
49bd1b7773252a1ea3b27bdcd6a56250c81bd6ce7c2b348177c25d9cb47e6a90

SHA512
9e936563ffe40b716dcb5349bb4810947e7991c86ba17dfc82921900c66a47b511b9a29cbe3cbf1956dd20e473af8d4ab66f78698d604ac1e79d40269434f3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2B4C.exe

Filesize
14KB

MD5
24609520ee3fc4ab676a10f1c992de35

SHA1
0b3423a0f39210aef262ef8e918d01049b37d65d

SHA256
28a5e04121262ace40b988e71d94b4467f242c0f2fb726cd8e24b6d9f77f890a

SHA512
8c0b223cc6622add3b28361e5b0c49e92aca719e38b5b46d16a022560c589317117d097d5f29c43a800b65c07d9abad14ca75a4583cb93931cd65fb20f6215a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7C15.exe

Filesize
14KB

MD5
935e623312728317702edea3d8129e1e

SHA1
df65839ae9f79a6227e7cdfe4ef3d317209fd2e5

SHA256
c467f749b453b6673af900a6744e20ae24dbe16b1a0525457fbbe14f2c84e2fb

SHA512
9ef2a1f9790a42a15e78aef1b8f6645b404be64b5363ddb3d3f500e8cc925fd0e097706cbdd7323b4dc158e04ca59a49037c3db71bec1141a96870b599e36bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7EFF.exe

Filesize
14KB

MD5
db58fb101c29359fc1d669f77eb5edbf

SHA1
fb0ee8e8989a4e75f386cf9c7099835b718ca885

SHA256
52c65fab3f59727632ce7882f3fd233c436a6f6bf1a765b405548e83a3640fb8

SHA512
78cad5939137f3a58ce4f87a9168f76651906bef805fe8b963fbc5f67240edce05d4258d2baf1950bdee20a69e21e1a26a21335cbab626925a0cbc7182121c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD2C1.exe

Filesize
14KB

MD5
6fdebec2d8ba7c554fc9a83a21f3fe3b

SHA1
c8e69ab4748a6902cb57655e13c398b2bca42698

SHA256
eda5f48a21a831a29256d371ce2a472651638ce3af72c58c7130b870f6ed3fdd

SHA512
ac88a8cfb74ab0e3c0cf80c6ef34acd6a46c6afeac3ab693a58bd534a34f6cda02b973ebad43fc5246f83c2bfacc19edb82586528b20277c756239bcab6a3f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD53D.exe

Filesize
14KB

MD5
3346868c30676ffe28f7b7fe321b2c30

SHA1
dbf0e76af78555401f537e0b97ec5f14ed3b9e25

SHA256
128de2b60c2710afca1029ab5ab23aaf3af1467e167b5cc1d8908fc1a9eba0d5

SHA512
9b6aba5a8703d90d8339316c3ef062cb71d6b77ed29af94e75f3ef2cb24a7f6e7524239b94d132f754c78c4d03389e7d17aeeddb6a5faa0a788d781a5bd053fd

Download Submit

Analysis

Sharing