1730317f3ddf55d364e16a17c635cd42bdc8bb4187a550a4c0ecdf59ee1c51a9

General

Target

c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe
Size

15KB
MD5

c8367169b75166b43f8cdc9464ada72e
SHA1

a90d22340bc0147537003f4776991964920b6ff8
SHA256

1730317f3ddf55d364e16a17c635cd42bdc8bb4187a550a4c0ecdf59ee1c51a9
SHA512

e4a7af837fe793af3d2e2c89bcf8708ee92dd41946ea9cb2cb97b1e2cb69f9b789f0370d07128fc046ae3f6d9c33475c7fc15a6ef8d670edb48c146f9e0c120e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5JB:hDXWipuE+K3/SSHgxl5L

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEM9D69.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEMF3F5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEM4A43.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEMA042.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEMF652.exe

Executes dropped EXE 6 IoCs

pid	Process
4988	DEM9D69.exe
3304	DEMF3F5.exe
3024	DEM4A43.exe
2800	DEMA042.exe
4852	DEMF652.exe
540	DEM4C70.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4A43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA042.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF652.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4C70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9D69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF3F5.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 4988	1476	c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe	96
PID 1476 wrote to memory of 4988	1476	c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe	96
PID 1476 wrote to memory of 4988	1476	c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe	96
PID 4988 wrote to memory of 3304	4988	DEM9D69.exe	101
PID 4988 wrote to memory of 3304	4988	DEM9D69.exe	101
PID 4988 wrote to memory of 3304	4988	DEM9D69.exe	101
PID 3304 wrote to memory of 3024	3304	DEMF3F5.exe	103
PID 3304 wrote to memory of 3024	3304	DEMF3F5.exe	103
PID 3304 wrote to memory of 3024	3304	DEMF3F5.exe	103
PID 3024 wrote to memory of 2800	3024	DEM4A43.exe	106
PID 3024 wrote to memory of 2800	3024	DEM4A43.exe	106
PID 3024 wrote to memory of 2800	3024	DEM4A43.exe	106
PID 2800 wrote to memory of 4852	2800	DEMA042.exe	115
PID 2800 wrote to memory of 4852	2800	DEMA042.exe	115
PID 2800 wrote to memory of 4852	2800	DEMA042.exe	115
PID 4852 wrote to memory of 540	4852	DEMF652.exe	117
PID 4852 wrote to memory of 540	4852	DEMF652.exe	117
PID 4852 wrote to memory of 540	4852	DEMF652.exe	117

C:\Users\Admin\AppData\Local\Temp\c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\DEM9D69.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9D69.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\DEMF3F5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF3F5.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3304
  - - C:\Users\Admin\AppData\Local\Temp\DEM4A43.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4A43.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Users\Admin\AppData\Local\Temp\DEMA042.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA042.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Users\Admin\AppData\Local\Temp\DEMF652.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF652.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\DEM4C70.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4C70.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4A43.exe

Filesize
15KB

MD5
e692d1d947186ff151fdb581979ce2dc

SHA1
1eecdd54b048a34d29ca4850d115289748e9fbeb

SHA256
00a4c0c7a644522c9c484be397dd7c73c178339dce8f0067e2ce1e8c3dd75794

SHA512
21d99d354ec8517d3c4b6d03c44923e43cae3e9f797cbd1e59db9a286f0433a17b0c7fc47c7514fcd25413196f98ecf6577d8c7a57c8e09b54a14da7fc151de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4C70.exe

Filesize
15KB

MD5
107139c8c0b6047888f0bc01731ab045

SHA1
fc109789eb68cd4ee3377477332534da75449fb3

SHA256
f28c455ce5c16457ff1a699e9cba2a0acf78a54facf8eb2e49c080a356334e86

SHA512
4dc667f0e9e73c158977a478deeec9c6d865e16ff788004cca3bca3e07f1f2c016dd2eb73a707a4aa70546c30a4d7a55a3aaca734a3a046489828caaf44f6644

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9D69.exe

Filesize
15KB

MD5
57a9caaadb52f1a83ff1e2e5cfd74c81

SHA1
5fc643b0aacad98bb9bdc1e00c1dc64de9e32c89

SHA256
0bafaba891801400f979d372e411f37fb5e8a534225581378b25b46c34f0f5a5

SHA512
bbdc17e7c16cd2ff4d6619dab4b7c38bd71e88446e71c17bf537990c41320b085df499df6ebc80e994db721d8b326f15c50ba0e9b9dea895841d913c2c2225e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA042.exe

Filesize
15KB

MD5
21fd3a741d8e0850ecfe5aac74283811

SHA1
22e84623ef0e07c8d9447ea62988f18c7c5c0006

SHA256
572e449cba2028e41abfd1b092067b94358fde94b1484a75228500a0cf868284

SHA512
1f516d1cbb0d45d7e260d4edc61ec9ce8e2c036f316a99f96ce155e0c3e1a8fc697649c68b1eb8843365685ad63add101bca56a871cc8c42625050b4b8c05ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF3F5.exe

Filesize
15KB

MD5
3b8133ed062cd05357081661b30c9cb0

SHA1
5b458e269c181801c23636989d7623d9c243a3aa

SHA256
051343e8032281b3c3549115a5ae155c1f59cc97dfb4cc2037f422368e65ebdb

SHA512
1e5d466c0ac50a9ea4c91eba1b5095ca667ad5c57c0e70214915c709cd66e9926daef489fdeb6c2eac15a4f87d7a0ee572c28c714297e568332d47e7a0610571

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF652.exe

Filesize
15KB

MD5
49509179ed89f4b02375ec9f02ccd833

SHA1
55f9ebcd3f0ad94f6a98283afc16f02e1f650541

SHA256
b501b24fdb4e68c88bba39909d32d6004e5909c3baca2f958f37f14f1a4c0a16

SHA512
1eaaf193609aa1b8f504641090787ae07bd8f11273458ba3de5c1b297ffe75142c7c0aac9d37770bc13c6c72bbeabcf630dad706076fa76af99b73d38dd4456f

Download Submit

Analysis

Sharing