beff6663477809d0d4396b7324315ab4347bcc3a589dc8159065469d97a113e5

General

Target

d08cb2d1c9ac7ca15a3cf22fa3e4c8c9_JaffaCakes118.exe
Size

15KB
MD5

d08cb2d1c9ac7ca15a3cf22fa3e4c8c9
SHA1

7e4983d30e8ea2262c3b5a93c94a206aa9390a95
SHA256

beff6663477809d0d4396b7324315ab4347bcc3a589dc8159065469d97a113e5
SHA512

35cfeaa39a5594dc7f7f591e8768d9aab90b2b3add285392e01a98fc09e480f76a2f238e21bb2190b312e34ad560bd97d83eb7a163d3eaed3950a80afbddb899
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYKB2Hc:hDXWipuE+K3/SSHgxmKE8

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	d08cb2d1c9ac7ca15a3cf22fa3e4c8c9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEMA19F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEMF8A8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEM4F44.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEMA553.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEMFBDF.exe

Executes dropped EXE 6 IoCs

pid	Process
1328	DEMA19F.exe
2960	DEMF8A8.exe
2964	DEM4F44.exe
2584	DEMA553.exe
2852	DEMFBDF.exe
4848	DEM522D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM522D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d08cb2d1c9ac7ca15a3cf22fa3e4c8c9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA19F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF8A8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4F44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA553.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFBDF.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1328	2208	d08cb2d1c9ac7ca15a3cf22fa3e4c8c9_JaffaCakes118.exe	95
PID 2208 wrote to memory of 1328	2208	d08cb2d1c9ac7ca15a3cf22fa3e4c8c9_JaffaCakes118.exe	95
PID 2208 wrote to memory of 1328	2208	d08cb2d1c9ac7ca15a3cf22fa3e4c8c9_JaffaCakes118.exe	95
PID 1328 wrote to memory of 2960	1328	DEMA19F.exe	99
PID 1328 wrote to memory of 2960	1328	DEMA19F.exe	99
PID 1328 wrote to memory of 2960	1328	DEMA19F.exe	99
PID 2960 wrote to memory of 2964	2960	DEMF8A8.exe	101
PID 2960 wrote to memory of 2964	2960	DEMF8A8.exe	101
PID 2960 wrote to memory of 2964	2960	DEMF8A8.exe	101
PID 2964 wrote to memory of 2584	2964	DEM4F44.exe	103
PID 2964 wrote to memory of 2584	2964	DEM4F44.exe	103
PID 2964 wrote to memory of 2584	2964	DEM4F44.exe	103
PID 2584 wrote to memory of 2852	2584	DEMA553.exe	105
PID 2584 wrote to memory of 2852	2584	DEMA553.exe	105
PID 2584 wrote to memory of 2852	2584	DEMA553.exe	105
PID 2852 wrote to memory of 4848	2852	DEMFBDF.exe	107
PID 2852 wrote to memory of 4848	2852	DEMFBDF.exe	107
PID 2852 wrote to memory of 4848	2852	DEMFBDF.exe	107

C:\Users\Admin\AppData\Local\Temp\d08cb2d1c9ac7ca15a3cf22fa3e4c8c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d08cb2d1c9ac7ca15a3cf22fa3e4c8c9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\DEMA19F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA19F.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Users\Admin\AppData\Local\Temp\DEMF8A8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF8A8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\DEM4F44.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4F44.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Users\Admin\AppData\Local\Temp\DEMA553.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA553.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Users\Admin\AppData\Local\Temp\DEMFBDF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFBDF.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\DEM522D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM522D.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4F44.exe

Filesize
15KB

MD5
79a7db0cd1ebb6068fb30cdb104e8cf0

SHA1
58a9b67edfe1c5cfd1b92297ff7d78d87ddbde15

SHA256
063053776d33bb25f768f26a895db7b4d4e35d705bf9bae2a22527b6f4d8f092

SHA512
706a059f7a1637fa626375aa9f76e7bd60e7ae3ef3b8f6dc8555774b8c2a64912edcd9e99cd5fc2b349b085ae00ab71901ae906135a24095f6e6bed470fec85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM522D.exe

Filesize
15KB

MD5
7520eb172da6fa4c69178984ecd3972a

SHA1
90f15388c8b7951057a6370d9ef64720b54539e4

SHA256
96067e0e9fc08d00f7cab97deaa6fe7325c441e8b894e8479650e6509df75af5

SHA512
5f6994689faffa2af8db1276c59541c5c94d489bcf325fe38888af0a64611dea64bd31962fb17e286c5e67280decb95de36ba7bbb52dfa4a00ea9e0ad4a8eaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA19F.exe

Filesize
15KB

MD5
6f2dedf8a46469eacd4987e6b7c30932

SHA1
481aaaa165076a8346ac148e7e7e29f6681afb53

SHA256
d92ebdfbb90a30fcbb4fe47862c2655dd884892d1c5a393b56fb69511113a612

SHA512
d46ff916e3dd49e706de78045e64202ec9aeb8dbb647688c1d13ff29adb5ee90e7ca6f151b6df128f490d065d66bf33472249b42404223e805e52bebf3b5e0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA553.exe

Filesize
15KB

MD5
4437284c660cd1fa3623c136a45ac5a9

SHA1
3dbfadafcca3f8738fb92d00ef68b441fc888164

SHA256
7caa3d7b892c3d9f86dfa61c87e871f73e05d3d3a049ca5918be782f603ad143

SHA512
a2d3851f0539267792d723ef21927acfaa4dac261e5b279119159fd1f1f4cddf48942ec65d924c5f905a03600db3aadc89115e8e23fcb1468953efe87d205a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF8A8.exe

Filesize
15KB

MD5
1ef36166bc976428172b72ad53038ef4

SHA1
479292fe4e0698b9e8071f52f2122b5c1a922d3d

SHA256
801bcd3891ca3f7338389bde34d54da2c5c3ab99a4d98e796049824b69a9736c

SHA512
aa6f1119913a52b88df53a0bb9de32e858ce24b3c260b8b369bbcb90d52db9dc31cf33f5d8737301c5efabf3fd1338564dc1422082d084a27782b80f59be720d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFBDF.exe

Filesize
15KB

MD5
50a5312086c21a82ffa9d5e0cf4d2acf

SHA1
cf27ffbf5c879aa4e018be9fc8f96382fa23a9a1

SHA256
e31b94635128dec40d8ff64fc128e10ceda28380b7d3d087d6e4a264801937a5

SHA512
0f7040c46d5f6f153fd16a022e70b28b0e7b6eb4971b71caa3d74b39cfa04c3cc4a6926c00bb906a18bc1efeb817d6a443dc0c4e4871cad42c821f6250bbb243

Download Submit

Analysis

Sharing