33243365f62724030bcee32fb4499dd7b0b8482e1bef62120b52e84cb1b8619e

General

Target

d47787cf92893be66e4f298d8a2886de_JaffaCakes118.exe
Size

14KB
MD5

d47787cf92893be66e4f298d8a2886de
SHA1

6d6ab2a80863ec5812b7edecb1c103d28efaedd6
SHA256

33243365f62724030bcee32fb4499dd7b0b8482e1bef62120b52e84cb1b8619e
SHA512

4f1dbce05a8e1e2db71c07ee1681e0a1332b03f0320f0b769c732bc0a1912bb1e30e1cc21a30cf11dd7126d9ae71e352014c52b1c4d332dfe8c0f2f083f25a15
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRs:hDXWipuE+K3/SSHgxQ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEMF306.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	d47787cf92893be66e4f298d8a2886de_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEM9A4C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEMF0A9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEM46A9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEM9CC8.exe

Executes dropped EXE 6 IoCs

pid	Process
2844	DEM9A4C.exe
2500	DEMF0A9.exe
2600	DEM46A9.exe
2096	DEM9CC8.exe
1216	DEMF306.exe
1412	DEM4934.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4934.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d47787cf92893be66e4f298d8a2886de_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9A4C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF0A9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM46A9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9CC8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF306.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2844	2736	d47787cf92893be66e4f298d8a2886de_JaffaCakes118.exe	99
PID 2736 wrote to memory of 2844	2736	d47787cf92893be66e4f298d8a2886de_JaffaCakes118.exe	99
PID 2736 wrote to memory of 2844	2736	d47787cf92893be66e4f298d8a2886de_JaffaCakes118.exe	99
PID 2844 wrote to memory of 2500	2844	DEM9A4C.exe	103
PID 2844 wrote to memory of 2500	2844	DEM9A4C.exe	103
PID 2844 wrote to memory of 2500	2844	DEM9A4C.exe	103
PID 2500 wrote to memory of 2600	2500	DEMF0A9.exe	105
PID 2500 wrote to memory of 2600	2500	DEMF0A9.exe	105
PID 2500 wrote to memory of 2600	2500	DEMF0A9.exe	105
PID 2600 wrote to memory of 2096	2600	DEM46A9.exe	107
PID 2600 wrote to memory of 2096	2600	DEM46A9.exe	107
PID 2600 wrote to memory of 2096	2600	DEM46A9.exe	107
PID 2096 wrote to memory of 1216	2096	DEM9CC8.exe	109
PID 2096 wrote to memory of 1216	2096	DEM9CC8.exe	109
PID 2096 wrote to memory of 1216	2096	DEM9CC8.exe	109
PID 1216 wrote to memory of 1412	1216	DEMF306.exe	111
PID 1216 wrote to memory of 1412	1216	DEMF306.exe	111
PID 1216 wrote to memory of 1412	1216	DEMF306.exe	111

C:\Users\Admin\AppData\Local\Temp\d47787cf92893be66e4f298d8a2886de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d47787cf92893be66e4f298d8a2886de_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\DEM9A4C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9A4C.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\DEMF0A9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF0A9.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\DEM46A9.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM46A9.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Users\Admin\AppData\Local\Temp\DEM9CC8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9CC8.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Users\Admin\AppData\Local\Temp\DEMF306.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF306.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\DEM4934.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4934.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM46A9.exe

Filesize
14KB

MD5
0738ff68116645e3ae723755e1618b01

SHA1
69273a2ddc022ed81a18935c22b4a26ad0819fa5

SHA256
b8387633a4505c4e214de5f5dc7b92802a09a9982dd8280baac880c9fd4ea40e

SHA512
29b6d21f990aa75fb3f1f90f62e85d410f6b8619000778c456a80f88d3f92599dfaf5f3fb23df3173a5b3caa7825e15e18735cfed06999330417e95b4e4d454c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4934.exe

Filesize
14KB

MD5
b7e399a3a92f82db2aa222bdd25caa9b

SHA1
4116642bd7f246fdad0bce0e0f8ea3f6e10a8295

SHA256
a898773dbc02992a750a162d9d14399ddbf078a3df0910295a8c1aaa11cdff08

SHA512
35ff53faea5776ceaf996fe7458575dadcd10c643e16ef2a542d7dd9e73c32a3a8a6d12fc39f58ea2b6d7837ea0be2e1b50ca33ba68227a048b5fd405700f825

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9A4C.exe

Filesize
14KB

MD5
4fae0cf53eec25098df8d0433db4e4e8

SHA1
c1e674d13d9b4e789cfbcbd8c3c81e2ad30896fe

SHA256
a88b5e391387897e7e6816b1763f46b7082144637052f0824ef1b7148c56dbdd

SHA512
756abead5df3a39efc51832eac78abdce38d35b4e06f01dd2ff01b1f5c213be58b3bc9719cfdd3965d106e0b5ab635106b237786c009f0e6e5e20aed4a4cfc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9CC8.exe

Filesize
14KB

MD5
f14cdebf9619c2809edaec4fd9c655de

SHA1
a45be6d9f9fa8124dfe13bb1cbb9d5be3c8a3bc9

SHA256
2cba525af8ce0f9322b916b1c97756a71a76e25d6090f8decdfa5068d4290fa3

SHA512
a419bcf599d508ad4a576ac42d42967c6431fcccfda052f16691adfe2da36a90c6913d36484d742cf172c380f994e8b59c2f3421f503f721b8dce747cbfbc47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF0A9.exe

Filesize
14KB

MD5
50292d5b5167c18988f530c17b8683ca

SHA1
3f59368bdd854f6a6f0610e75469033605ae870e

SHA256
e30c2b594999f4f55d947097b9406603d28b737518749c7295f596231b6a6988

SHA512
e85e1f2668054ee31e1a874bb01ef8bac28684c26f8a07b9d476effd54e34f4a6c0c09a2de7af40c966a42495d7bae530ab4471aa273ae60048b374c71b7706a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF306.exe

Filesize
14KB

MD5
d40b424d81f572adfa1b67656e5ab797

SHA1
758a4837fd8a37ac2a161ae15797f6298a483200

SHA256
cd109e1257b36d53c0de0f9debb051d131c2b04d2c9a51a199a855ff95a9e8b3

SHA512
e85bdbc699803be828c2f891c7a232bd217513d834bcd87789dce33c30542cb527aded52eec56f5971d0e244dddd827c6fbb7d77e1ed79bd7ae23488f1d33fb9

Download Submit

Analysis

Sharing