967826854ab0e5d0a53ef9e4ee83ba97cb908651744ba10e369a99c76330f67b

General

Target

da058ca6868e8b88d5abe99bfd43e742_JaffaCakes118.exe
Size

14KB
MD5

da058ca6868e8b88d5abe99bfd43e742
SHA1

48f24ef442a77e6e1a998d484152ae1238380391
SHA256

967826854ab0e5d0a53ef9e4ee83ba97cb908651744ba10e369a99c76330f67b
SHA512

ab21d34faeffb9ebf15868e48c87cd7790e439478b0fbeb7aeff04d15a341b9e254487ca67bb643a91f470f39cb49771f4da08e81e886bb72cf1114212989e27
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlz9:hDXWipuE+K3/SSHgxmlh

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	da058ca6868e8b88d5abe99bfd43e742_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEM8ACB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEME196.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEM3822.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEM8E41.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEME46F.exe

Executes dropped EXE 6 IoCs

pid	Process
2552	DEM8ACB.exe
3728	DEME196.exe
2472	DEM3822.exe
3472	DEM8E41.exe
2948	DEME46F.exe
2976	DEM3B0B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8E41.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME46F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3B0B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da058ca6868e8b88d5abe99bfd43e742_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8ACB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME196.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3822.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 2552	4608	da058ca6868e8b88d5abe99bfd43e742_JaffaCakes118.exe	95
PID 4608 wrote to memory of 2552	4608	da058ca6868e8b88d5abe99bfd43e742_JaffaCakes118.exe	95
PID 4608 wrote to memory of 2552	4608	da058ca6868e8b88d5abe99bfd43e742_JaffaCakes118.exe	95
PID 2552 wrote to memory of 3728	2552	DEM8ACB.exe	99
PID 2552 wrote to memory of 3728	2552	DEM8ACB.exe	99
PID 2552 wrote to memory of 3728	2552	DEM8ACB.exe	99
PID 3728 wrote to memory of 2472	3728	DEME196.exe	101
PID 3728 wrote to memory of 2472	3728	DEME196.exe	101
PID 3728 wrote to memory of 2472	3728	DEME196.exe	101
PID 2472 wrote to memory of 3472	2472	DEM3822.exe	103
PID 2472 wrote to memory of 3472	2472	DEM3822.exe	103
PID 2472 wrote to memory of 3472	2472	DEM3822.exe	103
PID 3472 wrote to memory of 2948	3472	DEM8E41.exe	105
PID 3472 wrote to memory of 2948	3472	DEM8E41.exe	105
PID 3472 wrote to memory of 2948	3472	DEM8E41.exe	105
PID 2948 wrote to memory of 2976	2948	DEME46F.exe	107
PID 2948 wrote to memory of 2976	2948	DEME46F.exe	107
PID 2948 wrote to memory of 2976	2948	DEME46F.exe	107

C:\Users\Admin\AppData\Local\Temp\da058ca6868e8b88d5abe99bfd43e742_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da058ca6868e8b88d5abe99bfd43e742_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Users\Admin\AppData\Local\Temp\DEM8ACB.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8ACB.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\DEME196.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME196.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Users\Admin\AppData\Local\Temp\DEM3822.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3822.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Users\Admin\AppData\Local\Temp\DEM8E41.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8E41.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3472
      - C:\Users\Admin\AppData\Local\Temp\DEME46F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME46F.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\DEM3B0B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3B0B.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3822.exe

Filesize
14KB

MD5
ad34b310387f779eb841f5dd08b5b7ed

SHA1
029d86be41adec5f949a67045b7230e9b43cb77f

SHA256
f03794672f1602cc396300da86a87753287427d01a07c5b1c82c3cf4347a8bfe

SHA512
bf616f3be62aca54a88db3ddc3dcbd643b03f316c3954e27f0dc6ac4f5e484614832a39579283a70ab5b7a36ccf318f055c2fa61bfd1ac2f7da0cfcc9bb6c131

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3B0B.exe

Filesize
15KB

MD5
817516feb6f1d1e29b1d9a9bce6ea082

SHA1
4dee39a5171a390a1b9fd56b7e5a2b784197db3b

SHA256
66ea2849f6f060d05623babfc416a235c6618f138c84ff9ef15f106afa5cec1e

SHA512
3bfdd5af4ff5c14cadf14ed0808dbd191e85a774d2d43f0b123f4495f4e98b39b420689caba39f44565fa9616ba5fbefcdb4bcace7c2403f9d8043210234c70e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8ACB.exe

Filesize
14KB

MD5
ca4ab646bf9bc8093dd091732d518af5

SHA1
1fd45ac6ecefadcdeab763d8095fae069c646f1d

SHA256
219e6dd37bb6715f6529b4deff1af44a61a4b6a721786b392fb46d2d54076f6b

SHA512
1cecef865e4a50980b3cc4cfa1c0d28e7cb3a74b1479c09e9a6e6486c7f0b5b1aeee7e753228685adbe60411b2c76b3405502b81de87f7ea9a382f6c20c8de08

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8E41.exe

Filesize
14KB

MD5
2b1dc7a0c72d6134bd2a687fb0244df7

SHA1
f68bef079e6f289f413372beb907e33b19eea123

SHA256
10b6ba92db98cf1192c7b09afc704f2611f5ec1e6520dd3469f374f0560b56db

SHA512
0c6d3fb2a7258c38d06ce6d9cef4abd624eaba85b2bd8a7513f32b5fcace8076cce974d6b6ec8ebf8ee247327feeca2abca56589292663193718aee2f1fbf875

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME196.exe

Filesize
14KB

MD5
6d9ae240c5104373040d4a489514afeb

SHA1
e478278ea1c9ef00025dc941159799d46b37275b

SHA256
c75a0051fe934d6af44b7bcc701179af6fb7c9969b32e5321445fa62a239549c

SHA512
e02f2db4d3a3b808d0c8e3c19a6175f474f4059cf6010999f316848bf85a0d71fdc02d4d0d4a87deb384a6f193787e3abce269b9fa9ef1482a5a2b63d2c72627

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME46F.exe

Filesize
15KB

MD5
86b3a1a11fa42e6b22600a3182faf1b6

SHA1
04b52fefbfc41b61d524711235e41b2911c9333d

SHA256
e5c657b1f95783d8b0c8a46b2c7178087adf3a714611cbec2da722c64321d29d

SHA512
db9306bfb471e581294ed4871d7cb0180d6109cf63603ec99773ead85950e656d74cf82bb7b11633f7972256c919bab45035f6fe4309cb2b1d9fdcc3faec3eb5

Download Submit

Analysis

Sharing