e66f6ab3e0630d6880bb5e21e7b8a7b6eebfea17465dec7821cdc363cbbb84d0

General

Target

dbb85b9244959b5360d72fc0346fdcf6_JaffaCakes118.exe
Size

14KB
MD5

dbb85b9244959b5360d72fc0346fdcf6
SHA1

f6c336be718869709391893ee991e8c61c66db61
SHA256

e66f6ab3e0630d6880bb5e21e7b8a7b6eebfea17465dec7821cdc363cbbb84d0
SHA512

f7e209a421cdd340f64b47677c41bb14d427c59d73700dba5734daaf67a6e804a364d20127bfd5b7fdf148aa8a9f492c10bdc59cdf7a3f213014132fef7e5efd
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/wj:hDXWipuE+K3/SSHgxm/4

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM5CB1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEMB33E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM96C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	dbb85b9244959b5360d72fc0346fdcf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEMAFF7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM693.exe

Executes dropped EXE 6 IoCs

pid	Process
4500	DEMAFF7.exe
2152	DEM693.exe
3520	DEM5CB1.exe
4488	DEMB33E.exe
208	DEM96C.exe
5052	DEM5F4D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM693.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5CB1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB33E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM96C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5F4D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbb85b9244959b5360d72fc0346fdcf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAFF7.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 4500	3604	dbb85b9244959b5360d72fc0346fdcf6_JaffaCakes118.exe	97
PID 3604 wrote to memory of 4500	3604	dbb85b9244959b5360d72fc0346fdcf6_JaffaCakes118.exe	97
PID 3604 wrote to memory of 4500	3604	dbb85b9244959b5360d72fc0346fdcf6_JaffaCakes118.exe	97
PID 4500 wrote to memory of 2152	4500	DEMAFF7.exe	101
PID 4500 wrote to memory of 2152	4500	DEMAFF7.exe	101
PID 4500 wrote to memory of 2152	4500	DEMAFF7.exe	101
PID 2152 wrote to memory of 3520	2152	DEM693.exe	103
PID 2152 wrote to memory of 3520	2152	DEM693.exe	103
PID 2152 wrote to memory of 3520	2152	DEM693.exe	103
PID 3520 wrote to memory of 4488	3520	DEM5CB1.exe	105
PID 3520 wrote to memory of 4488	3520	DEM5CB1.exe	105
PID 3520 wrote to memory of 4488	3520	DEM5CB1.exe	105
PID 4488 wrote to memory of 208	4488	DEMB33E.exe	107
PID 4488 wrote to memory of 208	4488	DEMB33E.exe	107
PID 4488 wrote to memory of 208	4488	DEMB33E.exe	107
PID 208 wrote to memory of 5052	208	DEM96C.exe	109
PID 208 wrote to memory of 5052	208	DEM96C.exe	109
PID 208 wrote to memory of 5052	208	DEM96C.exe	109

C:\Users\Admin\AppData\Local\Temp\dbb85b9244959b5360d72fc0346fdcf6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbb85b9244959b5360d72fc0346fdcf6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Users\Admin\AppData\Local\Temp\DEMAFF7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMAFF7.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Users\Admin\AppData\Local\Temp\DEM693.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM693.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Users\Admin\AppData\Local\Temp\DEM5CB1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5CB1.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3520
    - - C:\Users\Admin\AppData\Local\Temp\DEMB33E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB33E.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4488
      - C:\Users\Admin\AppData\Local\Temp\DEM96C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM96C.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\DEM5F4D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5F4D.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5CB1.exe

Filesize
14KB

MD5
8d7e81445b92f30c0af30ed432a4a90a

SHA1
adcfae1d6a56aa44d6310f5a4e1a6032e717f767

SHA256
6a535f3f4fed19f2cabd28e48581ce836b30a7f5c6a5f29d89a2f92c375d70e3

SHA512
5a7eaa4ebede9872530f8b7739047dc635b60dbd28eba47f304320ace30499bb78bf148521b6a6a41b7e4d3dddb1bf4d411f78cfd50525e969930c1cea8756fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5F4D.exe

Filesize
14KB

MD5
af013d098d4505172aba742d6288a15a

SHA1
05fd5c7260bca847b1c7b934dafd610f0050da9f

SHA256
3763e539cb5bc5ada3192f49d4cc9b460b54f8e64bf109f94b70c86b8a54454e

SHA512
bfdb5cee99bfddce2c65d435c9d829b98f966a16518148198f673917357cd209db3e3c6d5c473465ca89180519ef5ea5035184f904eac945b743d0e019db8f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM693.exe

Filesize
14KB

MD5
28f03125c9d8a269515e782da88bc78b

SHA1
42d9077eeb7edd8c0516304d9b21bdc536a1ec13

SHA256
7ea71d6d65332f44658c04e6feae29806fd2893c6ccbb426a4f03f8ff03ca973

SHA512
f9809392008f0732b32d7b007a15b8c0d068a13a38628d7bc3136da6d8fd67f3a8fd83774e64bb47d0aacbdbfb4315d84624deb5537548053f937a592141e345

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM96C.exe

Filesize
14KB

MD5
e28bfc94e04c6f16ce2c7bd5a6370bcc

SHA1
bcf699c675dd82b6b34f43cd3b3e41be7a1232bb

SHA256
b95c17e61d12b7110b26cb216ed6d3f2b1d1078bd03f02f4d10ec51ca6b63a05

SHA512
c52733b5f30909568c7c579b1cae142a982f84b66e71dc2162e031a1ef09be327560cb004e3f5071c1f66eb43681e31ce8661642a07da3b17ff1e05692430f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAFF7.exe

Filesize
14KB

MD5
b67d00e6fcb8992acb73085f85bf1fd1

SHA1
09cf9bf943586c6a655b0eda2567b0f0c2d3fb5b

SHA256
4f3ccf5b688fcee7288fcb5a8256b0388465ba0eb870c0682c3cef4183e81b6e

SHA512
e261e23dc4ef0ad4ada7e785ba9041cf290991534463581598cd186d893e26bdef39abbf2800173e314407bb5774d299a6cdb18624211c19b36e2082af4385a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB33E.exe

Filesize
14KB

MD5
be8baca44042f18171032455acf5c71a

SHA1
5f2d292f760e0bf9ade4111f9cc615ab2d98e3a3

SHA256
36d055e60f1a98e2fc4c1bd06f02c98806827424a6eaa038c3439455bd74d39c

SHA512
db865c839694523209d04d828bea0ceb13ea9b9a31e31771e0108a749def8729b56f2df6993de01c8d41466f342c1197860cbe9969a731ba5e8d606ef2e04c0d

Download Submit

Analysis

Sharing