3ec4cd537105c489e5bd2081636d8684978b93e79cf1a6819280fbacc35dd9df

General

Target

eaa4ecdc85b5a1ec8f0252323c3e8c81_JaffaCakes118.exe
Size

14KB
MD5

eaa4ecdc85b5a1ec8f0252323c3e8c81
SHA1

6afcd5689e41a8323990094507d5b5ad46f0fa32
SHA256

3ec4cd537105c489e5bd2081636d8684978b93e79cf1a6819280fbacc35dd9df
SHA512

efbea2b84fd7d57b6d4f398659b75f7be58950f3a4bf3365bd236dcd0ccec39c340b30787b8b0255f557708b1ea53c0beff1412323a694e6e3e4f4c3bb94dbb0
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYJGl:hDXWipuE+K3/SSHgxmwl

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	eaa4ecdc85b5a1ec8f0252323c3e8c81_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEMA037.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEMF6D3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEM4D02.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEMA301.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEMF96E.exe

Executes dropped EXE 6 IoCs

pid	Process
4676	DEMA037.exe
4120	DEMF6D3.exe
4908	DEM4D02.exe
2656	DEMA301.exe
4012	DEMF96E.exe
1492	DEM501A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4D02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA301.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF96E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM501A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaa4ecdc85b5a1ec8f0252323c3e8c81_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA037.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF6D3.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 4676	1680	eaa4ecdc85b5a1ec8f0252323c3e8c81_JaffaCakes118.exe	90
PID 1680 wrote to memory of 4676	1680	eaa4ecdc85b5a1ec8f0252323c3e8c81_JaffaCakes118.exe	90
PID 1680 wrote to memory of 4676	1680	eaa4ecdc85b5a1ec8f0252323c3e8c81_JaffaCakes118.exe	90
PID 4676 wrote to memory of 4120	4676	DEMA037.exe	94
PID 4676 wrote to memory of 4120	4676	DEMA037.exe	94
PID 4676 wrote to memory of 4120	4676	DEMA037.exe	94
PID 4120 wrote to memory of 4908	4120	DEMF6D3.exe	96
PID 4120 wrote to memory of 4908	4120	DEMF6D3.exe	96
PID 4120 wrote to memory of 4908	4120	DEMF6D3.exe	96
PID 4908 wrote to memory of 2656	4908	DEM4D02.exe	98
PID 4908 wrote to memory of 2656	4908	DEM4D02.exe	98
PID 4908 wrote to memory of 2656	4908	DEM4D02.exe	98
PID 2656 wrote to memory of 4012	2656	DEMA301.exe	100
PID 2656 wrote to memory of 4012	2656	DEMA301.exe	100
PID 2656 wrote to memory of 4012	2656	DEMA301.exe	100
PID 4012 wrote to memory of 1492	4012	DEMF96E.exe	102
PID 4012 wrote to memory of 1492	4012	DEMF96E.exe	102
PID 4012 wrote to memory of 1492	4012	DEMF96E.exe	102

C:\Users\Admin\AppData\Local\Temp\eaa4ecdc85b5a1ec8f0252323c3e8c81_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaa4ecdc85b5a1ec8f0252323c3e8c81_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\DEMA037.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA037.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\DEMF6D3.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF6D3.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Users\Admin\AppData\Local\Temp\DEM4D02.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4D02.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4908
    - - C:\Users\Admin\AppData\Local\Temp\DEMA301.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA301.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Users\Admin\AppData\Local\Temp\DEMF96E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF96E.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\DEM501A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM501A.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4D02.exe

Filesize
14KB

MD5
69f8910cefc62193864ae132d20f3a53

SHA1
7ec2a1906ace43d2c9304967753bcfc3f3673d6e

SHA256
c8585f4b7e6f827d6a58c374b3d08d557076dc06b534132b24e2a016ad30c492

SHA512
311090e727d86eba656ac9dc857cf70d69a28e7637aa804c478f92efe6ca721f4bbb9e4050c3ec238e4751c51463d607b1adc37e11c793141f621a6a450e8141

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM501A.exe

Filesize
14KB

MD5
b17c7a6912c7f160db262cef31564e7e

SHA1
90200a9902cd7b9b8cb1d356f63d984495a51bf7

SHA256
2e00a1559d8e112d48d0d3054ce79847e626bf176b6f4e8d7cbb17f4b3c53aae

SHA512
e9db9e94bef163136bc5aba4ecf2025d8bc9976d5fb7dda89e251590c67a328ac8417fde626fc81f34b3cdd746f05cfb93414945df76f79fa5bfb3b34a7cf3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA037.exe

Filesize
14KB

MD5
6d4b1be6cc5ea1a566029b8270e990b0

SHA1
031ac7922fbd85a80719e69a3c856190c78ecac5

SHA256
1d297e497005ed3a8e7a9618e582710673b1db8355786fb3915028fb01f1060d

SHA512
dffe4e320784026cc2e6b8d8f9484cd29b4fe7e22fb3af65ce229a02ffc6e84487e473aece652e4711eecec00f7c6bb4ae7ed95ce555a789a5c214573471a04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA301.exe

Filesize
14KB

MD5
5abcd64bbc6172301fc48c926f9822c3

SHA1
454f2b7e2f33ad2a1490a060914a4b09e15a738e

SHA256
9ee4518af356cee0f9971029b2f6e1c0b516da361352c83be6bed7d57fa81dad

SHA512
59a7b71010e7ed153f97d5f060ea12d3037e7936b22fe154ba002fa7a19df3f2cc9e9532d81808fd972f1335b94b5f060f81f9cf3656db3be6690fbbf1820f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF6D3.exe

Filesize
14KB

MD5
b7f326a06ab2148d17e2871105a60edf

SHA1
f59b028366703f33e13e606f5e9f6a82164ba389

SHA256
6c41b55f99af261317a8331d6e41eb543aa5b838659eee5443d4b6b9aa6e38b6

SHA512
97601f1411213e7870e4b0df01bf64ebdae01f07092ff23aad45138429696285016cab4812446b675fc93b2832b8605b95c2c087c5b16ae91e6d554de3d9f9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF96E.exe

Filesize
14KB

MD5
de5d811f2119d7e7bd923177a294b124

SHA1
76a3677fc1b2e56767d495bd0079632461276d7f

SHA256
090644867f68987eb2fea49d881a9f80043e66db6e45bd6c4494b7086fb64211

SHA512
c329935449148a1d9690fe0a9316d066d4fe49ebde8b2f3a3e07fca1af97f00bd6542deba5539b7b5a16589811f5ab279a21449a52c07ce4a4358d936863ea25

Download Submit

Analysis

Sharing