b3f7cf0373dd448b4bbd47d1bc21ca470697faa12053e061d873101b865ba761

General

Target

eac55a7dba53a3ca40b4c83a7fcf4923_JaffaCakes118.exe
Size

15KB
MD5

eac55a7dba53a3ca40b4c83a7fcf4923
SHA1

bb3100a8d6ac07b8a5e4969853736b0dad511713
SHA256

b3f7cf0373dd448b4bbd47d1bc21ca470697faa12053e061d873101b865ba761
SHA512

18b582f04dc863686abedb8c764ee9811d4dac8352cf4e9f72f719eeb956535d1732eeb1ae620b0a33450e8942f982e48b7548ccdbdc3a8bddb04bfc4ec1e118
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYll:hDXWipuE+K3/SSHgxmll

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEMBED6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM1524.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	eac55a7dba53a3ca40b4c83a7fcf4923_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEMBBDE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM1299.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM6898.exe

Executes dropped EXE 6 IoCs

pid	Process
1516	DEMBBDE.exe
1068	DEM1299.exe
2260	DEM6898.exe
2568	DEMBED6.exe
4492	DEM1524.exe
4364	DEM6B62.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBED6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1524.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6B62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac55a7dba53a3ca40b4c83a7fcf4923_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBBDE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6898.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 1516	400	eac55a7dba53a3ca40b4c83a7fcf4923_JaffaCakes118.exe	90
PID 400 wrote to memory of 1516	400	eac55a7dba53a3ca40b4c83a7fcf4923_JaffaCakes118.exe	90
PID 400 wrote to memory of 1516	400	eac55a7dba53a3ca40b4c83a7fcf4923_JaffaCakes118.exe	90
PID 1516 wrote to memory of 1068	1516	DEMBBDE.exe	94
PID 1516 wrote to memory of 1068	1516	DEMBBDE.exe	94
PID 1516 wrote to memory of 1068	1516	DEMBBDE.exe	94
PID 1068 wrote to memory of 2260	1068	DEM1299.exe	96
PID 1068 wrote to memory of 2260	1068	DEM1299.exe	96
PID 1068 wrote to memory of 2260	1068	DEM1299.exe	96
PID 2260 wrote to memory of 2568	2260	DEM6898.exe	98
PID 2260 wrote to memory of 2568	2260	DEM6898.exe	98
PID 2260 wrote to memory of 2568	2260	DEM6898.exe	98
PID 2568 wrote to memory of 4492	2568	DEMBED6.exe	100
PID 2568 wrote to memory of 4492	2568	DEMBED6.exe	100
PID 2568 wrote to memory of 4492	2568	DEMBED6.exe	100
PID 4492 wrote to memory of 4364	4492	DEM1524.exe	102
PID 4492 wrote to memory of 4364	4492	DEM1524.exe	102
PID 4492 wrote to memory of 4364	4492	DEM1524.exe	102

C:\Users\Admin\AppData\Local\Temp\eac55a7dba53a3ca40b4c83a7fcf4923_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac55a7dba53a3ca40b4c83a7fcf4923_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\DEMBBDE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMBBDE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\DEM1299.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1299.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Users\Admin\AppData\Local\Temp\DEM6898.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6898.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Users\Admin\AppData\Local\Temp\DEMBED6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBED6.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Users\Admin\AppData\Local\Temp\DEM1524.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1524.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\DEM6B62.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6B62.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1299.exe

Filesize
15KB

MD5
41d4994465154a6663fe56e4b411782a

SHA1
ff232aefb082ffde5c9dbda86c5b5567096fb652

SHA256
d0260fece4f4803b6c149f8fa83df7bbd7175eb6303651c8e5c7ee0d0d1079c9

SHA512
a83170b8e3285ad40b799a707c93a4e9586fb02f74ebcafe3cd5efc93241e8318d1815c11cf93ee661f345aaec80c5b2c6b27c6c015fc666ed0e780552c7090a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1524.exe

Filesize
15KB

MD5
a3bcccec918cec650596a9483fdd97d8

SHA1
8cb8625bbba4f7fd4161682874b22daf4696c064

SHA256
36af427f5447d0d78c0ab57cb0ca3c6f7a0fe4ac23d51b224c55bb9a3fd85871

SHA512
b91bd2a2c956564346d51610e679e1a5104deae9351a255806749b66f8605ecbeb9fdcc33c28f5d27884682b0c88f9cddac630471e5c24dc51ccca4cb0da29a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6898.exe

Filesize
15KB

MD5
2edf014b1fd2a94e78e265ab226384ab

SHA1
6d3d7851394d5fc82be8a91b21a1d4b3c0a5b0a5

SHA256
582bb3af4eb732b7a63c0cd776f045f348e5c0dc3d3b1ed707b4d2cd8b332cad

SHA512
7449679982d966795671c54b9b1867cb2554fd0b0ea062ccc56ee5ca2fb9bab91360413b2bbaa15ddd457321c63a281a3099cf1aeb013d5daf0bd7371606e6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6B62.exe

Filesize
15KB

MD5
52850446519e5afb2b71c2ebfff2908f

SHA1
54aa8dab46f4b85378ac6773644a3ef118d787b9

SHA256
a6e1e1d5858570981135f1d425a1f820b297e286fca95e59f640ae756a9f3870

SHA512
547a742f38caea7883fe59274537836b0427019ed1e5b91ad79931dab1c0f8f99f51c7c704f88741039f06c5daca766200efee6e3bfbc01ded5a7fb2d274e955

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBBDE.exe

Filesize
15KB

MD5
efcc7d8d6d13ef255e02149126983b32

SHA1
fb906cff4aa4ef6fa4088b436f9e26433e459060

SHA256
b825b1d657f691a36384634115c3bddcb3659c77be479f39647ad3b193072c00

SHA512
12b1afa300a426c1ca06563ad0bf760bd2a26fa2fa135c8a653e1402ba0c7163b89cac612c52293f781f76f0acd2b27e733d2cc81fa6436d822aaa9905d81176

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBED6.exe

Filesize
15KB

MD5
013c496b2a80d473d0468cacd51b8b02

SHA1
5374ba5d82bd6bde3bb8206b20cd42446e3e5382

SHA256
daade795f5b1d724b5346bf0489e6e2af9d2419ad9b8496d5341af0d36bbd0c4

SHA512
4b6e63f97621696532fbb997cc4ea17cd9cf0bffd245406f06ac70323243087aefc6501150103a4e9987c78dd7da55c9fb7d025fbb11d15c0323d5b3984fb323

Download Submit

Analysis

Sharing