2b22fe039d34145904cecd287751273775c4aa7a8fed803709f7885659304527

General

Target

eb4ca29d76d0a2bc23ef274053fe763c_JaffaCakes118.exe
Size

14KB
MD5

eb4ca29d76d0a2bc23ef274053fe763c
SHA1

a8d3f34836cc17aa62f310fe95550f59a2a3ad10
SHA256

2b22fe039d34145904cecd287751273775c4aa7a8fed803709f7885659304527
SHA512

345dfbc81dba5f44c036c7a20a6bce898b94fae244b1f8ada434fc1b22186259279bdc70d8ed7e166a7c0a44fb48741ebd85bd6bd2dfdc726f5d2d37abb9acab
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhWx:hDXWipuE+K3/SSHgxcx

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	eb4ca29d76d0a2bc23ef274053fe763c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEMB621.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEMD1A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEM6359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEMB968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEMF77.exe

Executes dropped EXE 6 IoCs

pid	Process
2304	DEMB621.exe
1632	DEMD1A.exe
3392	DEM6359.exe
5092	DEMB968.exe
1616	DEMF77.exe
2996	DEM6596.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD1A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB968.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6596.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb4ca29d76d0a2bc23ef274053fe763c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB621.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 2304	392	eb4ca29d76d0a2bc23ef274053fe763c_JaffaCakes118.exe	90
PID 392 wrote to memory of 2304	392	eb4ca29d76d0a2bc23ef274053fe763c_JaffaCakes118.exe	90
PID 392 wrote to memory of 2304	392	eb4ca29d76d0a2bc23ef274053fe763c_JaffaCakes118.exe	90
PID 2304 wrote to memory of 1632	2304	DEMB621.exe	94
PID 2304 wrote to memory of 1632	2304	DEMB621.exe	94
PID 2304 wrote to memory of 1632	2304	DEMB621.exe	94
PID 1632 wrote to memory of 3392	1632	DEMD1A.exe	96
PID 1632 wrote to memory of 3392	1632	DEMD1A.exe	96
PID 1632 wrote to memory of 3392	1632	DEMD1A.exe	96
PID 3392 wrote to memory of 5092	3392	DEM6359.exe	98
PID 3392 wrote to memory of 5092	3392	DEM6359.exe	98
PID 3392 wrote to memory of 5092	3392	DEM6359.exe	98
PID 5092 wrote to memory of 1616	5092	DEMB968.exe	100
PID 5092 wrote to memory of 1616	5092	DEMB968.exe	100
PID 5092 wrote to memory of 1616	5092	DEMB968.exe	100
PID 1616 wrote to memory of 2996	1616	DEMF77.exe	102
PID 1616 wrote to memory of 2996	1616	DEMF77.exe	102
PID 1616 wrote to memory of 2996	1616	DEMF77.exe	102

C:\Users\Admin\AppData\Local\Temp\eb4ca29d76d0a2bc23ef274053fe763c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb4ca29d76d0a2bc23ef274053fe763c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\DEMB621.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB621.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Users\Admin\AppData\Local\Temp\DEMD1A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD1A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\DEM6359.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6359.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3392
    - - C:\Users\Admin\AppData\Local\Temp\DEMB968.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB968.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5092
      - C:\Users\Admin\AppData\Local\Temp\DEMF77.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF77.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\DEM6596.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6596.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6359.exe

Filesize
14KB

MD5
31da9924cb79b9b3795530df4129e2c5

SHA1
6f26be0dffc775071c5645fbcb803ce05bb6ff45

SHA256
b8cda51a679679e0422ebdd51e824cb1c6d9818655076826d0d6752ec61dbc3a

SHA512
e6b2c63ee62d1571f83f5d9e23b59210ba371d33f6a8690b2e8f6fc62191f307128c9bc697c7ecf9ce902e5d9c336ac14932f8ed2e4b35e7f985ff9c479446f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6596.exe

Filesize
14KB

MD5
7df724d582ded4d93e2eb15641ea55f1

SHA1
f17c54183bbbbebfdd78fddf6ee458a070f67248

SHA256
4a75209cc5d02492b261759458e27ee547f8e63a460f8b0fa8a566a18292da2f

SHA512
2d9d51908373f98f8c45053b426257fa6231cf3d1d2e06f943cd071d9f6d81604f4b580948b252b9088877bbf48553a1db720af763f7277baa3e34c61e8ea0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB621.exe

Filesize
14KB

MD5
892b3d9ea2e55e3d5d93f498c684846a

SHA1
356ec9b43527611796959452e6d50bac38537f12

SHA256
1d978a095a447a31769b93a6f8465dec42cfc46a3893f4d2368c728f39cf9279

SHA512
fc5e51c6f720618532408449fd7d12c335932c6017511824645359b154becd020de0b295f9d86d0453d06ef6780e85b2daf40e144510ab68c240f45a4f4fe0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB968.exe

Filesize
14KB

MD5
833e5a4c301a05325d9132640319c273

SHA1
f1327b8ca37218c764e0cd6ab894d7f88a864de2

SHA256
d37fc6f4aea8b4422d531e84b255e2fe77fed9dc9e5f4706791a23f73231923a

SHA512
16a036f0f4193797648b5addf344a31c529dd672b4db12cce345ef96302faa84d0d708ab3f1f3f8eb29b592367060071a9e988044cfe4f848409b94e9747a6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD1A.exe

Filesize
14KB

MD5
4076000397bceef26a189b4b82e8f298

SHA1
a38df1968edf7c369c9bef4c8f21f480cf547441

SHA256
3a1066483afc4c75ce6d67ba71b84c8a77382c6e9f725fc24abc5810170e1d92

SHA512
d74f42383c35179870b48449e259089f577943c23aaa4e7fa98171f0377f1ae5ae6bea5edb966edf88ff65d6ba4ccf859a96255b107ba47286830064892dc49a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF77.exe

Filesize
14KB

MD5
64693afa625d3ed09e7c391a6a99a685

SHA1
78586fcc4332dfa1c92ba9c29ecf3e9d814d96d7

SHA256
8b6a95e4c7a0e6e67a6a81a00846c4d027093808c5fa37a493a54f28873aba93

SHA512
7b00ee960bd56b78f8cb9d433db40e131c6b0b75a05f4ebe2bbc6abab40c0516adee75b124e6c5d56334b4468cc14bf893322aa45312da1d6affe98204ec757d

Download Submit

Analysis

Sharing