f3cf351568ea15b9c2cba274682c5263c69442fd733dc6cb575d3dd70bbd6747

General

Target

fdcc334a91c4bf26441f6767522d25b2_JaffaCakes118.exe
Size

14KB
MD5

fdcc334a91c4bf26441f6767522d25b2
SHA1

0438f9ed3044caba52a855c6573f48d88b142496
SHA256

f3cf351568ea15b9c2cba274682c5263c69442fd733dc6cb575d3dd70bbd6747
SHA512

855068196e1b26a55e994f6736eef0ef253ecbf3019bb6f539eafbfa8c4957509f907eb5e7ab770e7fca670376c343594f3c8ac7c9fb31f4911d2fdb0b694325
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY41T:hDXWipuE+K3/SSHgxmyT

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	fdcc334a91c4bf26441f6767522d25b2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEM91A1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEME7EF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEM3E0E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEM93CF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEME9DE.exe

Executes dropped EXE 6 IoCs

pid	Process
3628	DEM91A1.exe
932	DEME7EF.exe
4524	DEM3E0E.exe
4344	DEM93CF.exe
1456	DEME9DE.exe
1288	DEM3FDE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM91A1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME7EF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3E0E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM93CF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME9DE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3FDE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdcc334a91c4bf26441f6767522d25b2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 444 wrote to memory of 3628	444	fdcc334a91c4bf26441f6767522d25b2_JaffaCakes118.exe	90
PID 444 wrote to memory of 3628	444	fdcc334a91c4bf26441f6767522d25b2_JaffaCakes118.exe	90
PID 444 wrote to memory of 3628	444	fdcc334a91c4bf26441f6767522d25b2_JaffaCakes118.exe	90
PID 3628 wrote to memory of 932	3628	DEM91A1.exe	94
PID 3628 wrote to memory of 932	3628	DEM91A1.exe	94
PID 3628 wrote to memory of 932	3628	DEM91A1.exe	94
PID 932 wrote to memory of 4524	932	DEME7EF.exe	96
PID 932 wrote to memory of 4524	932	DEME7EF.exe	96
PID 932 wrote to memory of 4524	932	DEME7EF.exe	96
PID 4524 wrote to memory of 4344	4524	DEM3E0E.exe	98
PID 4524 wrote to memory of 4344	4524	DEM3E0E.exe	98
PID 4524 wrote to memory of 4344	4524	DEM3E0E.exe	98
PID 4344 wrote to memory of 1456	4344	DEM93CF.exe	100
PID 4344 wrote to memory of 1456	4344	DEM93CF.exe	100
PID 4344 wrote to memory of 1456	4344	DEM93CF.exe	100
PID 1456 wrote to memory of 1288	1456	DEME9DE.exe	102
PID 1456 wrote to memory of 1288	1456	DEME9DE.exe	102
PID 1456 wrote to memory of 1288	1456	DEME9DE.exe	102

C:\Users\Admin\AppData\Local\Temp\fdcc334a91c4bf26441f6767522d25b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdcc334a91c4bf26441f6767522d25b2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:444
- C:\Users\Admin\AppData\Local\Temp\DEM91A1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM91A1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Users\Admin\AppData\Local\Temp\DEME7EF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME7EF.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Users\Admin\AppData\Local\Temp\DEM3E0E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3E0E.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4524
    - - C:\Users\Admin\AppData\Local\Temp\DEM93CF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM93CF.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4344
      - C:\Users\Admin\AppData\Local\Temp\DEME9DE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME9DE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\DEM3FDE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3FDE.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3E0E.exe

Filesize
15KB

MD5
ed5b2edea2d0c276c0e8944a1247f93b

SHA1
75e1936bd0efc5fb5d80d4ac064ef4ed9a1e774c

SHA256
694d4ec61bdc8f7b55a89c91707ef6e4eca99a5bc97f84b8accceeb67c4b003f

SHA512
5c872f471dde0f1700b0d09f59b3369b531e1a789667acb9689f2f84885dc0d506aeab6eb32e1ea319bb467426a0bfce2814914ca5433bb791e02afd6a41cd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3FDE.exe

Filesize
15KB

MD5
31c1549211ff20fd13cbfc85cef750bb

SHA1
690407e09250ee3131ad416fa7598a46ce6a5492

SHA256
7487c8e31d7930d4b38eb8f11d285dc5ef8917aadd5995955143d0f470a0b602

SHA512
c28a388831429246d5ab94e412b040fc3674f1139d0fc12733350c53487892f25920e405eee9c090a9771e8780d2a749fbff2aa89fef509b326106fe27a3b71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM91A1.exe

Filesize
15KB

MD5
1ffbe1477c5fb852b8011821e87703ab

SHA1
2fc35998ecc0c9fbfdf5aa958c2758c0f88c3697

SHA256
601bf62a9d4a5d1c1e50c83ac37c0a3cfac82cee43351d6d51dae3a18e3f34fd

SHA512
958b0defb4f077a2fed74d6e8834053ae7aa3f6df0bea7ac0f4c4007aeca32965a62a57fc5fa042cb045cc80fd23a587a7d9b4c870de6ec6485db5138f8c3735

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM93CF.exe

Filesize
15KB

MD5
a4541e5fd185a1c33ac44305739ef6f8

SHA1
6376ec7170bc7c1f2adbb207d07a009d14baa775

SHA256
46b1a84057ba38f7b5a54313e10e631ca0d9dc4af61b8be232aa1b3c6df7fdac

SHA512
cfb0c687d1320d92e9f64e4c60b4a02011652d8ec37e5dc3e18552ceda45b70eb2321ca9b9b83aac5ef525f02a746d7e03c1d523a5a8eac1a81c1688f4aab76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME7EF.exe

Filesize
15KB

MD5
86d2dba5bce24a53154a4d6ad5dc4288

SHA1
ffc4e17d65fa0f3f9d97cc923c857cf548a05fa4

SHA256
0b45b55ebe129bec7d31be9f5290d15835d126fc7d607bd2707c51cc9ab55a92

SHA512
0f528d7d9094d70c98eae1fa80dd6ea886f1e8dc592cb4443937d5f46e06195f22cec39d4040ce4480e20ed5dad29875c81a8fbb86e7d27a3b2d95ada4ead5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME9DE.exe

Filesize
15KB

MD5
cca0a12382babaeac40c5d8c33bf3c6c

SHA1
4b616da9276be83b1687c7fcef4c5c412727d37f

SHA256
259c93eabf5820bb5a901358d256cfadd044bf0c7f5f15aed64a23ddc2e72120

SHA512
eb427572966f7ec039076a9f941af5843b7e2e5eeff3ffecf63f899f21bd251806205daef2a1509e1c26fecbc8726403ec1faa8cc59d60c75b8ce380c9a0e75f

Download Submit

Analysis

Sharing