efedbd226b293f773ddad70155e5596a91ed501d65bacf6a78c7a38d8b4a46e3

General

Target

fe03c9cd24f5b913a3ad5e732a86c7dc_JaffaCakes118.exe
Size

15KB
MD5

fe03c9cd24f5b913a3ad5e732a86c7dc
SHA1

e803f9bce447000181095db7a5c4bdb6107be2af
SHA256

efedbd226b293f773ddad70155e5596a91ed501d65bacf6a78c7a38d8b4a46e3
SHA512

44b42fdd61f490d781b9ce5942d351a613bf9ae6dab7d2cb03c7cd160177ef7c18f9712adbcbdce740e26e04e89ea4e7380395e6840f98c2a9178425b56e9358
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJEHt:hDXWipuE+K3/SSHgxWt

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	DEM2FA6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	DEM8604.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	DEMDC80.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	fe03c9cd24f5b913a3ad5e732a86c7dc_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	DEM82AD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	DEMD978.exe

Executes dropped EXE 6 IoCs

pid	Process
4416	DEM82AD.exe
2472	DEMD978.exe
4908	DEM2FA6.exe
3432	DEM8604.exe
3384	DEMDC80.exe
2944	DEM32DE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM32DE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe03c9cd24f5b913a3ad5e732a86c7dc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM82AD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD978.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2FA6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8604.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDC80.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 4416	3660	fe03c9cd24f5b913a3ad5e732a86c7dc_JaffaCakes118.exe	90
PID 3660 wrote to memory of 4416	3660	fe03c9cd24f5b913a3ad5e732a86c7dc_JaffaCakes118.exe	90
PID 3660 wrote to memory of 4416	3660	fe03c9cd24f5b913a3ad5e732a86c7dc_JaffaCakes118.exe	90
PID 4416 wrote to memory of 2472	4416	DEM82AD.exe	94
PID 4416 wrote to memory of 2472	4416	DEM82AD.exe	94
PID 4416 wrote to memory of 2472	4416	DEM82AD.exe	94
PID 2472 wrote to memory of 4908	2472	DEMD978.exe	96
PID 2472 wrote to memory of 4908	2472	DEMD978.exe	96
PID 2472 wrote to memory of 4908	2472	DEMD978.exe	96
PID 4908 wrote to memory of 3432	4908	DEM2FA6.exe	98
PID 4908 wrote to memory of 3432	4908	DEM2FA6.exe	98
PID 4908 wrote to memory of 3432	4908	DEM2FA6.exe	98
PID 3432 wrote to memory of 3384	3432	DEM8604.exe	100
PID 3432 wrote to memory of 3384	3432	DEM8604.exe	100
PID 3432 wrote to memory of 3384	3432	DEM8604.exe	100
PID 3384 wrote to memory of 2944	3384	DEMDC80.exe	102
PID 3384 wrote to memory of 2944	3384	DEMDC80.exe	102
PID 3384 wrote to memory of 2944	3384	DEMDC80.exe	102

C:\Users\Admin\AppData\Local\Temp\fe03c9cd24f5b913a3ad5e732a86c7dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe03c9cd24f5b913a3ad5e732a86c7dc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Users\Admin\AppData\Local\Temp\DEM82AD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM82AD.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Users\Admin\AppData\Local\Temp\DEMD978.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD978.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\DEM2FA6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2FA6.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4908
    - - C:\Users\Admin\AppData\Local\Temp\DEM8604.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8604.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3432
      - C:\Users\Admin\AppData\Local\Temp\DEMDC80.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDC80.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\DEM32DE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM32DE.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2FA6.exe

Filesize
15KB

MD5
bcac21771ff7decf5444458d7cedb878

SHA1
5613a62d5bb755f2df8d08b3c6ed37bef86c8b0d

SHA256
265ea0bcd0b75e2c8beb2f5aaf7018e6eb2cbfd91864b40524e8e789c9f41f48

SHA512
674cf2163def906170f82bd2b2ee11853a857a6b9332d3b0a893abb785f95326ec65f48d48667924c0d30ee43300132c76e993890b5e2b1c5f626df661a1f689

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM32DE.exe

Filesize
15KB

MD5
ffaa162fc3f397a1a3267c4fe88f3d24

SHA1
5922b5fbf3c6bf6ec7f07d05fc1079a46b963696

SHA256
9de89ef2c77deba5fdb13d5d81458abe76f5f829fc29cade59437f84a3371088

SHA512
f31dbe421d4e3899b7daa64ad9e0f02aa1673bfb6963ba0c3520ca8cc1e89dcabe5848155ae833980dd7b4684074fd7c4f7f9b2fdfb552c68b7b9c00731f93b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM82AD.exe

Filesize
15KB

MD5
ed0926ef62a6cedb44d24c4e851ac848

SHA1
75946fb772d9269854264f5ad83ef71aa883d0a5

SHA256
e275bf5ff52d6b0860617c540cc9014853bf7496b4d87e352395a7b63b1394d2

SHA512
edd0248debe23ea1f1c1e44a865c2c2ca2051a86a9a389905ae5bf1aef1242e74abbae939dbd82ce3575c97e785747c509820204987692feb27019125f4e9389

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8604.exe

Filesize
15KB

MD5
05dd86c4e9a4e9031267668d088d8b68

SHA1
b081294c3688aa1c9d0e9c0c23cd90e9cfa84c8b

SHA256
dc7c3e330f79ae23c7cf15d7c7ce1a0d72c3e5d95f5258d91155073eed6ccdd7

SHA512
2dd062b4942e162d88ae18615e9c0a333df478536ac279e0f63126fdd0e96fcc1badef0d9c078e01e8fc79bea74e357b35b8e0b1faadcfe47554f73ef0a766a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD978.exe

Filesize
15KB

MD5
7bef96d486389e4ee43561dddc113b49

SHA1
89307377dd68ae0c8e0cde989d366c244e936ad8

SHA256
5ad6642d75138f04cd414ef53dc400f3c42bea5cb0133758f7b10ac9dd6e450b

SHA512
9e72435bb7f9aa350c4211d83c53e8c36a79850c30a0f32122a8dc38d77e5630a114e518969db2f0777da6397f3671706b0d7b389274438cb7b9186beaea86a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDC80.exe

Filesize
15KB

MD5
66a2415860b4f609e193b6ef4b5f71db

SHA1
2c147c64a362844a4f18a338c54157203be555df

SHA256
8f315981c3c885582d22f4cdd20a45282133b164e4d716e6ff134f48e4afc789

SHA512
2a8ca1e09b86dedb218cf4db648b61564f4bd940890874755a62233a36f50fedce46788684ea65b8777e0883ae414fdbf139fb0d2b841ced31148a80ecb69410

Download Submit

Analysis

Sharing