531354099d4ead8b8074e8defcb41cead820d3813b6e16673e5630e88668d70c

General

Target

0288759aa61f29806421f13a15e58229_JaffaCakes118.exe
Size

14KB
MD5

0288759aa61f29806421f13a15e58229
SHA1

cc05dc0894b1fb6c8734cb442ddfb1b00008888e
SHA256

531354099d4ead8b8074e8defcb41cead820d3813b6e16673e5630e88668d70c
SHA512

21b9dbab3e4ea16f794e6946fd82fa32fe03f4eb991d2e09e7ec3c2eb9fbbed84cc4a1c97f690526ed92def0748477974839da64a3558264d069f6e5f1eabc83
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5e:hDXWipuE+K3/SSHgxms

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	0288759aa61f29806421f13a15e58229_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEMC4F6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM1B72.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM7191.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEMC7CF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM1DBF.exe

Executes dropped EXE 6 IoCs

pid	Process
4956	DEMC4F6.exe
2844	DEM1B72.exe
1128	DEM7191.exe
4676	DEMC7CF.exe
3272	DEM1DBF.exe
2864	DEM73DE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC4F6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1B72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7191.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC7CF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1DBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM73DE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0288759aa61f29806421f13a15e58229_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 4956	2708	0288759aa61f29806421f13a15e58229_JaffaCakes118.exe	92
PID 2708 wrote to memory of 4956	2708	0288759aa61f29806421f13a15e58229_JaffaCakes118.exe	92
PID 2708 wrote to memory of 4956	2708	0288759aa61f29806421f13a15e58229_JaffaCakes118.exe	92
PID 4956 wrote to memory of 2844	4956	DEMC4F6.exe	96
PID 4956 wrote to memory of 2844	4956	DEMC4F6.exe	96
PID 4956 wrote to memory of 2844	4956	DEMC4F6.exe	96
PID 2844 wrote to memory of 1128	2844	DEM1B72.exe	98
PID 2844 wrote to memory of 1128	2844	DEM1B72.exe	98
PID 2844 wrote to memory of 1128	2844	DEM1B72.exe	98
PID 1128 wrote to memory of 4676	1128	DEM7191.exe	100
PID 1128 wrote to memory of 4676	1128	DEM7191.exe	100
PID 1128 wrote to memory of 4676	1128	DEM7191.exe	100
PID 4676 wrote to memory of 3272	4676	DEMC7CF.exe	102
PID 4676 wrote to memory of 3272	4676	DEMC7CF.exe	102
PID 4676 wrote to memory of 3272	4676	DEMC7CF.exe	102
PID 3272 wrote to memory of 2864	3272	DEM1DBF.exe	104
PID 3272 wrote to memory of 2864	3272	DEM1DBF.exe	104
PID 3272 wrote to memory of 2864	3272	DEM1DBF.exe	104

C:\Users\Admin\AppData\Local\Temp\0288759aa61f29806421f13a15e58229_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0288759aa61f29806421f13a15e58229_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\DEMC4F6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC4F6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\DEM1B72.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1B72.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\DEM7191.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7191.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1128
    - - C:\Users\Admin\AppData\Local\Temp\DEMC7CF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC7CF.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4676
      - C:\Users\Admin\AppData\Local\Temp\DEM1DBF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1DBF.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\DEM73DE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM73DE.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1B72.exe

Filesize
14KB

MD5
ddab11e33b2e0187600994ad69925c22

SHA1
062bdf266707aeda5f5956f8afdca848453ea5c5

SHA256
a8c2d5f6fe50681163962df35d42ce5a26d16c9203342eda01761fc48383ac62

SHA512
4abde54f7048d9e18c8baf6d40ba4e860ac698bedba11b562b54ebf39efaaf2ffdf0877932f27903c21d5eb5139a911df6994bedd7dce659b9d2a746137e6054

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1DBF.exe

Filesize
14KB

MD5
4e4b79eeff6c539f9ba20d3cfe130de7

SHA1
f567ff9e8ef8ff30d32b22bbf6392c89e91de21f

SHA256
7838120af5754d23afeb2e44648ea9d6110d04a0e754705d635c4368524a00b8

SHA512
0ab5ddc3504885f359a2ed9693cf50634c82d873ef1de5dc875cdace885e19553940b8c221c8fdbaf3f7e94eb7ed0819c989b84399657d2da60011548b9e50ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7191.exe

Filesize
14KB

MD5
ae58f67e4ae365865a00a14a1018d602

SHA1
d671b6e3b279e0bbb36806bb3a247df704883246

SHA256
61f50c289ec83dd882bbce53c68236a7c6bda2605188efcac6e5712b0603d8ac

SHA512
f18bc9a4a227e8435822b2451a0dab29c66e42ceeda1b4fdcec9cdfc0bc8d4ba7dee4fe2b2cc3fc6a082175873b5ede54705ef24bb0686d53b90b9ae141f5bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM73DE.exe

Filesize
14KB

MD5
99bde24935c8b5e0f822d72f6f2d20cf

SHA1
bb29022f29689ff80e65b5273294bfe7ad3a44d9

SHA256
caf32d24a93d65fbacdaf4b7579eadceeb09bddd9e4f36c0263ff0dd8321930c

SHA512
aeea4cd10f5913199cb290e57139f103db3df730ffc2e2fb8107765e9e4dfc308144ef0ce716e2387ecc458d1af4e3350361de47ccaa2dea1162cac3e55e7e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC4F6.exe

Filesize
14KB

MD5
d05d3af167b5ea2827d82327dc42633f

SHA1
654e2d28663daf035087e32fab792bc08c6c9966

SHA256
c54954bb5e7eb274f6de0c27c7248d5775f8a15ae2e98448e57e3e3683df2ac6

SHA512
5c32d91ea589b2367275d7067af892c797171c91385b4dfc74bb7a06c415fbe9e08497343eb3b68b79de952962489de8fe4048c3c3ed0b7c3d299f571d5fb57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC7CF.exe

Filesize
14KB

MD5
18e3d3d2be15ed4fe9af826dd142c82b

SHA1
2133810c9908ac521b0b368f9c7db85ee40f0e8e

SHA256
2f82c6ef79482271439dd67b4cc2977e1d70a4a936617ad093117470d5e40e11

SHA512
941e17a45a68ae41d9f468b4aa7db0f9247ac7c2bed9e4bc353af825e51a5bff2fb32f30f0fb9758c929872a9fc4941bbf6d6abbecc19b5bd2ed1fc453e06da5

Download Submit

Analysis

Sharing