c5a5bf9e193db3a4fdbd9ff6774820fda4129458c45b6ea03eb0c4d21bda1f1f

General

Target

04a6ac56418ed58ff297726d369817ac_JaffaCakes118.exe
Size

14KB
MD5

04a6ac56418ed58ff297726d369817ac
SHA1

06d5798be725620259492c7e18adeb59c3016014
SHA256

c5a5bf9e193db3a4fdbd9ff6774820fda4129458c45b6ea03eb0c4d21bda1f1f
SHA512

bd13080a3771b90dc111e4867d5c38dadb78a98c665eea28d83d69e4b4e52bfac83f8e979b539dc694faf5af8787e86fb983d2d5f4805050e3993bf76115754a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYq:hDXWipuE+K3/SSHgxmq

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	04a6ac56418ed58ff297726d369817ac_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	DEM8C71.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	DEME34B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	DEM3A35.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	DEM9093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	DEME70F.exe

Executes dropped EXE 6 IoCs

pid	Process
1680	DEM8C71.exe
1052	DEME34B.exe
1408	DEM3A35.exe
4928	DEM9093.exe
2248	DEME70F.exe
4888	DEM3D0F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME70F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3D0F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04a6ac56418ed58ff297726d369817ac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8C71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME34B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3A35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9093.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 1680	4952	04a6ac56418ed58ff297726d369817ac_JaffaCakes118.exe	90
PID 4952 wrote to memory of 1680	4952	04a6ac56418ed58ff297726d369817ac_JaffaCakes118.exe	90
PID 4952 wrote to memory of 1680	4952	04a6ac56418ed58ff297726d369817ac_JaffaCakes118.exe	90
PID 1680 wrote to memory of 1052	1680	DEM8C71.exe	94
PID 1680 wrote to memory of 1052	1680	DEM8C71.exe	94
PID 1680 wrote to memory of 1052	1680	DEM8C71.exe	94
PID 1052 wrote to memory of 1408	1052	DEME34B.exe	96
PID 1052 wrote to memory of 1408	1052	DEME34B.exe	96
PID 1052 wrote to memory of 1408	1052	DEME34B.exe	96
PID 1408 wrote to memory of 4928	1408	DEM3A35.exe	98
PID 1408 wrote to memory of 4928	1408	DEM3A35.exe	98
PID 1408 wrote to memory of 4928	1408	DEM3A35.exe	98
PID 4928 wrote to memory of 2248	4928	DEM9093.exe	100
PID 4928 wrote to memory of 2248	4928	DEM9093.exe	100
PID 4928 wrote to memory of 2248	4928	DEM9093.exe	100
PID 2248 wrote to memory of 4888	2248	DEME70F.exe	102
PID 2248 wrote to memory of 4888	2248	DEME70F.exe	102
PID 2248 wrote to memory of 4888	2248	DEME70F.exe	102

C:\Users\Admin\AppData\Local\Temp\04a6ac56418ed58ff297726d369817ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04a6ac56418ed58ff297726d369817ac_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Users\Admin\AppData\Local\Temp\DEM8C71.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8C71.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\DEME34B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME34B.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\DEM3A35.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3A35.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\Users\Admin\AppData\Local\Temp\DEM9093.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9093.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4928
      - C:\Users\Admin\AppData\Local\Temp\DEME70F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME70F.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\DEM3D0F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3D0F.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3A35.exe

Filesize
14KB

MD5
1d89ad610d56767080b0676d274a9972

SHA1
b55154870c815e61470fc4795fa3c330404ba9d3

SHA256
c64567ac3ff89df3aacbd7ad3af8021a23078a178f95b6d79494a0316bf7dcf9

SHA512
a8434919c42093efbc77df08abd8f5558314364aefd2bc14081a3e0d702df946246a1bc4894fa104337412a8ed018de23684c49d6f3ffbb0b1013958bce95893

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3D0F.exe

Filesize
14KB

MD5
1f4120ad658fc8a2096519fa251d52b9

SHA1
de322f4fc26f781740a1ffd8d13c8a93bd4bb7af

SHA256
6250fd1be82d38c7b8e918c7f2c3fd9c0739147aabf3e8e655a0eb6bd37dfc10

SHA512
84cc4b37268c76e7c2616466b0227f9bee62ad76231177e110423205e09c572d16350c7051c50329158425253d8d02da6746d0ee49bcc29ad1b8b4cc73bfc1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8C71.exe

Filesize
14KB

MD5
7093838a15067e815d104a2a428cf6d8

SHA1
e926d418c5a08cb563ded3ee02f9c35500dfa07e

SHA256
ff47a968447c477a6eaa6a61b7120fbd72cc66eac351372525e3118e53df4434

SHA512
5ad70a2a7ff17705fa3910d5d99b1697c9a7baf5d07044acb0be091cad1abbb5224f36fd64cf5805c57d03a88a07414edfe1fd93b575ebbcecfb88c14845265a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9093.exe

Filesize
14KB

MD5
011b9caacd12299580648ca444c9370d

SHA1
8a860335118c8ae12f3dedf499c23df6fdb81443

SHA256
9e318733f69e577c3aff719158b7bf951955ac4c2fcff1a9493f7509c26cd296

SHA512
9ed06d4d1ec6aa699a75cdfec3e86d097a987ac63adbb3aa6bb2138d1f9f35bd559be1ccdeb79d16e8c48e29aab776e9e951c3e18d200e2f69350e5af4b89cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME34B.exe

Filesize
14KB

MD5
df0775725304b3b795d75b1715992392

SHA1
aa2eb363fd97e69905ef4e91f3001878059b014a

SHA256
abe381934f1c8806c641517d6746c5167accac38a1d9a28a72ec822c757518fc

SHA512
726ec8389e903b88a69c6ebe9f7af42e462628e2b7ffc3ca6e82207c187225acc70b6fbef795f7eff6a2ce977b2325949c6684b0ac63b02d0134fb1e4bb2cf61

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME70F.exe

Filesize
14KB

MD5
f80f8e9301c3caaad27b5872666f8193

SHA1
c2999c0c08deac25c09c9a320a03ec9a34b4b5ba

SHA256
84487a64048e06b8aeaaa1423c927d657c3366d6b95e4699218fa688e6a96817

SHA512
5b7870e1455bcbdb714d1332b8deeacfacd8cf7dc58878da059b8e01ef7ac2effda31b3114d2ba91c8d1f9cc920c340b11720bbb99219024a123d105b0440ef5

Download Submit

Analysis

Sharing