Analysis
- max time kernel: 132s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-10-2024 01:31
Static task: static1
Behavioral task: behavioral1
- Sample: 0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe
- Size: 14KB
- MD5: 0842e59497d6172c8f478909aa4c1c91
- SHA1: 947164fdeee6adfea505b512cf8bbd0626878247
- SHA256: 4166a44f3e13dd539dbbfce1dcb5af47fac705f01fa864eb7dd1016beaaf8dc7
- SHA512: 7170af338e04fa31bc506f621abef3b4dbcd05ce3c40ac724689a0fbf92b8308eeea1f5657ed3ab9b67854b1cb10b93c04ea4feaa4d59bc3f6b36e1a2a4d0b96
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYWmba:hDXWipuE+K3/SSHgxmWmba
Signatures

Checks computer location settings (2 TTPs, 6 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation, by each of:
- DEMAA69.exe
- DEMD6.exe
- DEM5762.exe
- DEMAD71.exe
- DEM3BF.exe
- 0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe

Executes dropped EXE (6 IoCs)
- PID 2568: DEMAA69.exe
- PID 3492: DEMD6.exe
- PID 780: DEM5762.exe
- PID 3572: DEMAD71.exe
- PID 2356: DEM3BF.exe
- PID 4724: DEM5A0D.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of:
- DEM5762.exe
- DEMAD71.exe
- DEM3BF.exe
- DEM5A0D.exe
- 0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe
- DEMAA69.exe
- DEMD6.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Each parent wrote three times into the child shown beneath it in the process tree:
- PID 4544 (0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe) wrote to memory of PID 2568, procid_target 88 (3 IoCs)
- PID 2568 (DEMAA69.exe) wrote to memory of PID 3492, procid_target 94 (3 IoCs)
- PID 3492 (DEMD6.exe) wrote to memory of PID 780, procid_target 96 (3 IoCs)
- PID 780 (DEM5762.exe) wrote to memory of PID 3572, procid_target 98 (3 IoCs)
- PID 3572 (DEMAD71.exe) wrote to memory of PID 2356, procid_target 100 (3 IoCs)
- PID 2356 (DEM3BF.exe) wrote to memory of PID 4724, procid_target 102 (3 IoCs)
Processes (depth in brackets; each entry is the child of the one above it)

[1] C:\Users\Admin\AppData\Local\Temp\0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe"
    PID: 4544
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\DEMAA69.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\DEMAA69.exe"
      PID: 2568
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\DEMD6.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\DEMD6.exe"
        PID: 3492
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\DEM5762.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\DEM5762.exe"
          PID: 780
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Local\Temp\DEMAD71.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\DEMAD71.exe"
            PID: 3572
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

          [6] C:\Users\Admin\AppData\Local\Temp\DEM3BF.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\DEM3BF.exe"
              PID: 2356
              - Checks computer location settings
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

            [7] C:\Users\Admin\AppData\Local\Temp\DEM5A0D.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\DEM5A0D.exe"
                PID: 4724
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
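Taken one at a time, the signatures above are weak evidence: reads of Control Panel\International\Geo\Nation and SYSTEM\...\Control\NLS\Language can be produced by ordinary locale lookups, and a parent writing into a child it has just created is what many launchers do. What makes this report worth acting on is structural: a seven-deep linear chain under %TEMP% in which every child is a dropped EXE that in turn drops and starts one more, each parent writes into its own child, and the six files listed under Downloads are all 14KB with pairwise-distinct hashes, which is consistent with the dropper rewriting itself each generation. The Python below is an added example, not part of the sandbox report or its tooling. It parses the flattened WriteProcessMemory rows in exactly the form printed above, rebuilds the chain, and applies those three checks. Every PID, image name and hash is transcribed from this page; the checks, their thresholds and the idea of applying them to other reports are this example's own assumptions.

```python
"""
Added example: rebuild the process chain from the flattened sandbox rows above
and flag the self-propagating dropper pattern. The rows, PIDs, image names
and hashes are transcribed from this report; the checks and their thresholds
are assumptions of this example, not the sandbox's own logic.
"""
import re
from collections import defaultdict

# "Suspicious use of WriteProcessMemory" rows in the format the report prints:
#   PID <src> wrote to memory of <dst> <src> <src image> <procid_target>
# The report lists each row three times (one per write); reproduced here.
WRITE_ROWS = [
    "PID 4544 wrote to memory of 2568 4544 0842e59497d6172c8f478909aa4c1c91_JaffaCakes118.exe 88",
    "PID 2568 wrote to memory of 3492 2568 DEMAA69.exe 94",
    "PID 3492 wrote to memory of 780 3492 DEMD6.exe 96",
    "PID 780 wrote to memory of 3572 780 DEM5762.exe 98",
    "PID 3572 wrote to memory of 2356 3572 DEMAD71.exe 100",
    "PID 2356 wrote to memory of 4724 2356 DEM3BF.exe 102",
] * 3

# "Executes dropped EXE" rows: pid -> image.
DROPPED_EXE = {2568: "DEMAA69.exe", 3492: "DEMD6.exe", 780: "DEM5762.exe",
               3572: "DEMAD71.exe", 2356: "DEM3BF.exe", 4724: "DEM5A0D.exe"}

# Files listed under Downloads: (size in KB, MD5).
DOWNLOADS = [
    (14, "7e9d9a38832e62c7e581ef0e6e23fc9d"),
    (14, "be93bead05db49106749242ae43c030f"),
    (14, "6ed79cf9457ec02ad9aa0774fcd88153"),
    (14, "292394c31d0347f0ebf68d44f7b1640b"),
    (14, "c2037c797ed724436109f36540e439b9"),
    (14, "4d31ca5246aa9a29324e762470e86055"),
]

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_writes(rows):
    """Collapse the rows into {(src_pid, dst_pid): (src_image, write_count)}."""
    edges = {}
    for row in rows:
        m = ROW_RE.fullmatch(row.strip())
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst, image, _procid_target = m.groups()
        key = (int(src), int(dst))
        _, count = edges.get(key, (image, 0))
        edges[key] = (image, count + 1)
    return edges


def build_chain(edges, root_pid):
    """Follow parent->child edges from root_pid while the tree stays linear.

    Returns the list of PIDs; stops at a process with zero or several children.
    """
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    chain = [root_pid]
    while len(children[chain[-1]]) == 1:
        chain.append(children[chain[-1]][0])
    return chain


def score(edges, dropped_exe, downloads, root_pid):
    """Return (chain, findings) for the three structural checks."""
    chain = build_chain(edges, root_pid)
    findings = []
    # 1. Every child in the chain is a file that was dropped and then executed.
    if len(chain) > 2 and all(pid in dropped_exe for pid in chain[1:]):
        findings.append(f"linear chain of {len(chain)} processes; every child is a dropped EXE")
    # 2. Every parent writes into the child it just started (>= 3 writes, as in this report).
    if len(chain) > 1 and all(edges[(a, b)][1] >= 3 for a, b in zip(chain, chain[1:])):
        findings.append("each parent writes into its own freshly spawned child")
    # 3. Dropped files share one size but no two hashes match: per-generation mutation.
    sizes = {size for size, _ in downloads}
    hashes = [md5 for _, md5 in downloads]
    if len(sizes) == 1 and len(set(hashes)) == len(hashes) > 1:
        findings.append(f"{len(hashes)} files, all {next(iter(sizes))}KB, all distinct MD5")
    return chain, findings


if __name__ == "__main__":
    chain, findings = score(parse_writes(WRITE_ROWS), DROPPED_EXE, DOWNLOADS, 4544)
    print(" -> ".join(str(pid) for pid in chain))
    for finding in findings:
        print("*", finding)
```

Run it stand-alone and it prints the chain 4544 -> 2568 -> 3492 -> 780 -> 3572 -> 2356 -> 4724 followed by the three findings. The regex is deliberately anchored to the report's exact row layout (source PID appears twice), so a row it cannot parse raises instead of being silently skipped; when adapting this to another sandbox's export, change ROW_RE rather than loosening it.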
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 14KB
  MD5: 7e9d9a38832e62c7e581ef0e6e23fc9d
  SHA1: 9bbad71abc9b8feee3b37993747d7ffea3e46cb9
  SHA256: e9a356cf6e2c370d25a1d7eeb333ab9aeb1a6f5f731e18ad0b368a6738095753
  SHA512: 30b506b07ff0722baa573c07d27c50628dbf2f3f8800b5edd654f13b267ce007dc6aa4ec50d703ea50940532d99826e923513216fe8b39f29ea326285d02d697

- Filesize: 14KB
  MD5: be93bead05db49106749242ae43c030f
  SHA1: 4d4f5c984e696bc624587bca76c6f2c080f6d93a
  SHA256: 5ed22794ac1a6c1f62aa487de73e186f8ae5bb228bd78e0fa6d4faec77d8bce3
  SHA512: 1803f9d8f21821e1cb0102d4d0028a85abd1f2d19f9997644913a45394e56dca01b275095ebab6d3f1b4e3c2fbcf02097c3873622a97aeb5f7633b678e07170d

- Filesize: 14KB
  MD5: 6ed79cf9457ec02ad9aa0774fcd88153
  SHA1: 83065f8123d281b0fc6ff5b8f1b8c9533afa3375
  SHA256: c21324a2a9e68a09c49bd4e367fb7e10bb88a36549016372552e5a4a02d3a244
  SHA512: 74e64a7f151c55b15bf83b58a6f50347559f57aea9b05db228e30a9b862bb80e19ef373220075f8fbb82ae2409327957749be749337a897a98a637d9c2cc6d07

- Filesize: 14KB
  MD5: 292394c31d0347f0ebf68d44f7b1640b
  SHA1: 03f7e1bb757dc2602b4029da2acb3bb6cb3ac814
  SHA256: 1e5683304e042529de07ef0bfc9c565089f514da00adf4f57fee0fce4be137d6
  SHA512: 2bdef9a7f906eef51e270dfb0a4e2ac624160d602f4db1200d51425d2ba0d561a92b54979229c044e5ceca79ad2cad0cc8a89502a275cec5ef541541e98df0ea

- Filesize: 14KB
  MD5: c2037c797ed724436109f36540e439b9
  SHA1: f8059878c64c32b4d1d2a04dba57522df283581b
  SHA256: ee2c713959e3e33503bd6e207db0d61006e754a8d4c5f2e93c46da93ad154942
  SHA512: 23d20a521c519182e257f02c3ca5db04a5b5342c7e31f17dba165fbd8103b745a125340e17a3e11f217a6325d74f28916d8ea9be6e2a95f3b6c432df7eec5a0c

- Filesize: 14KB
  MD5: 4d31ca5246aa9a29324e762470e86055
  SHA1: 1dd5c5bf7d9b26ba41a2be6ecb53ad2b18604da3
  SHA256: e5bf4e7603d7f9e92b142388d7436e78def7c3b4e79934e5f85ba561a76af36f
  SHA512: e240fa9a0bc968fc37ec123cf446d86b0b687ad30d45f450f5d056987e6e4ed0b1a8a7b71035e5d7a16af33805dc68202340fc532834bb267e76e5561fcbf1ec