54b0f53f5c6de527ce92be03467dde8bd4a7694c39c1290350121f4d8a2447c5

General

Target

09b766597c897a0eb8ed58cca3bbed34_JaffaCakes118.exe
Size

14KB
MD5

09b766597c897a0eb8ed58cca3bbed34
SHA1

6135a1013963463c62b1b361be40704bcc037176
SHA256

54b0f53f5c6de527ce92be03467dde8bd4a7694c39c1290350121f4d8a2447c5
SHA512

896c7713588682def338a78dc2730ffc4c9a44190499c397c51f3ca5a3dcab05976e84dc1fddde781139ffa9e8dfdbf8a2db0d308ae3221c7661afdbce0ad8ca
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyO00:hDXWipuE+K3/SSHgxmyOH

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	09b766597c897a0eb8ed58cca3bbed34_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEM77FF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEMCE7B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEM247B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEM7A8A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEMD0C8.exe

Executes dropped EXE 6 IoCs

pid	Process
944	DEM77FF.exe
976	DEMCE7B.exe
2800	DEM247B.exe
4584	DEM7A8A.exe
888	DEMD0C8.exe
3260	DEM26E7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM26E7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09b766597c897a0eb8ed58cca3bbed34_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM77FF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCE7B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM247B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7A8A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD0C8.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 944	1760	09b766597c897a0eb8ed58cca3bbed34_JaffaCakes118.exe	90
PID 1760 wrote to memory of 944	1760	09b766597c897a0eb8ed58cca3bbed34_JaffaCakes118.exe	90
PID 1760 wrote to memory of 944	1760	09b766597c897a0eb8ed58cca3bbed34_JaffaCakes118.exe	90
PID 944 wrote to memory of 976	944	DEM77FF.exe	94
PID 944 wrote to memory of 976	944	DEM77FF.exe	94
PID 944 wrote to memory of 976	944	DEM77FF.exe	94
PID 976 wrote to memory of 2800	976	DEMCE7B.exe	96
PID 976 wrote to memory of 2800	976	DEMCE7B.exe	96
PID 976 wrote to memory of 2800	976	DEMCE7B.exe	96
PID 2800 wrote to memory of 4584	2800	DEM247B.exe	98
PID 2800 wrote to memory of 4584	2800	DEM247B.exe	98
PID 2800 wrote to memory of 4584	2800	DEM247B.exe	98
PID 4584 wrote to memory of 888	4584	DEM7A8A.exe	100
PID 4584 wrote to memory of 888	4584	DEM7A8A.exe	100
PID 4584 wrote to memory of 888	4584	DEM7A8A.exe	100
PID 888 wrote to memory of 3260	888	DEMD0C8.exe	102
PID 888 wrote to memory of 3260	888	DEMD0C8.exe	102
PID 888 wrote to memory of 3260	888	DEMD0C8.exe	102

C:\Users\Admin\AppData\Local\Temp\09b766597c897a0eb8ed58cca3bbed34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09b766597c897a0eb8ed58cca3bbed34_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\DEM77FF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM77FF.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Users\Admin\AppData\Local\Temp\DEMCE7B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCE7B.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Users\Admin\AppData\Local\Temp\DEM247B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM247B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Users\Admin\AppData\Local\Temp\DEM7A8A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7A8A.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4584
      - C:\Users\Admin\AppData\Local\Temp\DEMD0C8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD0C8.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\DEM26E7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM26E7.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM247B.exe

Filesize
14KB

MD5
7464ac311990706d5141c00e071c102e

SHA1
47a4ca98d11cdfbcd99d42349edc98ce7f042a6d

SHA256
f572a313ffc8b83d4587813b0863664527d89630bb6805e974bae2badb08fa5c

SHA512
975144c71f72d1983a2fa88b5ffd45e93063961effd94c9e60acd2bcef4e91591a5544d46cd7c2f41591f237955f98c2d1342ae8b074d1ae567fc607ad4b88e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM26E7.exe

Filesize
14KB

MD5
fb4022451627dddbab57558f9742f18d

SHA1
c0a3f1828ee6fc0f5eb80365162d674e426b4bce

SHA256
fc56019e012bf70340a72813281649237787375541cb8db7d2e03b3ea6452f4a

SHA512
fd4a669c1b5d0ac28a200d1a3112d9ac9994065cb3ecf4d5df610932c99f0753646e9c6491990931f94892523bee12e0a2d4b78fc63965284869e6d21a314477

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM77FF.exe

Filesize
14KB

MD5
533241460820cbb57949280a299deda4

SHA1
3000db2d033049b69ad34fa44255849515d7eb20

SHA256
dc31a07bb81637a0bfa911d936171d408cf69eae0406dae00b2b05391dece36d

SHA512
259e4c541aff12bc86c49fdb631f78235e861d385db4706d5afe5053f229eda568a6b8561e28e30758d68f8500cf2f5974a923091a25c54648a2ff4cc91156a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7A8A.exe

Filesize
14KB

MD5
fa8a5f36139023a229d4a7e4bc91fdb5

SHA1
d99aec7b823babd8cb3b670abc55c0216e2442bc

SHA256
6ddc352d887290acc1e515425b1852201a9e8722ee9a1b2af01b1bf12b91da89

SHA512
c440ee42b92f3e7a4da08eea8134451ebe8a84c724b542b73a18a4fe69fc84b4259db4466be8a6231b323b2e89e4e679d8438c373d53ccc4f4d508e2cf2ad183

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCE7B.exe

Filesize
14KB

MD5
b73fad3d7517d981949f5268dacd1104

SHA1
eb8e35e4c95bb4d670a5e927381beb4eb1da1446

SHA256
792f27740cd722d99c3cd9743dcc569962dea940f0c3925159f00ece6c5fc8b8

SHA512
ddcad4bbdeff9d2728c898432e816424ae7776e57e03a1c9e0ea66e57dffe0daca0da1983c9608c5bf33f3c0482d667a9b6bf5913e9d76c35f44c69904e8941a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD0C8.exe

Filesize
14KB

MD5
307c0ca3be94da42151d058fa14b8875

SHA1
38204917151aed8fedcbbebdac479e1761498011

SHA256
f1146403f055b1efc87706bd29edc7e46876814a05e4d3645334ff8f92af3dee

SHA512
9aebd3b84f454fae4badd6ca9320be12a362cfbff7d45c20d45b73bd4fabaf832f83b74848adba83cb99b7682a238b50c75d585911dcc43ec28a8032b3d03f47

Download Submit

Analysis

Sharing