5a861a44030c9655c1cefb4038f12373fb827b575bb24a3a67edd9b153ab7f3b

General

Target

09a5384ab701ea41c20b218e6356d5c2_JaffaCakes118.exe
Size

14KB
MD5

09a5384ab701ea41c20b218e6356d5c2
SHA1

c42c2ad956f5d7703dac83107ea7511e5c6c20e8
SHA256

5a861a44030c9655c1cefb4038f12373fb827b575bb24a3a67edd9b153ab7f3b
SHA512

3a47ddb8184f92ae9e491f430cf8fa7eb0132187a276eac9d9c9f0ef3b036323b19849f9c8874c445099094d981af5cc31514d01bc69f3de3c6c66cb40ed6f8a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZU:hDXWipuE+K3/SSHgx3U

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	09a5384ab701ea41c20b218e6356d5c2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEMB8FF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM1008.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM6637.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEMBC37.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM1284.exe

Executes dropped EXE 6 IoCs

pid	Process
1296	DEMB8FF.exe
3904	DEM1008.exe
1928	DEM6637.exe
1776	DEMBC37.exe
3204	DEM1284.exe
1536	DEM6874.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09a5384ab701ea41c20b218e6356d5c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB8FF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1008.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6637.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBC37.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1284.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6874.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 1296	5020	09a5384ab701ea41c20b218e6356d5c2_JaffaCakes118.exe	91
PID 5020 wrote to memory of 1296	5020	09a5384ab701ea41c20b218e6356d5c2_JaffaCakes118.exe	91
PID 5020 wrote to memory of 1296	5020	09a5384ab701ea41c20b218e6356d5c2_JaffaCakes118.exe	91
PID 1296 wrote to memory of 3904	1296	DEMB8FF.exe	95
PID 1296 wrote to memory of 3904	1296	DEMB8FF.exe	95
PID 1296 wrote to memory of 3904	1296	DEMB8FF.exe	95
PID 3904 wrote to memory of 1928	3904	DEM1008.exe	97
PID 3904 wrote to memory of 1928	3904	DEM1008.exe	97
PID 3904 wrote to memory of 1928	3904	DEM1008.exe	97
PID 1928 wrote to memory of 1776	1928	DEM6637.exe	99
PID 1928 wrote to memory of 1776	1928	DEM6637.exe	99
PID 1928 wrote to memory of 1776	1928	DEM6637.exe	99
PID 1776 wrote to memory of 3204	1776	DEMBC37.exe	101
PID 1776 wrote to memory of 3204	1776	DEMBC37.exe	101
PID 1776 wrote to memory of 3204	1776	DEMBC37.exe	101
PID 3204 wrote to memory of 1536	3204	DEM1284.exe	103
PID 3204 wrote to memory of 1536	3204	DEM1284.exe	103
PID 3204 wrote to memory of 1536	3204	DEM1284.exe	103

C:\Users\Admin\AppData\Local\Temp\09a5384ab701ea41c20b218e6356d5c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09a5384ab701ea41c20b218e6356d5c2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\DEMB8FF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB8FF.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Users\Admin\AppData\Local\Temp\DEM1008.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1008.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3904
  - - C:\Users\Admin\AppData\Local\Temp\DEM6637.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6637.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Users\Admin\AppData\Local\Temp\DEMBC37.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBC37.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1776
      - C:\Users\Admin\AppData\Local\Temp\DEM1284.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1284.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\DEM6874.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6874.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1008.exe

Filesize
14KB

MD5
6ea0a7b23596fccc1b8127538d676419

SHA1
82bd7edf8e2ecc26025b5e1ae5db2a9bbc546ee9

SHA256
567a63b8250c7a5b2dd65daae7063b862e9b8b5226782d0197256c4b1a1c2615

SHA512
22114f08a66ec4837915d6de4af27cbfc69843224f2005f27446418c33c9bad05988fe99ed6298834681792725ee40a7a8dcc4ab9d8351bdf9f6528fdf4cd601

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1284.exe

Filesize
14KB

MD5
85316037e70c5427fa07ca355bcf201c

SHA1
d184764815f3729e372f1a3e9ad4cd598b748966

SHA256
1cbb72a9150966a3404f1736b31c0a2458fd2e53476c77a38ca6c85a47c068d0

SHA512
6e2609b78090660d0a280b2e5fe43c96e0f797689cdcb198a40452b578c6bff16fd554da77c259434d52a775c5f097c2bc58b9ff3e14af576325bb99938a5a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6637.exe

Filesize
14KB

MD5
21d889b7923981ec3e6f189d86a6aa29

SHA1
792b0459821b65a63d3d933119d52a4c6dd37f8e

SHA256
39a54f2a6761564fdbf6bf8a84715b6d11583ecd0477b23bd8ca4123c9a3b5cd

SHA512
264a563762584e5dfab5e7a85e2d5b48df98382efb11cca1eba63605e245c5bca5b9605e215d41a2423e1971b4408eb1b7fb4db500b67497956f5943b8487dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6874.exe

Filesize
14KB

MD5
d12fc53c55f66a29ea6ecb22b270af8e

SHA1
56d6a9ebfc3486da84275e74048fc76121aae150

SHA256
ee44b593ff4f5422ddcda4575b7aa8f7d5f921d1b66514af3e00364c4d5c76b1

SHA512
20fc97fb5af57c355cd82295cd99a5150b316c2ae6f73dc4a536ed3e00292dbf2224b6cc3009dcdfdbd2ba0214bf17e7f5991a4f552d635d675342e1067d9eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB8FF.exe

Filesize
14KB

MD5
fdf2c28b1fd37c3b228e2780f45bed29

SHA1
6080dcd54fdaa690a17f90917b935cfca9c7cbf8

SHA256
f60dbb39270306a0eb93deaf496b71b0f71d4eea86af520fd535e7e27fd64190

SHA512
882a7a67f18d62bb8e07ab69549fff8bb6a4dabd6456c56150cd24ebdd4f33d5331bdd9d50bab5712d51a7a17c280b738b6f531b8cc2f5c83ee00a3cf5c531ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBC37.exe

Filesize
14KB

MD5
4b1596f863d65083ed6bc371e6c95825

SHA1
b55b381276e6cfd2373ed4cfcae078707e6736fc

SHA256
f0fec59ef9e6284eaaf3f4fbc295c279be117b50fbf80b73ba0255dc3087e400

SHA512
e0658cbf738ce4c93a54469a76233048e7bad48228fd6b79f3d7bf508090de0266d5167b6dc4e1c8ace4d1918fb76b8a95122eaea9b67b8df137d3a12d1764a2

Download Submit

Analysis

Sharing