03171fa73828cef5ff6d97d95eefb9b6fcaa9c196007643faf3862175affd3aa

General

Target

09dad4a47dda1d2a5124732720233a41_JaffaCakes118.exe
Size

14KB
MD5

09dad4a47dda1d2a5124732720233a41
SHA1

f9b6b86eaaca95a628d8b94c5dcd46f1991f92c6
SHA256

03171fa73828cef5ff6d97d95eefb9b6fcaa9c196007643faf3862175affd3aa
SHA512

c0c564d36c6ea7edbba9613859fe4de8334e74c8b4405185305dfc9528208df0ae107ccefafbabcefac86046a22d3fefc6946ef3ab9e1fc82ff5f1317eba7371
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYWmbY:hDXWipuE+K3/SSHgxmWmbY

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	09dad4a47dda1d2a5124732720233a41_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEM9B94.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEMF25F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEM482F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEM9E6E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEMF4BB.exe

Executes dropped EXE 6 IoCs

pid	Process
976	DEM9B94.exe
3856	DEMF25F.exe
2196	DEM482F.exe
1716	DEM9E6E.exe
3428	DEMF4BB.exe
3456	DEM4AAB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9B94.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF25F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM482F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9E6E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF4BB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4AAB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09dad4a47dda1d2a5124732720233a41_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 976	4508	09dad4a47dda1d2a5124732720233a41_JaffaCakes118.exe	90
PID 4508 wrote to memory of 976	4508	09dad4a47dda1d2a5124732720233a41_JaffaCakes118.exe	90
PID 4508 wrote to memory of 976	4508	09dad4a47dda1d2a5124732720233a41_JaffaCakes118.exe	90
PID 976 wrote to memory of 3856	976	DEM9B94.exe	94
PID 976 wrote to memory of 3856	976	DEM9B94.exe	94
PID 976 wrote to memory of 3856	976	DEM9B94.exe	94
PID 3856 wrote to memory of 2196	3856	DEMF25F.exe	96
PID 3856 wrote to memory of 2196	3856	DEMF25F.exe	96
PID 3856 wrote to memory of 2196	3856	DEMF25F.exe	96
PID 2196 wrote to memory of 1716	2196	DEM482F.exe	98
PID 2196 wrote to memory of 1716	2196	DEM482F.exe	98
PID 2196 wrote to memory of 1716	2196	DEM482F.exe	98
PID 1716 wrote to memory of 3428	1716	DEM9E6E.exe	100
PID 1716 wrote to memory of 3428	1716	DEM9E6E.exe	100
PID 1716 wrote to memory of 3428	1716	DEM9E6E.exe	100
PID 3428 wrote to memory of 3456	3428	DEMF4BB.exe	102
PID 3428 wrote to memory of 3456	3428	DEMF4BB.exe	102
PID 3428 wrote to memory of 3456	3428	DEMF4BB.exe	102

C:\Users\Admin\AppData\Local\Temp\09dad4a47dda1d2a5124732720233a41_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09dad4a47dda1d2a5124732720233a41_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Users\Admin\AppData\Local\Temp\DEM9B94.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9B94.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Users\Admin\AppData\Local\Temp\DEMF25F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF25F.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Users\Admin\AppData\Local\Temp\DEM482F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM482F.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Users\Admin\AppData\Local\Temp\DEM9E6E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9E6E.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1716
      - C:\Users\Admin\AppData\Local\Temp\DEMF4BB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF4BB.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\DEM4AAB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4AAB.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM482F.exe

Filesize
14KB

MD5
f611fc01b960c2d2aba118a44414e7f8

SHA1
d15985fb4948f83937fc6cbcd6aa28dc54236727

SHA256
bf53815423bfa99976173309530f86c03fe132f92cb26d578a72188df18d8366

SHA512
3ca06027febd2f00ac4fb1b3b37a0ef064184080485f3ca361f4e8445ca309aceda4c9882d38fa2898ba29fb565d3fb81bf5b871c5014b78f0b01f28ebbab871

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4AAB.exe

Filesize
14KB

MD5
49ff8c6e321229c7eaf80770ffbc7da7

SHA1
37b73c57b64d4b0ec4632c3d91cdfe93639cdf33

SHA256
8d15424670700ac6b45c1e50a71ad3d8e2d5c926b4804d683fbd5c7e491e165e

SHA512
e2ca2ea5bf3e6be0bb7485ff35b364c1afed9633c389592c259fb42dd8097eea5859651c4e1df6a0fc1fed8f10e36661a1575f674adb0e0107631f82558fee12

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9B94.exe

Filesize
14KB

MD5
83e4a21c4195245d8e45d3ed719f9340

SHA1
b3c072ea02ea147cba092305c090548b80a3d33b

SHA256
7a24937dcf53007bc0c615a8370410575dd1dc76b4352c88524107242e1eaaee

SHA512
888749a77a9a5126f4f0cb62cd90959413a23bc8fe3d5b7f78acc00d6e74c1a450b6fad30a0563fa7272dcd8cd34c4c948250788915883d5054170b15e65b3df

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9E6E.exe

Filesize
14KB

MD5
fcb735dbabcdedbbb20b9eb968dceebe

SHA1
5415b135f0e98182413a1939fcc346e527e5ce9c

SHA256
9882a0e0e9844acd3dc81d94b5e3b70533897778553d7ad09b324e26e9091b45

SHA512
74f0bab5d94c4a76d47b3d4ece7033c95d34560865344203c1b7bddb087d19197853c25379414403cf10e923ac528ea8113e49d1cfb12f188865575af75cd3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF25F.exe

Filesize
14KB

MD5
1086075ebb3c75573dbfa3fd4c4a7e18

SHA1
a1e3059c39341c7df4066c0dfe283aefbc706e6f

SHA256
388cc425c038138dc2b0786350a413ca28cf21e8396170f0723427926403995b

SHA512
6cd10e80348ddc3c36184395d5f854299062982b24ee5b026f38ad329c3465706c333d5979900edb00c00e5efcee1b0272e282786c4a0d35bd0357418bb1bc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF4BB.exe

Filesize
14KB

MD5
f447e6d783a3ed8fd9d9adaaaf1de51a

SHA1
ccaa959068ad7ed220197e250715f76c94165f70

SHA256
9be8d81c12572e1f30e8dda50427f71bf90808b74a29ea33d5c0114bb2f91254

SHA512
e7930e6c7162406196213e8b9c41676149c65b14062de055b22d17d07aab73c210dfb74f35c13770a2777e9dec014b2c83fa20b6f2677eb059f24478140201f1

Download Submit

Analysis

Sharing