725cb9b2b3c972aaf75cdeb2e4115207b640a47b88deb9c8e9eecde73a5416b2

General

Target

0b888247f1614d039f4c5339b243bcd8_JaffaCakes118.exe
Size

14KB
MD5

0b888247f1614d039f4c5339b243bcd8
SHA1

f85d7f206be2e15f83f0f9c762935e2e1f9a8ff1
SHA256

725cb9b2b3c972aaf75cdeb2e4115207b640a47b88deb9c8e9eecde73a5416b2
SHA512

90221b5b6089196d584d2d58e5f6a3920d4903205559dfc9d9699989f31455cf8bea03e3b70614a5297fa3d309dfeee9f570fc0ca2e9b55376bda5620c93192f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYqNq:hDXWipuE+K3/SSHgxmqA

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	0b888247f1614d039f4c5339b243bcd8_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEMCA64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEM2110.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEM770F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEMCD4E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEM2409.exe

Executes dropped EXE 6 IoCs

pid	Process
1792	DEMCA64.exe
4504	DEM2110.exe
2880	DEM770F.exe
1956	DEMCD4E.exe
5056	DEM2409.exe
4164	DEM7A08.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7A08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b888247f1614d039f4c5339b243bcd8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCA64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2110.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM770F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCD4E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2409.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1792	1032	0b888247f1614d039f4c5339b243bcd8_JaffaCakes118.exe	90
PID 1032 wrote to memory of 1792	1032	0b888247f1614d039f4c5339b243bcd8_JaffaCakes118.exe	90
PID 1032 wrote to memory of 1792	1032	0b888247f1614d039f4c5339b243bcd8_JaffaCakes118.exe	90
PID 1792 wrote to memory of 4504	1792	DEMCA64.exe	94
PID 1792 wrote to memory of 4504	1792	DEMCA64.exe	94
PID 1792 wrote to memory of 4504	1792	DEMCA64.exe	94
PID 4504 wrote to memory of 2880	4504	DEM2110.exe	96
PID 4504 wrote to memory of 2880	4504	DEM2110.exe	96
PID 4504 wrote to memory of 2880	4504	DEM2110.exe	96
PID 2880 wrote to memory of 1956	2880	DEM770F.exe	98
PID 2880 wrote to memory of 1956	2880	DEM770F.exe	98
PID 2880 wrote to memory of 1956	2880	DEM770F.exe	98
PID 1956 wrote to memory of 5056	1956	DEMCD4E.exe	100
PID 1956 wrote to memory of 5056	1956	DEMCD4E.exe	100
PID 1956 wrote to memory of 5056	1956	DEMCD4E.exe	100
PID 5056 wrote to memory of 4164	5056	DEM2409.exe	102
PID 5056 wrote to memory of 4164	5056	DEM2409.exe	102
PID 5056 wrote to memory of 4164	5056	DEM2409.exe	102

C:\Users\Admin\AppData\Local\Temp\0b888247f1614d039f4c5339b243bcd8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b888247f1614d039f4c5339b243bcd8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\AppData\Local\Temp\DEMCA64.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCA64.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\DEM2110.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM2110.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Users\Admin\AppData\Local\Temp\DEM770F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM770F.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Users\Admin\AppData\Local\Temp\DEMCD4E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCD4E.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Users\Admin\AppData\Local\Temp\DEM2409.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2409.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\DEM7A08.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7A08.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2110.exe

Filesize
14KB

MD5
b923a01b1652ca766a1e9aa1baeeeda4

SHA1
d9649427991fc22d0040c5fee3902ab697b85645

SHA256
0cf8fd2f6fd2e78f06a3e19fa8a1a326a41e0fbfa2f1de63c77407346f95a381

SHA512
223370bca00c19fd10f7dcf93df23860c74f3fe922c9163ebe392a493bfad09cee88748e689dc69716ed20838a70bfc39aa4be5f97a89d1f3926b48364f4c2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2409.exe

Filesize
14KB

MD5
3026448f3aa7a67fd26124301ec2c14d

SHA1
53f285080ab29b8c8be943ef16f44717ef3d0e74

SHA256
b302fb28b7e6d49a7dc469f64be3cbbe3d8985ecb1fa77bb74e1f3104438e20f

SHA512
073f070a5e210846c30669c7b8274c7df7b8eb26c69d2f5aa81118e716b862615e898c6546663597732d93b415457497791524af42e86bb8df361fa080243e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM770F.exe

Filesize
14KB

MD5
878a21d1b98c9a8410de32aed81c295e

SHA1
8599755aeba402980b1a054cebbc098b82bfaf13

SHA256
a2cfb7ac9cc925782ac7798ac0871981b11dfb89474ae205f55cf6df1ced0436

SHA512
41f9b9f1c7d2fd75ade2db439bc0fced057f9e04fc597397993a6abef0fbbdfd831ed1e8886cc94a58150a7e7ab8d499104f54bef121942177cfcf4863fd7800

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7A08.exe

Filesize
14KB

MD5
69360f442e70d6dc77106a4c1244bfeb

SHA1
48d7bc4fbc707a010f4cfdb8cc3c60f42a958b2f

SHA256
4870dde17d84a9c0bac8a0cf752981204f75caa313ab261f221e50f4b1a1ab2e

SHA512
0721b0c92f55df081bcdef4c06c3fb1a5becde38b24a3a65f010c0efcbbb5cafb5fcd103b286a2f558c66c59a548dc2dc36ddbc011ad9d0ab53ec3b8dd345eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCA64.exe

Filesize
14KB

MD5
e97717d914b3da403660e7024e36b556

SHA1
95e2f79c91f48048dd64e6ef5c3fc5b393d4e3d8

SHA256
939c0f6b47f99a81563393c497aa122f45eda0bd275a5c4ba962671f8448e809

SHA512
bac1d2cdd655fd78e1514109de80319a2a28e17e5f21aad20d45b3865c6727f57d60572c388d4f7b62da6c793a7d3f304c157610f3c54feb9b4c681cae1f3183

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCD4E.exe

Filesize
14KB

MD5
4fdf4169ba480a97ffe017aa61662b5d

SHA1
37fde4c4217b1a6d5aed6943294ed593c409991c

SHA256
b25f9913d1f8d5d414a2c35aa18ff9c1b81c289193b14cc99eaeac8ab178ba50

SHA512
604e37d057e70f8fc341d6185ef147c9f276949c4b430979e3047ca9eb13cc5fee843efb3738a5f1d655ab784c19693df52993e26799c081b79bf16f255a040b

Download Submit

Analysis

Sharing