129a44f3fba7881220adb4ea8ce80f40550700660497b32f42b8975ec093af96

General

Target

0eaff39caf07d8c92716bf6da58e9054_JaffaCakes118.exe
Size

15KB
MD5

0eaff39caf07d8c92716bf6da58e9054
SHA1

e1061c4f36fc9672404186fe20325afe7fcc9de2
SHA256

129a44f3fba7881220adb4ea8ce80f40550700660497b32f42b8975ec093af96
SHA512

1f03e0e2765c965c097bed74005590ed1763e90c7f23be94e8445a3c01261410082101f67bf81639026625d6dabe96a5f61baef2c1451abf99caae8cd925c284
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxDr:hDXWipuE+K3/SSHgxmHtr

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEM34D6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEM8B34.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEME1A1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	0eaff39caf07d8c92716bf6da58e9054_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEM87BE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEMDEB7.exe

Executes dropped EXE 6 IoCs

pid	Process
648	DEM87BE.exe
3748	DEMDEB7.exe
1656	DEM34D6.exe
956	DEM8B34.exe
4700	DEME1A1.exe
3192	DEM380E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDEB7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM34D6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8B34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME1A1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM380E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0eaff39caf07d8c92716bf6da58e9054_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM87BE.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 648	2016	0eaff39caf07d8c92716bf6da58e9054_JaffaCakes118.exe	90
PID 2016 wrote to memory of 648	2016	0eaff39caf07d8c92716bf6da58e9054_JaffaCakes118.exe	90
PID 2016 wrote to memory of 648	2016	0eaff39caf07d8c92716bf6da58e9054_JaffaCakes118.exe	90
PID 648 wrote to memory of 3748	648	DEM87BE.exe	94
PID 648 wrote to memory of 3748	648	DEM87BE.exe	94
PID 648 wrote to memory of 3748	648	DEM87BE.exe	94
PID 3748 wrote to memory of 1656	3748	DEMDEB7.exe	96
PID 3748 wrote to memory of 1656	3748	DEMDEB7.exe	96
PID 3748 wrote to memory of 1656	3748	DEMDEB7.exe	96
PID 1656 wrote to memory of 956	1656	DEM34D6.exe	98
PID 1656 wrote to memory of 956	1656	DEM34D6.exe	98
PID 1656 wrote to memory of 956	1656	DEM34D6.exe	98
PID 956 wrote to memory of 4700	956	DEM8B34.exe	100
PID 956 wrote to memory of 4700	956	DEM8B34.exe	100
PID 956 wrote to memory of 4700	956	DEM8B34.exe	100
PID 4700 wrote to memory of 3192	4700	DEME1A1.exe	102
PID 4700 wrote to memory of 3192	4700	DEME1A1.exe	102
PID 4700 wrote to memory of 3192	4700	DEME1A1.exe	102

C:\Users\Admin\AppData\Local\Temp\0eaff39caf07d8c92716bf6da58e9054_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0eaff39caf07d8c92716bf6da58e9054_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\DEM87BE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM87BE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Users\Admin\AppData\Local\Temp\DEMDEB7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDEB7.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Users\Admin\AppData\Local\Temp\DEM34D6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM34D6.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Users\Admin\AppData\Local\Temp\DEM8B34.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8B34.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:956
      - C:\Users\Admin\AppData\Local\Temp\DEME1A1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME1A1.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\DEM380E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM380E.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM34D6.exe

Filesize
15KB

MD5
63d5a28d1fd28c4faaffbd9afe396e3c

SHA1
f630293be6de7a62a7ae0c8c0e292e1ade15bb54

SHA256
ef7fa05a6eee6ffc7899c222d343dc97d281104d04ba08933d2a56f3232ad605

SHA512
5e912d28c2f4b473738118dd31fc0c84bcb36b3a6348062d8794251e36d97a179f679c64473cc7420c4b34fc94dd2af70f62bee5378c9e204e9a8b9c8738864f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM380E.exe

Filesize
15KB

MD5
243b520ceb55181f4e94b299378cb2cc

SHA1
70e3f866422b2010c57c68d6a798f3591b591c57

SHA256
8058af60741d945d8ed428fbe353f6bc01a4fed0c948cca914f07e53c2b65e34

SHA512
599bd194cb17ca1eca99084a0c0c8ace71d00807444d4c7718f0dc68cfe0bb3cce766ffc57a517aba2e57380160b739f67ef6d7c55e28c7de2f3edda80de8c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM87BE.exe

Filesize
15KB

MD5
635561589946c70942e5c4f50727b989

SHA1
13453d21bfaf190a0ef5d842b16086ec40235cec

SHA256
3881d3899653fdb18dd965d79790661cb15ec8d2099ff89403fdb7110c4b0f8a

SHA512
52fa9d71898d42393ba0c578a427902e5e6ed3dbf429e0834ac2d838ead8a961f826e285b4f65db3627129159e344b12ffb0296be398945f9d8ce88e0b6db736

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8B34.exe

Filesize
15KB

MD5
671fbbdb4f61784216fff13bdc82ed52

SHA1
795f16a397e857f646e0b711324499ed2fc2ecbf

SHA256
818d36f3d0590732bbe1c38cc52d8929f462af0f1e1d424789d32cd587d1ab2f

SHA512
82950e88969d028c41105152fcccf6e6d9fe2c8b29efb340a0e281b9d15c9acda9e18ca26d014a690ce2c2eaf70901e5972b3d30c511c36d9dad260725c00857

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDEB7.exe

Filesize
15KB

MD5
e6aeb1071fa09d6a14c4351ede26d519

SHA1
207ead8049962082d3f4d1cef51285ba445b24a0

SHA256
c893c257e04eae9818cde7896048674df02650584a48c3bb36fc4c3b0a839f5a

SHA512
f13d2a65f724d6ff321a1fb598f80f01d9834fc4d63f21f32cc56c8fb72fac9dd320fc4c3eedf6b2641d1abf9bceb8cef6dd51a577169897dbaa018490149726

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME1A1.exe

Filesize
15KB

MD5
ac94738a1675469b88943ea6b574f7ca

SHA1
2341aabe2067514e2697d4905785652b6369bb91

SHA256
5520fe25e803d790399760de6a79dfca76f7eed3ed8adc0b4b96ffe6fbfe3644

SHA512
069b740a43c726efca79c28187e27d6a829ac2603b274cc1e3477433a6e7f66ded1880536a769f08931b87a9d98e68cdf42c32c8e7d12d72a9255f4f51fb991f

Download Submit

Analysis

Sharing