1e6aa573c08c3e33f848576d62f99387fb8d23902530c40ed946a6e363f21445

General

Target

15dcdae961d3953948845deb0e8bfcbe_JaffaCakes118.exe
Size

14KB
MD5

15dcdae961d3953948845deb0e8bfcbe
SHA1

9fd7b608fd42fd504556828bec00b42956c9a845
SHA256

1e6aa573c08c3e33f848576d62f99387fb8d23902530c40ed946a6e363f21445
SHA512

b39b31022593e88d934ae42f4b769de317d8a3f27c20fcd8342eecc6a826ea5cd2682e485a0f29df2687bc4a34572ea0ec17d65bbf7ef0686c547dbbeee7edad
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYqNG:hDXWipuE+K3/SSHgxmqY

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	15dcdae961d3953948845deb0e8bfcbe_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEM8405.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEMDAEF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEM312D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEM876B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEMDD5B.exe

Executes dropped EXE 6 IoCs

pid	Process
2756	DEM8405.exe
2916	DEMDAEF.exe
2224	DEM312D.exe
4472	DEM876B.exe
4324	DEMDD5B.exe
2256	DEM333B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDAEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM312D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM876B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDD5B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM333B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15dcdae961d3953948845deb0e8bfcbe_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8405.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 2756	3980	15dcdae961d3953948845deb0e8bfcbe_JaffaCakes118.exe	87
PID 3980 wrote to memory of 2756	3980	15dcdae961d3953948845deb0e8bfcbe_JaffaCakes118.exe	87
PID 3980 wrote to memory of 2756	3980	15dcdae961d3953948845deb0e8bfcbe_JaffaCakes118.exe	87
PID 2756 wrote to memory of 2916	2756	DEM8405.exe	94
PID 2756 wrote to memory of 2916	2756	DEM8405.exe	94
PID 2756 wrote to memory of 2916	2756	DEM8405.exe	94
PID 2916 wrote to memory of 2224	2916	DEMDAEF.exe	96
PID 2916 wrote to memory of 2224	2916	DEMDAEF.exe	96
PID 2916 wrote to memory of 2224	2916	DEMDAEF.exe	96
PID 2224 wrote to memory of 4472	2224	DEM312D.exe	98
PID 2224 wrote to memory of 4472	2224	DEM312D.exe	98
PID 2224 wrote to memory of 4472	2224	DEM312D.exe	98
PID 4472 wrote to memory of 4324	4472	DEM876B.exe	100
PID 4472 wrote to memory of 4324	4472	DEM876B.exe	100
PID 4472 wrote to memory of 4324	4472	DEM876B.exe	100
PID 4324 wrote to memory of 2256	4324	DEMDD5B.exe	102
PID 4324 wrote to memory of 2256	4324	DEMDD5B.exe	102
PID 4324 wrote to memory of 2256	4324	DEMDD5B.exe	102

C:\Users\Admin\AppData\Local\Temp\15dcdae961d3953948845deb0e8bfcbe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15dcdae961d3953948845deb0e8bfcbe_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Users\Admin\AppData\Local\Temp\DEM8405.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8405.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\DEMDAEF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDAEF.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\DEM312D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM312D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Users\Admin\AppData\Local\Temp\DEM876B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM876B.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4472
      - C:\Users\Admin\AppData\Local\Temp\DEMDD5B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDD5B.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\DEM333B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM333B.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM312D.exe

Filesize
14KB

MD5
8ba377de8e0786ede87fa21357995ce6

SHA1
645a04d2bdccb0e173572fbedf43bbaee29d4019

SHA256
6a5966cca92f5e96fc418bd1aeddcb061d338d5b51b68da0e225ab73bbaf5f57

SHA512
5dafc11e00564e7dbc030bdf90ebb7c4694f9d5dbba8cb6f03c5150de3136b2898ffd0326a8e18f73b7e330163ce73472a99764cc5575fdeabf48d286cce92e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM333B.exe

Filesize
14KB

MD5
586ae3429eec0c002c4f67d34f47bb8e

SHA1
857b40dc5e890d274336c34ee3b8f37ddd1c40b7

SHA256
74293a9fed09fefd89eeeedc2da50c567ef2fb0abc2157b2b39a38975e3588b5

SHA512
630124681327b7f88d06455f2ae329ed924035d1404e5e0faeaf4962f570497afab946c1b1624c2300af3e4b4b01392b927f8e35594bb5aca7743c2fdf9600b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8405.exe

Filesize
14KB

MD5
f872fb49233f157068a21fcfe5e2999a

SHA1
26801fc61d43c6d8930de94791f39cc135cb5fd7

SHA256
95e309bd2cf975149bffc876e9c60286e81dc78dc7630f3c348a8d7ba6ed699f

SHA512
c4ee48b63815f76a6169ff31585b78436ea6536e2a1d19e52f8ca44d7bf6fa80d7c10b8e0509f101000192c454b1478759b0fcdd610d4b7dba3eacd7a0b79e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM876B.exe

Filesize
14KB

MD5
6aad1c705415355c9411b2bb7538ce54

SHA1
72a426a101073930cf1b1be49b01668cd95299f3

SHA256
840fefbff5356f674db4d148fb7959315476a11f99752d0cd673f933a9abe0c0

SHA512
f13f3bf3b10c3229595337d3f266a01eed58b74cb1a8f064523acce2303762f322849cb3eac6650a5abd7a0e8e87c62ad3caf530ea2e5e9decd7d7f2c7775ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDAEF.exe

Filesize
14KB

MD5
d32f6d8b801c73b359ffe972faf0617f

SHA1
92b5b080e3a256f676e39cc40edc255f1886d464

SHA256
fb0f1f6b5e0dc267a18bbbd6e85dd7b4156c192cb7e5b4efdbf6565faec683a3

SHA512
976240dfef54672e46f512f876d101486d5ef8c5a409e4809556374461ba7be53414dce0d89fca9e79f9ca0e0ccd5eb8409cecfe83c7b8e95c920320a78dcdb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDD5B.exe

Filesize
14KB

MD5
98840a2297f64f433a8c3a787995dfbc

SHA1
ad3f1e862f0ea4d7d3ef67e570ae3ff4ca8e4b17

SHA256
59721fa1291167b814302f3051ea83bbe3fa55b04303b892f3ad0db479105021

SHA512
375f3114881791c207fdcd4a208c2b7eeeececd160d6748c42665173716f795d9a3782ec6d1159ccff112f6596deff02fe232e8c858d6b924091f0bd1ac7c95d

Download Submit

Analysis

Sharing