60856fe8482547c19e743a1ccfa6264c8d2f6584ab2764019c43d32df46d7cd4

General

Target

17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe
Size

14KB
MD5

17ce1129878d4a18b153c487f87f4f50
SHA1

bbf24086466ed820af34d2e7ba46b91096c32477
SHA256

60856fe8482547c19e743a1ccfa6264c8d2f6584ab2764019c43d32df46d7cd4
SHA512

d57aa78751492e176f50302b8061676ed957dcd08c041627d1dff438cea2a7eb50f88a6c2b01ab8c185a01bf510123c1d84ed03be3d75b74d30b60d38ab61ae1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh0:hDXWipuE+K3/SSHgxS

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEM8ADB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEME186.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEM37B5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEM8E12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEME450.exe

Executes dropped EXE 6 IoCs

pid	Process
3164	DEM8ADB.exe
3824	DEME186.exe
3048	DEM37B5.exe
2008	DEM8E12.exe
4556	DEME450.exe
2136	DEM3ACD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME450.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3ACD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8ADB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME186.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM37B5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8E12.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 3164	3624	17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe	90
PID 3624 wrote to memory of 3164	3624	17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe	90
PID 3624 wrote to memory of 3164	3624	17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe	90
PID 3164 wrote to memory of 3824	3164	DEM8ADB.exe	94
PID 3164 wrote to memory of 3824	3164	DEM8ADB.exe	94
PID 3164 wrote to memory of 3824	3164	DEM8ADB.exe	94
PID 3824 wrote to memory of 3048	3824	DEME186.exe	96
PID 3824 wrote to memory of 3048	3824	DEME186.exe	96
PID 3824 wrote to memory of 3048	3824	DEME186.exe	96
PID 3048 wrote to memory of 2008	3048	DEM37B5.exe	98
PID 3048 wrote to memory of 2008	3048	DEM37B5.exe	98
PID 3048 wrote to memory of 2008	3048	DEM37B5.exe	98
PID 2008 wrote to memory of 4556	2008	DEM8E12.exe	100
PID 2008 wrote to memory of 4556	2008	DEM8E12.exe	100
PID 2008 wrote to memory of 4556	2008	DEM8E12.exe	100
PID 4556 wrote to memory of 2136	4556	DEME450.exe	102
PID 4556 wrote to memory of 2136	4556	DEME450.exe	102
PID 4556 wrote to memory of 2136	4556	DEME450.exe	102

C:\Users\Admin\AppData\Local\Temp\17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Users\Admin\AppData\Local\Temp\DEM8ADB.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8ADB.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Users\Admin\AppData\Local\Temp\DEME186.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME186.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Users\Admin\AppData\Local\Temp\DEM37B5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM37B5.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Users\Admin\AppData\Local\Temp\DEM8E12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8E12.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Users\Admin\AppData\Local\Temp\DEME450.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME450.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\DEM3ACD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3ACD.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM37B5.exe

Filesize
14KB

MD5
2589ec6b44821b727fc582779f7a7a4a

SHA1
80ba04dd341309b149bd564e30d658093f1eca76

SHA256
f34984a691d27c9963df68f741f073c5c75d455409f09fe03ec944966cfdd0b6

SHA512
6ebba5db693a04917c854901cc794b14bc218a3ba45a0eba205b23b8a41c25a4f9dd479a70c51731e2ad0350ef2242a6bbba6d361cfd96fe906f3984c325582a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3ACD.exe

Filesize
14KB

MD5
837f1b92400b616d83477cf1b0c0ec84

SHA1
94c59b910b24ea21c7e4898d117cda332e7ebfe2

SHA256
7e8d4c8d702a1d33da8ac2f9765917f548751aab4cd87cec51385baeb0902272

SHA512
5d59ea31728825f28c0843d3d45cb89f32b8350bdc482c5ff0b77cd5632a53935435f1b5bc829bf8e99d786e2e791992c535c462cfef20ef57dbcf9e43e496f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8ADB.exe

Filesize
14KB

MD5
4a88bc0a1487a192558c6e36e4937dd8

SHA1
0f19d9150147e8a6a4aba788c308f640a485a07f

SHA256
010db036a41ad0c2792fd5efb8b269e6db31abb3a55baa7e883507f337d41216

SHA512
7c4dc33c3b0e77c0d0127d7bd33984929c990bf5be6fc5e5db8f8c50c98c428cdd440498c6937605ee02364ec3ade12aef6f91bcbe6d41af8538c6b5577dd488

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8E12.exe

Filesize
14KB

MD5
06640ab3ff6860a3f6a2c38c3ac3f45c

SHA1
868e6994b8325cfb6000a09f60d0a1b2777eb3f3

SHA256
3216c938d626409fbde98f4f385b77b59feaddea241c4814dcdb4bc1c3c7724c

SHA512
001699e246501267eab844bf683b2bdb9437e2fdb5229abc6b4ffa8825cc5ac2895b29410294417187495a70c5191ecd40f0ac80c889ea09c8e6b25472caea0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME186.exe

Filesize
14KB

MD5
ad53615ca1c33f31ca46b1e089990528

SHA1
7365de3f4188ee34260862273014333c2ff437b9

SHA256
bc53cc7d5d9b8b0e97b1dff47d02a251ba3c3ac3600780042c13487bf39f55cb

SHA512
46cdd6ea19a66e1a23a6cb48925e7051c2283913e3a75eba8eed723c001ebcbdb003d0fca588fa90cfc441473ac6493d5f6f6bf6c21f198555f59a0acf8ddd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME450.exe

Filesize
14KB

MD5
be9630d6f7b0c9956ae84d8ceeebfc11

SHA1
b0fa2990e3ef6cbfdb3b64d54235b5ddffae9645

SHA256
abac69b77de9ab1078507fea26e2c22b782fb19304640b370c8eb2d6ddfc08e6

SHA512
949e16380da2a908e1f6b6a90b7c12f9b4e96f0f5849d2855e0a2b3b35a469229fb5597becc44203702debac14cfde6fd2825cae359a65c6439f2049896f7b07

Download Submit

Analysis

Sharing