45f2db7fb385a0b897ced85ad47b0dfe282b217864cf8c30eac5b5c06b632b3d

General

Target

17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe
Size

14KB
MD5

17e83badf5d724560a8a2463ea52e916
SHA1

0857485e02cd49c0c77a38788211e718f6129b78
SHA256

45f2db7fb385a0b897ced85ad47b0dfe282b217864cf8c30eac5b5c06b632b3d
SHA512

fc59563f2c43890d78ce3f53b83ea6b59f580b34707b8520961399ad35b6b078f3388be7393ded90646f08eb768a623e28c85251e9292946fef38cf4afb8a5de
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYi:hDXWipuE+K3/SSHgxmi

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEMDCD3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEM3321.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEM8940.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEMDF20.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEM8666.exe

Executes dropped EXE 6 IoCs

pid	Process
3804	DEM8666.exe
4708	DEMDCD3.exe
3528	DEM3321.exe
2228	DEM8940.exe
792	DEMDF20.exe
2728	DEM354F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8666.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDCD3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3321.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDF20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM354F.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 3804	3164	17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe	90
PID 3164 wrote to memory of 3804	3164	17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe	90
PID 3164 wrote to memory of 3804	3164	17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe	90
PID 3804 wrote to memory of 4708	3804	DEM8666.exe	94
PID 3804 wrote to memory of 4708	3804	DEM8666.exe	94
PID 3804 wrote to memory of 4708	3804	DEM8666.exe	94
PID 4708 wrote to memory of 3528	4708	DEMDCD3.exe	96
PID 4708 wrote to memory of 3528	4708	DEMDCD3.exe	96
PID 4708 wrote to memory of 3528	4708	DEMDCD3.exe	96
PID 3528 wrote to memory of 2228	3528	DEM3321.exe	98
PID 3528 wrote to memory of 2228	3528	DEM3321.exe	98
PID 3528 wrote to memory of 2228	3528	DEM3321.exe	98
PID 2228 wrote to memory of 792	2228	DEM8940.exe	100
PID 2228 wrote to memory of 792	2228	DEM8940.exe	100
PID 2228 wrote to memory of 792	2228	DEM8940.exe	100
PID 792 wrote to memory of 2728	792	DEMDF20.exe	102
PID 792 wrote to memory of 2728	792	DEMDF20.exe	102
PID 792 wrote to memory of 2728	792	DEMDF20.exe	102

C:\Users\Admin\AppData\Local\Temp\17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Users\Admin\AppData\Local\Temp\DEM8666.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8666.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Users\Admin\AppData\Local\Temp\DEMDCD3.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDCD3.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Users\Admin\AppData\Local\Temp\DEM3321.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3321.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3528
    - - C:\Users\Admin\AppData\Local\Temp\DEM8940.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8940.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Users\Admin\AppData\Local\Temp\DEMDF20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDF20.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\DEM354F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM354F.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3321.exe

Filesize
14KB

MD5
cd058993b3d755b8443a7975d5fdf1f8

SHA1
df487b0285d13e3426cd611e45aa334d99a09fb1

SHA256
39409a1f06254e5f362be981efd1df928352525895760871b4987dd504770b71

SHA512
53cf00845f91766072e428498db1b46705187a3a642cf94d422f31d5c44cffc3a0d08ba45403381ca927836a5c7d27e13beb826147cb1384a984bb0851b0da77

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM354F.exe

Filesize
14KB

MD5
8dbe81e618cf64738e2c46405a3dc777

SHA1
2732a779ae18ce9289676a36ff5e04579951a8b3

SHA256
cecb31862368b8c3a8b15261c81c5f7ab0d592582707b6c52c22ce466ded2d54

SHA512
63d83025d7be17cc2a7d306a03b4bcca618ac0a7071d5df8bb641164de1311a26428022e07e35c232f68594237fd51f0ae83e186ea662003bc0d3b699fad0e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8666.exe

Filesize
14KB

MD5
25c8318a659eb2cd51bf7709078b4893

SHA1
9697b72fcaf38515139c41d19317bc6032286c51

SHA256
71173b78485b173d14fd13894338630230afa1c6297156cafc11097f235df932

SHA512
f1b4c5cd0494542f6676fb9cafeb1a05ee564fd4d01ad028d24de15a7b2d0c09e8366454e0852bac52174aeb9a9a76f2f80379cef15aad243bdc0b26aafb0df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8940.exe

Filesize
14KB

MD5
0f6adcde86117b298ee37c36ab3b0593

SHA1
26ceb2d32e5b95ca86c9d1251f79592464968ab8

SHA256
77ee177a68ce8babadb1486270d23d1f5aaf727a44a0803e2b77635a7607c960

SHA512
8b8b6f042926652cbc4636ab4b19cf0812311f81b2d918aded2d053db5db7d698165b6c1cb1cd404a26d9c43eb90c1e743e9e63b25ccbb09d570fc810404537f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDCD3.exe

Filesize
14KB

MD5
7bafbc707b2361b638f1763b2514f57c

SHA1
78164ff40c7ddb86006e2743219199d633944e0c

SHA256
ad2e7353799deb70ffa875eab179b8ecdffa47b60559ea7e975edd650fe53c9a

SHA512
3e6769d197fa9b8f229f09cd9067f1bd87f0b2bf12400569bea8b0b0fd1387a16a04c3bf6a7d4c019bdebec654de13e8faa98815e43317ab5a9feeb4da93023c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDF20.exe

Filesize
14KB

MD5
b95d4eba810a20f4eee5c6180d6b6d5f

SHA1
b2291ec0e71e9a90bd880d949328451a4847ee81

SHA256
296fd3ae365d1d90992866850b669229c795a683d15e49e4bb49a770b47a6a2f

SHA512
dd9eeb9af0f8d232f999e8a881519d8ba9f0774d44e9dfd2aadab19a27122ea28618dbcf30c66663e2c7e04bdd42ec2e3ece8477dfd29b8176199d0b07d922fd

Download Submit

Analysis

Sharing