002fff90876f89c4eaa64fdce86aac9da8808c5eb79de92195a7b6a582786ad6

General

Target

26b18b6d1b9b57ca5ce68bfa0d49edcc_JaffaCakes118.exe
Size

14KB
MD5

26b18b6d1b9b57ca5ce68bfa0d49edcc
SHA1

e6cc221e858bd2dff57fe9b2484082c50a5e7c1b
SHA256

002fff90876f89c4eaa64fdce86aac9da8808c5eb79de92195a7b6a582786ad6
SHA512

380bcd34df74d4c29a7ec9cd29666768830ae92ab20cf797193ee5b0caa6430fa95a47496f4ca75ff875f1c75dd218eaf6ec19f6998b037e21a85c8b316efdab
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYWmbSH+:hDXWipuE+K3/SSHgxmWmbSe

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	26b18b6d1b9b57ca5ce68bfa0d49edcc_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM9923.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEMEFA0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM45CE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM9BAE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEMF1BE.exe

Executes dropped EXE 6 IoCs

pid	Process
4564	DEM9923.exe
876	DEMEFA0.exe
4588	DEM45CE.exe
3084	DEM9BAE.exe
1824	DEMF1BE.exe
1176	DEM47AE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9BAE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF1BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM47AE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26b18b6d1b9b57ca5ce68bfa0d49edcc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9923.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEFA0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM45CE.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 4564	3476	26b18b6d1b9b57ca5ce68bfa0d49edcc_JaffaCakes118.exe	87
PID 3476 wrote to memory of 4564	3476	26b18b6d1b9b57ca5ce68bfa0d49edcc_JaffaCakes118.exe	87
PID 3476 wrote to memory of 4564	3476	26b18b6d1b9b57ca5ce68bfa0d49edcc_JaffaCakes118.exe	87
PID 4564 wrote to memory of 876	4564	DEM9923.exe	93
PID 4564 wrote to memory of 876	4564	DEM9923.exe	93
PID 4564 wrote to memory of 876	4564	DEM9923.exe	93
PID 876 wrote to memory of 4588	876	DEMEFA0.exe	95
PID 876 wrote to memory of 4588	876	DEMEFA0.exe	95
PID 876 wrote to memory of 4588	876	DEMEFA0.exe	95
PID 4588 wrote to memory of 3084	4588	DEM45CE.exe	97
PID 4588 wrote to memory of 3084	4588	DEM45CE.exe	97
PID 4588 wrote to memory of 3084	4588	DEM45CE.exe	97
PID 3084 wrote to memory of 1824	3084	DEM9BAE.exe	99
PID 3084 wrote to memory of 1824	3084	DEM9BAE.exe	99
PID 3084 wrote to memory of 1824	3084	DEM9BAE.exe	99
PID 1824 wrote to memory of 1176	1824	DEMF1BE.exe	101
PID 1824 wrote to memory of 1176	1824	DEMF1BE.exe	101
PID 1824 wrote to memory of 1176	1824	DEMF1BE.exe	101

C:\Users\Admin\AppData\Local\Temp\26b18b6d1b9b57ca5ce68bfa0d49edcc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26b18b6d1b9b57ca5ce68bfa0d49edcc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Users\Admin\AppData\Local\Temp\DEM9923.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9923.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\DEMEFA0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMEFA0.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\DEM45CE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM45CE.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Users\Admin\AppData\Local\Temp\DEM9BAE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9BAE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3084
      - C:\Users\Admin\AppData\Local\Temp\DEMF1BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF1BE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\DEM47AE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM47AE.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM45CE.exe

Filesize
14KB

MD5
e8323a11fa094f88bb2b6b21137f4d9a

SHA1
0ef0669df08154b20b510d4272d14df823c414a4

SHA256
e2b39df50195ca786b94edd09d0abacb8d1f9ad5105c5ccfd35df1c444e0cd60

SHA512
d64a933865bfa77e86e12b157fec8bdc487ef4a2724d53d79680006da400781af7bc78863caf7b064010882c920b07ce13a1a8c91f6347df48d8f2de31da45f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM47AE.exe

Filesize
14KB

MD5
9b8bc5516a85927dd552549cf8cbd678

SHA1
77a8740a10b05b424cd1dffdbd9cf014a3f01494

SHA256
8910276bcb0907dd8104ca4b5b32d97a6be120ff901e5209f903587ee33d7f68

SHA512
9421fca7817ef057c44c60bf15e512886e8e63d30f7228d2f47da9bc2f1524770aa69f9fe05a8187b1a58b607cedd0722b78048be50b72c541eb4001c20c96e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9923.exe

Filesize
14KB

MD5
3b41c82a257ad3e0e25b38cd146e95fb

SHA1
16ee9a15ebc4a554f5b68effcb524c7a2cd4c442

SHA256
c267cd4d021aa357511d576b935b63e54c6cb23fe7539f92e98ea330b7a09142

SHA512
643b92267262158e320fc13b224c43d119d4eea1414978d680617680da65bf9a611a846280b387b14491648971a0aed4aac506a23affcdc44b1b9d44c9fad8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9BAE.exe

Filesize
14KB

MD5
2532093a5f9041951bb0877adad047a8

SHA1
12b2f1ba7239eaa1b47746f64c7fb1aa222f4a40

SHA256
c5f7f472146aa2b5c75cf7e01c47e43dcaf79e3030299caf7b31620dcd6e2ba8

SHA512
61814546287b15151340ced2a423d9be81410c5cc84f31f087e94ec20feb7992c024951273dbc6814fdd0bcdc045febb4d900b32e6e8dd662b1769ccc84d1fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEFA0.exe

Filesize
14KB

MD5
b6cb3d84ae781b7da855a83893949ed3

SHA1
01e497de7cfa3d65456c953db7205f3bad155a93

SHA256
4063dfe407c0baa1e3a1a551fbc11da678ad1f9b783ecd97b10b4c9a4c036d03

SHA512
f5d4335b55a939255976716b8d18e74a001b8e4c8a77df0045cced17be02ef121f8262fa425937580d7f91f94346297689d81714f75de120d58122e1d8ea543c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF1BE.exe

Filesize
14KB

MD5
230c1aa260e24304dea36309153f4043

SHA1
8c8624ff9942f9047788df0cf8d0cffa848b1eea

SHA256
765fb5f5153896f159adac0a99bbc83c5bbed4db42655c3e97dce6b81769bfa4

SHA512
2f4cef3373fff01e12e7ad2ba4f085f953c44f3d38f1833b7380345b1befc31a3f7bcd81b8e749c954be423da82f4634646e595c6272ca992c4575f89529d905

Download Submit

Analysis

Sharing