1014b6ff9c9a4e8b83d4bd707980f337566a9ee34c971dc7cf537cb2d4ca88ca

General

Target

2a27e93605c5d0168a5d8a10be858013_JaffaCakes118.exe
Size

14KB
MD5

2a27e93605c5d0168a5d8a10be858013
SHA1

2dff4df9f05d87cf24714cfbb0de9bbc11291923
SHA256

1014b6ff9c9a4e8b83d4bd707980f337566a9ee34c971dc7cf537cb2d4ca88ca
SHA512

f9ad3272c95905e618cc7114156e61236991e755f255799cdf4556cb3bb4afe73552df6b88d2d4ad88ae4fe7452eade12a06ca3780b38aef6ee6bdff66b7613c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZKa:hDXWipuE+K3/SSHgx3b

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEMCB5E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEM21DB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEM7867.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEMCE76.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEM24D4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	2a27e93605c5d0168a5d8a10be858013_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3864	DEMCB5E.exe
2352	DEM21DB.exe
1472	DEM7867.exe
2092	DEMCE76.exe
436	DEM24D4.exe
2808	DEM7B02.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCE76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM24D4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7B02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a27e93605c5d0168a5d8a10be858013_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCB5E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM21DB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7867.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 3864	2308	2a27e93605c5d0168a5d8a10be858013_JaffaCakes118.exe	87
PID 2308 wrote to memory of 3864	2308	2a27e93605c5d0168a5d8a10be858013_JaffaCakes118.exe	87
PID 2308 wrote to memory of 3864	2308	2a27e93605c5d0168a5d8a10be858013_JaffaCakes118.exe	87
PID 3864 wrote to memory of 2352	3864	DEMCB5E.exe	95
PID 3864 wrote to memory of 2352	3864	DEMCB5E.exe	95
PID 3864 wrote to memory of 2352	3864	DEMCB5E.exe	95
PID 2352 wrote to memory of 1472	2352	DEM21DB.exe	97
PID 2352 wrote to memory of 1472	2352	DEM21DB.exe	97
PID 2352 wrote to memory of 1472	2352	DEM21DB.exe	97
PID 1472 wrote to memory of 2092	1472	DEM7867.exe	99
PID 1472 wrote to memory of 2092	1472	DEM7867.exe	99
PID 1472 wrote to memory of 2092	1472	DEM7867.exe	99
PID 2092 wrote to memory of 436	2092	DEMCE76.exe	101
PID 2092 wrote to memory of 436	2092	DEMCE76.exe	101
PID 2092 wrote to memory of 436	2092	DEMCE76.exe	101
PID 436 wrote to memory of 2808	436	DEM24D4.exe	104
PID 436 wrote to memory of 2808	436	DEM24D4.exe	104
PID 436 wrote to memory of 2808	436	DEM24D4.exe	104

C:\Users\Admin\AppData\Local\Temp\2a27e93605c5d0168a5d8a10be858013_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a27e93605c5d0168a5d8a10be858013_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\DEMCB5E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCB5E.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Users\Admin\AppData\Local\Temp\DEM21DB.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM21DB.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\DEM7867.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7867.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Users\Admin\AppData\Local\Temp\DEMCE76.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCE76.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2092
      - C:\Users\Admin\AppData\Local\Temp\DEM24D4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM24D4.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\DEM7B02.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7B02.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM21DB.exe

Filesize
14KB

MD5
156851f67551d1299e20e44a776add55

SHA1
16e15f210366f4c64c0d8c523752591d362512ab

SHA256
f518533aadf735be69e1b85a1c9c9c05a33de69d77cd63aff1080af898a89e75

SHA512
8842e9269d29967f065627e10293af6536ca1f04c21a5ced4bd16caeeb6a12bf31b81877167524ef41d7344d012108e1ba8be74b5d5831dc68b1ac6f1b9ee6d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM24D4.exe

Filesize
14KB

MD5
43e39568d39a0715c7b3d0d03eead449

SHA1
d4b8e1d36ec6d9dd7f09b5c21e0eb42d1a3d09cd

SHA256
3a336d7f3c5f45f165ce9d8db76ad962b45ce6c732a124931c0a69c391dd3e10

SHA512
9903648e5e679c7f60f2b4e87ddf5eef94f42ce40318f31482ff643f782da571c1919532f1beeb5a9091fd5c41894ef1aa5fcc680c69d050ddfb4f7b0fb5641e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7867.exe

Filesize
14KB

MD5
76e1b0cb407dae233fcb7fab9584b564

SHA1
1a8d52a3abd429410ae7d2488b4c676294ec31ff

SHA256
ed64a4b7b082b00d7d708672eeb61421009d375b931c745db1daa9c6bc979158

SHA512
abdce4e82b620bfe82d4925fa1d7b0fd99e4e91a2a2b59d607a10970fe853b2e571a1c3ea708475682688fb15f316ffeaceaff6be11e69f862175b6518078a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7B02.exe

Filesize
14KB

MD5
4497440b914ac2e9180c29a08a473ea0

SHA1
7411bae0ee4df78a95b1bfd0439abe2d9291c0ed

SHA256
7a9eeaa0f0a2f46b06b1d24371cf0d7010f560aa2b427ff9bca3191983bfaf6c

SHA512
1adddafd2cce9bd10ff5f4117afab9ba4c47573a7f17a6e502da30a9e1405765c505b13c3de1898e81090f703583dbaa0427588ad70dc4162bddebbf7a7e78f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCB5E.exe

Filesize
14KB

MD5
6b913877b0febad976826eeeb3538c76

SHA1
9574475337b9f065e2c251e7d301f7653f183636

SHA256
dd2a192c6a8aca1733ace1e34a2619e04e3e4ef0c93320c914b8e331ff816fd5

SHA512
4fa79c3fa13e251ecdff58f7e44bcd69c61287a8bbe66d3793caa9436af091bf764319de67ed5f971cee1f8fd479868deaa51b8fce3538384ce203b7334d10bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCE76.exe

Filesize
14KB

MD5
e3a88b2225cb8c41055a0f52b2a8ec36

SHA1
42fc743f9fa92bba458481520832183eca0bf67a

SHA256
a0a40d55e1cc4f417d823409f0f513cacb6d868e499e7e8b7f3d49815fabf609

SHA512
fec1e3722ab42835f86b8a7816c2d38934c25be6cec3da0d60166f6c15bd8246d78b9b7a3e9589ecc24572d3857a04298482b171638e206eaff4bb5848ffebd7

Download Submit

Analysis

Sharing