2cd4e54465ecbc47f9e09ef920a05c43ff193f3a21be5fb041aa7174f26dedda

General

Target

2a3c1a8e82a47138e1fdddf3e9f8bf8e_JaffaCakes118.exe
Size

14KB
MD5

2a3c1a8e82a47138e1fdddf3e9f8bf8e
SHA1

bcf4cf04330416ee7f9dfe5bf8b1472664163cef
SHA256

2cd4e54465ecbc47f9e09ef920a05c43ff193f3a21be5fb041aa7174f26dedda
SHA512

12a95d7f642adbd7561316e93a92b1c5941cf34e7a03c8f7508304996b5250f1dc7212c8a16747e23342380e06f0ebdf8f9104e3317ae693b17dfbcec049d3b3
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5m:hDXWipuE+K3/SSHgxmc

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	2a3c1a8e82a47138e1fdddf3e9f8bf8e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEMC043.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEM17AA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEM6EA3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEMC5AC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEM1C0A.exe

Executes dropped EXE 6 IoCs

pid	Process
1800	DEMC043.exe
4852	DEM17AA.exe
5032	DEM6EA3.exe
1584	DEMC5AC.exe
1444	DEM1C0A.exe
4408	DEM7313.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1C0A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a3c1a8e82a47138e1fdddf3e9f8bf8e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC043.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM17AA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6EA3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC5AC.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1800	2408	2a3c1a8e82a47138e1fdddf3e9f8bf8e_JaffaCakes118.exe	87
PID 2408 wrote to memory of 1800	2408	2a3c1a8e82a47138e1fdddf3e9f8bf8e_JaffaCakes118.exe	87
PID 2408 wrote to memory of 1800	2408	2a3c1a8e82a47138e1fdddf3e9f8bf8e_JaffaCakes118.exe	87
PID 1800 wrote to memory of 4852	1800	DEMC043.exe	93
PID 1800 wrote to memory of 4852	1800	DEMC043.exe	93
PID 1800 wrote to memory of 4852	1800	DEMC043.exe	93
PID 4852 wrote to memory of 5032	4852	DEM17AA.exe	95
PID 4852 wrote to memory of 5032	4852	DEM17AA.exe	95
PID 4852 wrote to memory of 5032	4852	DEM17AA.exe	95
PID 5032 wrote to memory of 1584	5032	DEM6EA3.exe	97
PID 5032 wrote to memory of 1584	5032	DEM6EA3.exe	97
PID 5032 wrote to memory of 1584	5032	DEM6EA3.exe	97
PID 1584 wrote to memory of 1444	1584	DEMC5AC.exe	99
PID 1584 wrote to memory of 1444	1584	DEMC5AC.exe	99
PID 1584 wrote to memory of 1444	1584	DEMC5AC.exe	99
PID 1444 wrote to memory of 4408	1444	DEM1C0A.exe	101
PID 1444 wrote to memory of 4408	1444	DEM1C0A.exe	101
PID 1444 wrote to memory of 4408	1444	DEM1C0A.exe	101

C:\Users\Admin\AppData\Local\Temp\2a3c1a8e82a47138e1fdddf3e9f8bf8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a3c1a8e82a47138e1fdddf3e9f8bf8e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\DEMC043.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC043.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\DEM17AA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM17AA.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\DEM6EA3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6EA3.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5032
    - - C:\Users\Admin\AppData\Local\Temp\DEMC5AC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC5AC.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Users\Admin\AppData\Local\Temp\DEM1C0A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1C0A.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\DEM7313.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7313.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM17AA.exe

Filesize
14KB

MD5
db4df09a5e36bed7bcf2fffa399f422e

SHA1
ad87b7dbc1deeffeca130d3d0e718f215a493bbc

SHA256
3daa6eddc8ab2782880631afe83a86b341ca1afe43bcab0a987e2a4d69a98fce

SHA512
328698d73e8c065c52193658282cfe941e87c966c4c6c92dc126e6f42733cc13cbf4f31b6157eee17cfeb812e553850e35d70fbdf13ae72370c2699cb4808d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1C0A.exe

Filesize
14KB

MD5
3e5d2f62b6d076a99f240b9563fb4d3a

SHA1
7a23166f46774987eab711f3339876acd7beb60a

SHA256
7f48576b0121bb72b6342b0dc11e0bc4a781837c0474cc03fe0b8e44046730e1

SHA512
23c596baabecfbabf7d12ad0fbc7eec044dd2d4de02688b0ddd54f9fd4e7154861766cdd65ad010879b18528995286da515cea32c202876259bb708090c38033

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6EA3.exe

Filesize
14KB

MD5
fc0d14f16836cb65f34bf4f69da8a765

SHA1
bf63e3e04c428ff71673b6b145bd8cb96e06ffbe

SHA256
4e428a399eeb16bdc581695547f06ea52f14e6cf823c78fd17b620d9cea8bdbc

SHA512
1b808ffd16f27231a22e78f33b7ff91a315e9c4e93249052c1edcfa5bb69f52214e8fa7077579579aac58479ca0e22cb81367edfa9486f71308cbf0eacfa9f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7313.exe

Filesize
14KB

MD5
a777556bedc8a9556f58955ee4151c43

SHA1
8d0c4ae2aa03ae61ecb0c450eeabbf5fe3fd3e31

SHA256
de8031a400f013f9e019a4bde1ff0b1cec3fea1f5909e336c13f5b73774366ce

SHA512
1dc1b74deb5f3870a1307065b876593d3522749a5ddf27db46bcf2b2debbda10a93ca70219aa69abe1ee49e327d6a443914091efed61d974cd54c53ae4dd887c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC043.exe

Filesize
14KB

MD5
e43fb2031f2093f4c1af54d74d0ee9f6

SHA1
e06c41c4396bc51bf4b73f5e153284e1ed6aacf7

SHA256
ac206641e8efebb6e46bbab0dd4d2b6c37bcf3da9b845abd77fe44b064c05c30

SHA512
6f5195d7becfed2fcf6ed696a4956534496d796dbd951a003381b67735c6d0d46351e88886df760a8fb0332976355f55bebafdb60bdba7915b7e8044a7d33b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC5AC.exe

Filesize
14KB

MD5
bc1547d4bb87e342879eca312b2c3875

SHA1
820ea4e4345ecb326670b8c7247c0e2426489b75

SHA256
0cedfe023e452f96a9217b453aa61a5bec57cbbaa6eb36146ef0765600c769bb

SHA512
b4519877d648226238b0076f86449688dce500683244b48ee0b1af77aee2e014a3fd6ca1d6401044adf8eb3a4204c882172b41b26948142f3081abce750a2fec

Download Submit

Analysis

Sharing