367f6b7e132cd558935f5feebe6b2c0d5c5eb851c224b71894c4768d15d85eae

General

Target

2b5a0d4c023678b5f128a69973db55f7_JaffaCakes118.exe
Size

14KB
MD5

2b5a0d4c023678b5f128a69973db55f7
SHA1

297d1f047b3f19ab6eacf3cd3b06e95df4f4cf9f
SHA256

367f6b7e132cd558935f5feebe6b2c0d5c5eb851c224b71894c4768d15d85eae
SHA512

cd65cb4de1fc7a973d96cf78d514c6f5c4842b9789ae76947084e1147a0471a39a3b91a68bfe42d460fc83078963c2e4a8be6615f5e89d21585de453e1cdb90f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYjG:hDXWipuE+K3/SSHgxma

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEMD8C7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2b5a0d4c023678b5f128a69973db55f7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEM7FFD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEMD68A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEM2C99.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEM8299.exe

Executes dropped EXE 6 IoCs

pid	Process
1044	DEM7FFD.exe
436	DEMD68A.exe
392	DEM2C99.exe
4776	DEM8299.exe
3788	DEMD8C7.exe
3376	DEM2EB7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD68A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2C99.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD8C7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2EB7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b5a0d4c023678b5f128a69973db55f7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7FFD.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 1044	2960	2b5a0d4c023678b5f128a69973db55f7_JaffaCakes118.exe	87
PID 2960 wrote to memory of 1044	2960	2b5a0d4c023678b5f128a69973db55f7_JaffaCakes118.exe	87
PID 2960 wrote to memory of 1044	2960	2b5a0d4c023678b5f128a69973db55f7_JaffaCakes118.exe	87
PID 1044 wrote to memory of 436	1044	DEM7FFD.exe	92
PID 1044 wrote to memory of 436	1044	DEM7FFD.exe	92
PID 1044 wrote to memory of 436	1044	DEM7FFD.exe	92
PID 436 wrote to memory of 392	436	DEMD68A.exe	94
PID 436 wrote to memory of 392	436	DEMD68A.exe	94
PID 436 wrote to memory of 392	436	DEMD68A.exe	94
PID 392 wrote to memory of 4776	392	DEM2C99.exe	96
PID 392 wrote to memory of 4776	392	DEM2C99.exe	96
PID 392 wrote to memory of 4776	392	DEM2C99.exe	96
PID 4776 wrote to memory of 3788	4776	DEM8299.exe	98
PID 4776 wrote to memory of 3788	4776	DEM8299.exe	98
PID 4776 wrote to memory of 3788	4776	DEM8299.exe	98
PID 3788 wrote to memory of 3376	3788	DEMD8C7.exe	100
PID 3788 wrote to memory of 3376	3788	DEMD8C7.exe	100
PID 3788 wrote to memory of 3376	3788	DEMD8C7.exe	100

C:\Users\Admin\AppData\Local\Temp\2b5a0d4c023678b5f128a69973db55f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b5a0d4c023678b5f128a69973db55f7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\DEM7FFD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7FFD.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Users\Admin\AppData\Local\Temp\DEMD68A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD68A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Users\Admin\AppData\Local\Temp\DEM2C99.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2C99.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Users\Admin\AppData\Local\Temp\DEM8299.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8299.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4776
      - C:\Users\Admin\AppData\Local\Temp\DEMD8C7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD8C7.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\DEM2EB7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2EB7.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2C99.exe

Filesize
15KB

MD5
345ffea72ec2a3ef97a7fc67332c5650

SHA1
510f916000a72d134d8a28dcd70abafc7fd8a93b

SHA256
061ef70cb1b17480e2ce881f510ba0735d4670db1910bbe5b3367056cdf64ee9

SHA512
2475e480b212bd321c9f783b83c945fe4ae874dd0eabb76e8be41ee1b5ea1011f5e3ae3147fc578b6cd3d5088fa50cd2390784e7946e19f2b85ba0a38f6f298b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2EB7.exe

Filesize
15KB

MD5
55fba8e75808aa001cf8d75ed778add5

SHA1
3cb6c3c6b75613ae19f41399fe4a348e9eb5e9d7

SHA256
42b4b66e65a1051fea5757335deda209c5e6ce823bb621d6c2887655db795d6d

SHA512
75a253c4ef3f371eeabb013f0d3a88b2d0f03b4635722289a64e40d3392934ac0d6cfb3ee7edcec1f7a6d4e8c54d389da8622cf6614c3062778f0cdd150c0e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7FFD.exe

Filesize
15KB

MD5
feaf38fbd37eea5e650ac58e11e4acce

SHA1
936b394bdcf2d2f98ee1509ce02d128b4c9acd90

SHA256
40de6236a6444408464c2b2d79438b5ba6f0abfe6bf0f7adc8fe748901010c96

SHA512
5df8758cd1f4732bd166fd49b8863547967122f1262d8af922758010779511eb0bb7dfa28ab9b6e5410eb276e4ed4cb7e4ad97eb18f1add25045b283bb194b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8299.exe

Filesize
15KB

MD5
dca913cfddd5eddf73bed6f4ed997588

SHA1
a6670ada87ad1ac656f7688cd729c270eb21bd0b

SHA256
c619e42ad87bbd6e3b7b75f66913df42c3f26e0c78b3cab09516c41a58585053

SHA512
6ed427821735963a608250325f8f671f03ce276c5641fc8cd426f9dc078219def948bd290bd8b90083a2d50ebd5dd68baf7c03779a052cd9b80158347ea9ef37

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD68A.exe

Filesize
15KB

MD5
c4346cc9d9a0fe310328b822dbf29768

SHA1
83306eee9112ed6a09ac78a1a1020eac9b592860

SHA256
0411ff3005c779589313341f56222daa37d7c8c2f923db380831035be3835c8d

SHA512
967db51e692745545e2dad805691e24409ef4e6543d9f12fa988e81511fa4805942c09e7b11cc56da8e51ac4605d75b6c4763298d83de068b86c2cd9ffad37a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD8C7.exe

Filesize
15KB

MD5
85bf79ed2b4e7b7d3574a682767ee942

SHA1
243979f235d085c12231c9607bc91fa0861a7fee

SHA256
59b42a77ea6ea2f0c85e59212ec933093c10eca2fa606aec9bfadac132d7f933

SHA512
2ba694fbeba6053b91c1969a9a6541fd7ed1be1571eadd1c5554548c77eaf0887122990ebc03943f0255766e03c9adc191d664783a715efbce3c9cd55581ab53

Download Submit

Analysis

Sharing