fec2572a6d416f435c97ffab6dcdf8b1eaea20eb0386f054850b319ffef86d75

General

Target

2b7be53b885604ba6b04afd8f33ab830_JaffaCakes118.exe
Size

14KB
MD5

2b7be53b885604ba6b04afd8f33ab830
SHA1

837891d1051fa77a06bc96ea13fec8938db9a7f5
SHA256

fec2572a6d416f435c97ffab6dcdf8b1eaea20eb0386f054850b319ffef86d75
SHA512

dabcf0ee190afe23f7d03db420413136cf50ea224f7706c14cfd53758db4c7e3d80e773aa1cb756c85aae360cb370453dd23bdc8cb3fcd8b59c876a213c7596e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYWmbX:hDXWipuE+K3/SSHgxmWmbX

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DEMD90A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DEM2F48.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DEM84EA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DEMDADA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DEM30AB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2b7be53b885604ba6b04afd8f33ab830_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3288	DEMD90A.exe
1316	DEM2F48.exe
1532	DEM84EA.exe
4628	DEMDADA.exe
3008	DEM30AB.exe
2376	DEM868B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM84EA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDADA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM30AB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM868B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b7be53b885604ba6b04afd8f33ab830_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD90A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2F48.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 3288	1560	2b7be53b885604ba6b04afd8f33ab830_JaffaCakes118.exe	89
PID 1560 wrote to memory of 3288	1560	2b7be53b885604ba6b04afd8f33ab830_JaffaCakes118.exe	89
PID 1560 wrote to memory of 3288	1560	2b7be53b885604ba6b04afd8f33ab830_JaffaCakes118.exe	89
PID 3288 wrote to memory of 1316	3288	DEMD90A.exe	95
PID 3288 wrote to memory of 1316	3288	DEMD90A.exe	95
PID 3288 wrote to memory of 1316	3288	DEMD90A.exe	95
PID 1316 wrote to memory of 1532	1316	DEM2F48.exe	98
PID 1316 wrote to memory of 1532	1316	DEM2F48.exe	98
PID 1316 wrote to memory of 1532	1316	DEM2F48.exe	98
PID 1532 wrote to memory of 4628	1532	DEM84EA.exe	100
PID 1532 wrote to memory of 4628	1532	DEM84EA.exe	100
PID 1532 wrote to memory of 4628	1532	DEM84EA.exe	100
PID 4628 wrote to memory of 3008	4628	DEMDADA.exe	102
PID 4628 wrote to memory of 3008	4628	DEMDADA.exe	102
PID 4628 wrote to memory of 3008	4628	DEMDADA.exe	102
PID 3008 wrote to memory of 2376	3008	DEM30AB.exe	105
PID 3008 wrote to memory of 2376	3008	DEM30AB.exe	105
PID 3008 wrote to memory of 2376	3008	DEM30AB.exe	105

C:\Users\Admin\AppData\Local\Temp\2b7be53b885604ba6b04afd8f33ab830_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b7be53b885604ba6b04afd8f33ab830_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Local\Temp\DEMD90A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMD90A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Users\Admin\AppData\Local\Temp\DEM2F48.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM2F48.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\DEM84EA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM84EA.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Users\Admin\AppData\Local\Temp\DEMDADA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDADA.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4628
      - C:\Users\Admin\AppData\Local\Temp\DEM30AB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM30AB.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\DEM868B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM868B.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2F48.exe

Filesize
14KB

MD5
d060840f19dedd333be9c90bb0f80bcd

SHA1
8524a8339d7e42f985cee73d730959a658a937a1

SHA256
55bde1695c023771550e38980d054f2b0fa170c3b29ee34777d376d68af0b67b

SHA512
f889f65107a6d224bd2613f59812ecc0dcb43f38e6b929f70abc38c2d319a4a8534bc5d9f6ea99431fe870684449aab2cb42e9ed10b21997efa9441d2b562f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM30AB.exe

Filesize
14KB

MD5
54c9cb53cd9b07798ff900c24005332f

SHA1
1455a88206dd8802388b311286a8e78df602ce6b

SHA256
f7befe26a0a9c20ca33fa69f27e103116854b8a247e10f0880b8c54a6b28fc5a

SHA512
03e9196b12faee11622791f695b579c9c870a466ea304f0d5e5b8918f4d861f2ef176acdfc4b9091a41bc5521dba9d3663019f4b0b048adf6e41a4a2374f4b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM84EA.exe

Filesize
14KB

MD5
170428668249041d3692088e2c728a57

SHA1
5b49f0cecfd506bf091abb144c88fee210651c0a

SHA256
80830b699b159c06788bfa054364da537c3345dfcaed63cfc6aa068037f35319

SHA512
15a2f1404a9137127d9148aeca6e61ecf0f180cbba1af22931798ca8d2b974f6f81edb8c78a70cfba2cdae5e7d5d7f3aaee2aa58d8e79b91f53a4371b8327073

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM868B.exe

Filesize
14KB

MD5
a2e6f78840ffe764acc9f682ac2c0d39

SHA1
bdfd228365c572f7adc5ab3d540ff7b71f565e09

SHA256
9461d4b3c32c5cea6cc870fdda1954e23bf7532420acabb50516558d3a6d5a01

SHA512
be7eb753987a48c8ff8371bb36aa84ff48904087464790d13362d509299655cd9aac455c87832c3976e825f3573931321391c236858e463a31bca234f3326e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD90A.exe

Filesize
14KB

MD5
97dab0249751d61b063fb0e39847c676

SHA1
8d91122679267a1acb319113bb6939c9d78c7c81

SHA256
5587b24343c2470c221a8058a6cbbf0967fd73e40c5849fafbd11e824cca5ab8

SHA512
e1689a7439d44b354b3cde75905e280cb06e7c127345c536e6d9e5134a81f31c1a6713b0dc1ba5399a9a6f11fce17002ec0e9f155daec14abd5b8d61b4641b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDADA.exe

Filesize
14KB

MD5
9fe1a36d674202a327a49d3177d7c4c9

SHA1
0266f340b3b0fd615a05ba15d7693e0d2927efdb

SHA256
77d43eb0559b0d42785a69ecc7518259e252496a29c77c8eaa7c391def0af726

SHA512
926e9b0067a5c4d6d6be0de45b2964e23dcfb7b0ae522c6e3ac90e88597431945f9df94ac92c280a0cd8801fe4d29d9516d86e7c8c8bc406c708118082ec97d9

Download Submit

Analysis

Sharing