3efe63b10ba61a31b6c88a0768f89a635ab3e12e64b4c5b79c57033509704647

General

Target

2ccf46dbeb276e98050d3eb3c9cd3916_JaffaCakes118.exe
Size

14KB
MD5

2ccf46dbeb276e98050d3eb3c9cd3916
SHA1

4467afa0124fa79cb359d9982f23d9e758962a9c
SHA256

3efe63b10ba61a31b6c88a0768f89a635ab3e12e64b4c5b79c57033509704647
SHA512

9cc129859c2173f8e49684cb3a0ab3b5f600b641433f1332b6d4d051e51a2c6a6106ea737cd08dafdf1cfea28eae8fa157ac5bf365bd0f306c4f9539f14d60e4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYqNe:hDXWipuE+K3/SSHgxmqU

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEMA037.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEMF741.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEM4D50.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEMA3DC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEMF9FB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2ccf46dbeb276e98050d3eb3c9cd3916_JaffaCakes118.exe

Executes dropped EXE 5 IoCs

pid	Process
2992	DEMA037.exe
1988	DEMF741.exe
1592	DEM4D50.exe
3608	DEMA3DC.exe
4248	DEMF9FB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF9FB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5049.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ccf46dbeb276e98050d3eb3c9cd3916_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA037.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF741.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4D50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA3DC.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 2992	4664	2ccf46dbeb276e98050d3eb3c9cd3916_JaffaCakes118.exe	87
PID 4664 wrote to memory of 2992	4664	2ccf46dbeb276e98050d3eb3c9cd3916_JaffaCakes118.exe	87
PID 4664 wrote to memory of 2992	4664	2ccf46dbeb276e98050d3eb3c9cd3916_JaffaCakes118.exe	87
PID 2992 wrote to memory of 1988	2992	DEMA037.exe	92
PID 2992 wrote to memory of 1988	2992	DEMA037.exe	92
PID 2992 wrote to memory of 1988	2992	DEMA037.exe	92
PID 1988 wrote to memory of 1592	1988	DEMF741.exe	94
PID 1988 wrote to memory of 1592	1988	DEMF741.exe	94
PID 1988 wrote to memory of 1592	1988	DEMF741.exe	94
PID 1592 wrote to memory of 3608	1592	DEM4D50.exe	96
PID 1592 wrote to memory of 3608	1592	DEM4D50.exe	96
PID 1592 wrote to memory of 3608	1592	DEM4D50.exe	96
PID 3608 wrote to memory of 4248	3608	DEMA3DC.exe	98
PID 3608 wrote to memory of 4248	3608	DEMA3DC.exe	98
PID 3608 wrote to memory of 4248	3608	DEMA3DC.exe	98

C:\Users\Admin\AppData\Local\Temp\2ccf46dbeb276e98050d3eb3c9cd3916_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ccf46dbeb276e98050d3eb3c9cd3916_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\DEMA037.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA037.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\DEMF741.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF741.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\DEM4D50.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4D50.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Users\Admin\AppData\Local\Temp\DEMA3DC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA3DC.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3608
      - C:\Users\Admin\AppData\Local\Temp\DEMF9FB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF9FB.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\DEM5049.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5049.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4D50.exe

Filesize
14KB

MD5
bb566aa5a3eaa0ed09e8205e451c615c

SHA1
49d9b274e9992710ee07ba908a816e9cce2661a3

SHA256
992a38ca33b5d2565b7d54f343bb3262f57ade32c311ef939494a631096a58e9

SHA512
f1500555bbf5df830a873f608379f04460723f376a1f833f3d6162d11a14bf8d1ceef7c4c2001b9fdb3199cb68d6b68dba2e23272b10894b5d4dfe1ddd954c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA037.exe

Filesize
14KB

MD5
1c537f21f8753b3078df0eaf1c5722a2

SHA1
66cbd78a9dc88121f0deebb7d41259e1550caf80

SHA256
88e566d286863491cbe137a1bcf8f4479e65236ed7d20acbcba05a1ebd2afae2

SHA512
4e5a915acafd8c3730632c50ed74343a3ebe7a327f79808246b5ae6164bad59c438acacee00f7fcd2a40228ba6bb5106229f798f0f5dfd4f54859e432428ec52

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA3DC.exe

Filesize
14KB

MD5
03e80844274ba2d4cc88aaad97e92d65

SHA1
0b206ab19493a733f0ed07f50a92987f111d8228

SHA256
5e7d72dce36298874157506cc610a7e4d7214da626cd0c5e4542ea868935e148

SHA512
c43b02bd0563b212123331baf364fd01b978c592e18754aa513631d8a473c1119d8b7a6ba4b3fb6717087cd1e92839aef8a4468ed40a2c7c492fc5ea98a195a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF741.exe

Filesize
14KB

MD5
43f1c8983a09f514ebaf802e3c8eb7cc

SHA1
d46ca638c76be95eea18ec8e1641e58637e89c9d

SHA256
d952136de9d17cb44b43f739488471e2766c18212c9d5d205a5fe9b61f4a4cb7

SHA512
f3cf5bb7bc5d1c25c20db652e3e1d7646512a67a384bf3db478acc63d1ca796700ed5eb0005159eb49704bc43a694e02e9ad62c26dcb452e30909067319cfc9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF9FB.exe

Filesize
14KB

MD5
7044ff9123af12d9c245c570aa78275e

SHA1
6eec06375cf336d83cee1e224547c8f37bdfefb6

SHA256
2fe26ff9a49f0ff77f285e2d15eb8d58dfbba4943d3c23ffa20e85fc600cbf8c

SHA512
947b5bf367790f58b767ecadb9c06a5cb5bbe3f2b4292f31186a900b59c0986d0830a060faa01dcd1e50803aaae7b08d8f238f455d60389b4d4f62ba665d22be

Download Submit

Analysis

Sharing