333e6c381cf515d11f28828ee8a033540894e2f02d1afcb17d239039591ac9a7

General

Target

2f4998657c1318c014fac873cca43763_JaffaCakes118.exe
Size

14KB
MD5

2f4998657c1318c014fac873cca43763
SHA1

3b3c81356ff8d0f320abd267414332dad9887a2d
SHA256

333e6c381cf515d11f28828ee8a033540894e2f02d1afcb17d239039591ac9a7
SHA512

a941ee1248195948413a543d0ea5e83900d4fdb953974a5fdba8dd27fa77d6275df892010fa31fc2e25b44711bc5edd691ee91a89ce9fd1c3fec1012d8ec0adb
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0K6:hDXWipuE+K3/SSHgx4K6

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEMD1E6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEM2882.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEM7F2E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEMD5C9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	2f4998657c1318c014fac873cca43763_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEM7AFC.exe

Executes dropped EXE 6 IoCs

pid	Process
232	DEM7AFC.exe
4564	DEMD1E6.exe
4672	DEM2882.exe
2188	DEM7F2E.exe
4324	DEMD5C9.exe
3616	DEM2C36.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7F2E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD5C9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2C36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f4998657c1318c014fac873cca43763_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7AFC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD1E6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2882.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 232	2052	2f4998657c1318c014fac873cca43763_JaffaCakes118.exe	87
PID 2052 wrote to memory of 232	2052	2f4998657c1318c014fac873cca43763_JaffaCakes118.exe	87
PID 2052 wrote to memory of 232	2052	2f4998657c1318c014fac873cca43763_JaffaCakes118.exe	87
PID 232 wrote to memory of 4564	232	DEM7AFC.exe	94
PID 232 wrote to memory of 4564	232	DEM7AFC.exe	94
PID 232 wrote to memory of 4564	232	DEM7AFC.exe	94
PID 4564 wrote to memory of 4672	4564	DEMD1E6.exe	97
PID 4564 wrote to memory of 4672	4564	DEMD1E6.exe	97
PID 4564 wrote to memory of 4672	4564	DEMD1E6.exe	97
PID 4672 wrote to memory of 2188	4672	DEM2882.exe	99
PID 4672 wrote to memory of 2188	4672	DEM2882.exe	99
PID 4672 wrote to memory of 2188	4672	DEM2882.exe	99
PID 2188 wrote to memory of 4324	2188	DEM7F2E.exe	101
PID 2188 wrote to memory of 4324	2188	DEM7F2E.exe	101
PID 2188 wrote to memory of 4324	2188	DEM7F2E.exe	101
PID 4324 wrote to memory of 3616	4324	DEMD5C9.exe	103
PID 4324 wrote to memory of 3616	4324	DEMD5C9.exe	103
PID 4324 wrote to memory of 3616	4324	DEMD5C9.exe	103

C:\Users\Admin\AppData\Local\Temp\2f4998657c1318c014fac873cca43763_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f4998657c1318c014fac873cca43763_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\DEM7AFC.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7AFC.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\DEMD1E6.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD1E6.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\DEM2882.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2882.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4672
    - - C:\Users\Admin\AppData\Local\Temp\DEM7F2E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7F2E.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Users\Admin\AppData\Local\Temp\DEMD5C9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD5C9.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\DEM2C36.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2C36.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2882.exe

Filesize
14KB

MD5
58fc2b519956c6719a761d1176c9a093

SHA1
9b71384aad1ca452e647fe44a860e2f3d65abcde

SHA256
a4f762819d2ada393382737be4865fbe55167655c3631cafa31d9768581bd71a

SHA512
6d0bfef22e54697c1b222ed9d3d3b4a9b8a93803f202c6b986af1945d6c2bfb01ab1d20d727f8699d8a00000d22df0a556e0e31cb4842a6fe6ba80e1c0918e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2C36.exe

Filesize
14KB

MD5
4e313c6647e087927c1c924165a53067

SHA1
04d88538e63cf10d640719a8f1708a507ab69ab5

SHA256
729bd6563894f753f233d68286e98666667214e7bb204fe6602e758145cf994f

SHA512
90315a9c0ecc93a28306378b9638d11d21153980c869bc16b205dceda440d3f7fcb57134a60f3555a7615ecd900ca5b74bbfe7662b7200ade2e56c34d494c750

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7AFC.exe

Filesize
14KB

MD5
7194179a69c586bcb89b6b94013b5aba

SHA1
a3845ded755747d44a4af5e5ac36a6f755517bdc

SHA256
e99da47ec8327088e04f9b78fbb72a21dd93417f8afb98533b77366e7a160f21

SHA512
573bb2565d7aae753f67c4aaaa9fd73369aea523d1efd73d17d11874d36c7a8aebe0798f57541c246ff2d81c20382b5a6cc8cb3869ede8f06bc6e29ed3b9459d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7F2E.exe

Filesize
14KB

MD5
58d6e108188a7d57daee72cdd7321dc1

SHA1
58a56681e342aac48dc915edd0cc3aa930776f28

SHA256
7775cb4036f45e020378b5249e3cf7106d90564e74da036d86d7606f7318ca97

SHA512
c0ccef68d6a29573f744a218333352c3a7a39ca67da49ac5abf302b159734f4fa96d202e38d5d8548c696e3ad8f944d89413bbf65dfbac7fcbfb4f862cfbf1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD1E6.exe

Filesize
14KB

MD5
9f3936dcb8b81456412bec6823275d68

SHA1
e2acf1b13cba32141550bee1c5bfa35b5b38874a

SHA256
1fe0887f61f5cd7d952a3f7231845698241803ed0f80d72b60876886753b5bb8

SHA512
c796f0fb582abb5406a90999b4ef2f82ff25264103bffd117c5238c73798a29e62d7918b69637d1a7656968004f63cd4fad89c154a5e4cf2e3cb64609a1b2d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD5C9.exe

Filesize
14KB

MD5
074833d27a3af28cace7b9f0254e5971

SHA1
f6ab1777657684dba77b505ecdd10d50f1b1828d

SHA256
cbf4fa7383b3382954bb2568a555a3ac239a38d58c33f8a803d043f37ffa4c60

SHA512
b923267f7676ae5820d2c0dda62f4f451f5e48cd21f902b8bf779b9d7ffb00fbcb2c5d6b920976217e29e6da0c3c04800a89a903a8173b77defe304077c05cb4

Download Submit

Analysis

Sharing