07d663e1bde1c398f3d774c4adc737c41dac3e6363c163706bae4a26517629bd

General

Target

30290ad2b1966d19ece5582e41e8847d_JaffaCakes118.exe
Size

14KB
MD5

30290ad2b1966d19ece5582e41e8847d
SHA1

8ca31b297cb82b010bcfcd81ca6a8a9d0a3da9ec
SHA256

07d663e1bde1c398f3d774c4adc737c41dac3e6363c163706bae4a26517629bd
SHA512

05963eb27ed8e1ecc0aa735ead4aa14de75b0eb8633b407971551939f281e4f264f15db33108ad9eb8fbea13a3a95cbc6484313bcfd07c783fd1740bd8391010
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhpL1u:hDXWipuE+K3/SSHgxc

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	30290ad2b1966d19ece5582e41e8847d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEM925D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEME995.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEM3FA4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEM95D2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEMEC30.exe

Executes dropped EXE 6 IoCs

pid	Process
2268	DEM925D.exe
4916	DEME995.exe
4556	DEM3FA4.exe
3600	DEM95D2.exe
1680	DEMEC30.exe
1596	DEM42BC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM925D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME995.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3FA4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM95D2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEC30.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM42BC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30290ad2b1966d19ece5582e41e8847d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2268	2752	30290ad2b1966d19ece5582e41e8847d_JaffaCakes118.exe	87
PID 2752 wrote to memory of 2268	2752	30290ad2b1966d19ece5582e41e8847d_JaffaCakes118.exe	87
PID 2752 wrote to memory of 2268	2752	30290ad2b1966d19ece5582e41e8847d_JaffaCakes118.exe	87
PID 2268 wrote to memory of 4916	2268	DEM925D.exe	93
PID 2268 wrote to memory of 4916	2268	DEM925D.exe	93
PID 2268 wrote to memory of 4916	2268	DEM925D.exe	93
PID 4916 wrote to memory of 4556	4916	DEME995.exe	96
PID 4916 wrote to memory of 4556	4916	DEME995.exe	96
PID 4916 wrote to memory of 4556	4916	DEME995.exe	96
PID 4556 wrote to memory of 3600	4556	DEM3FA4.exe	98
PID 4556 wrote to memory of 3600	4556	DEM3FA4.exe	98
PID 4556 wrote to memory of 3600	4556	DEM3FA4.exe	98
PID 3600 wrote to memory of 1680	3600	DEM95D2.exe	100
PID 3600 wrote to memory of 1680	3600	DEM95D2.exe	100
PID 3600 wrote to memory of 1680	3600	DEM95D2.exe	100
PID 1680 wrote to memory of 1596	1680	DEMEC30.exe	103
PID 1680 wrote to memory of 1596	1680	DEMEC30.exe	103
PID 1680 wrote to memory of 1596	1680	DEMEC30.exe	103

C:\Users\Admin\AppData\Local\Temp\30290ad2b1966d19ece5582e41e8847d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30290ad2b1966d19ece5582e41e8847d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\Temp\DEM925D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM925D.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\DEME995.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME995.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\DEM3FA4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3FA4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4556
    - - C:\Users\Admin\AppData\Local\Temp\DEM95D2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM95D2.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3600
      - C:\Users\Admin\AppData\Local\Temp\DEMEC30.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEC30.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\DEM42BC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM42BC.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3FA4.exe

Filesize
14KB

MD5
baa4928654a82a0e7e92036a72c7c3c9

SHA1
56c586e3af22b45d7eb48fe7646fe59b34af368c

SHA256
5183fb763d648d13ca0a9533c65793ad8a4005129b0dd4a8889dbc27fedcd5e0

SHA512
92f7afade529cf5dffd4e7aabdd9406a9dc825f31a22acec8c27a35278a6bc858838f1a7e13e4e8fc483a98cf3d66578b51f4c44986a236886322d82bdb7bbf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM42BC.exe

Filesize
14KB

MD5
2e1376f54470a44e031e48dbfd57fbfb

SHA1
5e87f25346248809b4f0d53afe585b4a013fafea

SHA256
a9381264d762a5d88b593eec8bd24f5f59031b0698447c91d3cbd3c330134269

SHA512
c73dbbb9fc7d39d1e8108ff51a2ae30b8aceab9e8961f4c0e5fdff7171e11f96315ad8aa8bbb7f251c201340ce1a1dfdbfcab21fe21597701ca6e05bf5500b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM925D.exe

Filesize
14KB

MD5
51c5dd33f049574a9167621fd68281b9

SHA1
6cfb526c4dbad19b68c8e9a3bb3ae188cda31e00

SHA256
d3317d013b7b3c0f7db27fa9825de0d7302ef552aaf9434a172c14cc02d1dd4e

SHA512
6ba6f47fc72bce1e567367323d089f88b7b77702a6eeb8643b6b88016472d126ff2bfdb15cf2142ece9990b18ec73e48fae71adc6c865e5d55e7e2c37a6b22e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM95D2.exe

Filesize
14KB

MD5
20cc593603bbbe070af6ea476648c1ca

SHA1
347fc4d274495c8c511f2be5846673601f3deb99

SHA256
5fc52bbaa84ecec47777a43337dc050e8906b159a33cabb74db3e5db3bc64c06

SHA512
8194d67b31134bfaad12e69525956d1a34aa26a01242c59c0cfea76fdebcd7889dbce6022ff7f367807136163f24fdd03bb8fb5fc7cf5df1e14d04a431368013

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME995.exe

Filesize
14KB

MD5
02d58a06fa831db8a100159e16e717ad

SHA1
7bfab41e23bc05d3d1c7e217627b712e18de4562

SHA256
b2ebe3ed0e8ebc9ae57d8561577836da7afb8237cea31ab0ae62edd95ed28641

SHA512
66cccf4a4d301bc5ee220e1de99b5a09e8b747a4f9dfdf99eb81019743f7f842975d80b88b1973f18eeccd8abdd786e8603dbb96b522cfa954087b76dcac12a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEC30.exe

Filesize
14KB

MD5
e33cf455f72281e388783c6bbc37e6f7

SHA1
be8244b5fd4f1729a4c7fa1211c643f36cdd66a2

SHA256
6fd1cc759859d0724c262cecb7f8e5e3dad3f6e17f7afbdf58eff1970f490b20

SHA512
130f6e96b8769320738e8d8b0c342d77cb1ddfd9b8226e93a5e9971f351f417067c4c5c7ba329b94e48594ef46007ce79cd2b36287d2c59047dd40b96b1c8cca

Download Submit

Analysis

Sharing