fd2f3f0f7c90d07e96d7fb80d79f51e8b81de745839f331a6a42ebb9b410473a

General

Target

3077e7dfa37f7b57488e11c7ca0b143c_JaffaCakes118.exe
Size

14KB
MD5

3077e7dfa37f7b57488e11c7ca0b143c
SHA1

9876096ccc681b185b6d7d69b0e59d0519e1cd5a
SHA256

fd2f3f0f7c90d07e96d7fb80d79f51e8b81de745839f331a6a42ebb9b410473a
SHA512

31cd6ed8c2e05be765e94da8a4cdd28d350e57d55636b937c192aa3852bdb2b9463f031905d4fc7b27b1845b0e5ba9a6957df0bd6481ae072ec9763d0c5c40e8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh7:hDXWipuE+K3/SSHgxN

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	3077e7dfa37f7b57488e11c7ca0b143c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEMCB4F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEM21EB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEM77DB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEMCE19.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEM23F9.exe

Executes dropped EXE 6 IoCs

pid	Process
952	DEMCB4F.exe
4832	DEM21EB.exe
4996	DEM77DB.exe
4904	DEMCE19.exe
2156	DEM23F9.exe
1636	DEM7A66.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCE19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM23F9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7A66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3077e7dfa37f7b57488e11c7ca0b143c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCB4F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM21EB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM77DB.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 952	4812	3077e7dfa37f7b57488e11c7ca0b143c_JaffaCakes118.exe	87
PID 4812 wrote to memory of 952	4812	3077e7dfa37f7b57488e11c7ca0b143c_JaffaCakes118.exe	87
PID 4812 wrote to memory of 952	4812	3077e7dfa37f7b57488e11c7ca0b143c_JaffaCakes118.exe	87
PID 952 wrote to memory of 4832	952	DEMCB4F.exe	94
PID 952 wrote to memory of 4832	952	DEMCB4F.exe	94
PID 952 wrote to memory of 4832	952	DEMCB4F.exe	94
PID 4832 wrote to memory of 4996	4832	DEM21EB.exe	96
PID 4832 wrote to memory of 4996	4832	DEM21EB.exe	96
PID 4832 wrote to memory of 4996	4832	DEM21EB.exe	96
PID 4996 wrote to memory of 4904	4996	DEM77DB.exe	98
PID 4996 wrote to memory of 4904	4996	DEM77DB.exe	98
PID 4996 wrote to memory of 4904	4996	DEM77DB.exe	98
PID 4904 wrote to memory of 2156	4904	DEMCE19.exe	100
PID 4904 wrote to memory of 2156	4904	DEMCE19.exe	100
PID 4904 wrote to memory of 2156	4904	DEMCE19.exe	100
PID 2156 wrote to memory of 1636	2156	DEM23F9.exe	103
PID 2156 wrote to memory of 1636	2156	DEM23F9.exe	103
PID 2156 wrote to memory of 1636	2156	DEM23F9.exe	103

C:\Users\Admin\AppData\Local\Temp\3077e7dfa37f7b57488e11c7ca0b143c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3077e7dfa37f7b57488e11c7ca0b143c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Local\Temp\DEMCB4F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCB4F.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Local\Temp\DEM21EB.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM21EB.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\DEM77DB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM77DB.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4996
    - - C:\Users\Admin\AppData\Local\Temp\DEMCE19.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCE19.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4904
      - C:\Users\Admin\AppData\Local\Temp\DEM23F9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM23F9.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\DEM7A66.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7A66.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM21EB.exe

Filesize
14KB

MD5
8ca7a99f7e7dfc901cd9d5504ea0d3aa

SHA1
4673d5f3974dc0301728807bfcd85f4158dca9c8

SHA256
abcd859d8ccc063fd92f2cff356a62798a5bbb03f311c9bb0caac5c8a0cf36e2

SHA512
7e92b97f830cf37633335baddc6c9273c1149e719b41a79db11ed303f171bfb1eb4b61258ced04cf447d98f283f1335cf29d29e6edf7b97566d1a0ae8700ff69

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM23F9.exe

Filesize
14KB

MD5
6c9c98dc4a0362cf0f96589f8b6d488d

SHA1
1ec55b7202b7cbfc4a2d76d8a07123dc3a0f1490

SHA256
122f2a7092e8533bfa8bf3616fade8c6351b4c4de5355832d071c1a5faddd887

SHA512
8aa5bff7702548ad01842555b890faa7581e099794c6bebea3ad5780ce2eafb5ec09332eeddb2112569951cab25602384a0fb5b911a688d2ba7141076b7b6326

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM77DB.exe

Filesize
14KB

MD5
af878bfc433070dd8441a6ecb7f61f15

SHA1
d076ba0ba05344254c778fb7143b6b3e476050dd

SHA256
13a4bd22920b48025e80eab9f83dd6476937751deeaabc4af8434cd14f2a050a

SHA512
094acde6b432d0584289236ad2896ee830dd7b8d4983c03f582dc45503654dd1841b91fefec3fb5c453645b225b704c842cdb7f53302bef742cc14f1e39fa891

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7A66.exe

Filesize
14KB

MD5
84e6346461171b69d8efdceba0a2cc35

SHA1
a19e37725aa2586a11837773b370c573a7bfc82c

SHA256
79fc6efdcbe33f82ae1e5fe1eb2f180f352b116fdd82f2091ca5998ee3e4f3fa

SHA512
15db0a329db1467e1c06f1930e1cb8bc468baecfbef1d6ef48b97a78509cdc1e2b222f690934afac588a8ed5827b42dd69c916d70d36cc248c9be8171a99e73d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCB4F.exe

Filesize
14KB

MD5
9e5abb49d1ae8a175314a52fa2ef0352

SHA1
be793bb780fc832c1a0adb0ca1db119a105350a9

SHA256
ddd2f1ecb72dff27563d5e3458f50c1034b0a252f04ff5fe71c0a4beef7a868e

SHA512
1ae8677df627dc34946563c960a63a251cf4f01db55a8b0e5ca977b7e99b372ac27fa261b321323f7355442a807079b91dd84318ce932ef53e43889205650720

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCE19.exe

Filesize
14KB

MD5
475d7cc38c1e1ef1c86a405865dd1bf0

SHA1
c8993cb91ec05fc5f59bcf13c70c340cd2c577a8

SHA256
c750ca02fb6f065997b3534ad496174ef051dc395aa44a5c17f79c5a33bded36

SHA512
dd872671ce89ea21441bf2fdf1ceeae063e8a6dbd886a9978cc9d6dbffca600acc723251df2301190f1b596511496476edda211f59551badf1f1d307d7f9a265

Download Submit

Analysis

Sharing