0ce3670ee79151fee65be5e9a41dc16e04b653c5cf3f39e282ead0280ec836e3

General

Target

374728010db560a17581324230b94736_JaffaCakes118.exe
Size

15KB
MD5

374728010db560a17581324230b94736
SHA1

75034f9a3592c633be370cd398504a8101a3b75d
SHA256

0ce3670ee79151fee65be5e9a41dc16e04b653c5cf3f39e282ead0280ec836e3
SHA512

2aa1ededa36c57108dbadeb7ca07f8becd97a108d693923a6f7c138c958ba6898973e7be769a1092d4e4ab2a6233b0f075ebbfc7f0fb56e57e38a778a911a198
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxZaf:hDXWipuE+K3/SSHgxmH6

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	374728010db560a17581324230b94736_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DEM7D8C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DEMD448.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DEM2A86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DEM80A5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DEMD6E3.exe

Executes dropped EXE 6 IoCs

pid	Process
4016	DEM7D8C.exe
740	DEMD448.exe
2300	DEM2A86.exe
4340	DEM80A5.exe
1696	DEMD6E3.exe
4964	DEM2D11.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2D11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	374728010db560a17581324230b94736_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7D8C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD448.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2A86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM80A5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD6E3.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 4016	4300	374728010db560a17581324230b94736_JaffaCakes118.exe	87
PID 4300 wrote to memory of 4016	4300	374728010db560a17581324230b94736_JaffaCakes118.exe	87
PID 4300 wrote to memory of 4016	4300	374728010db560a17581324230b94736_JaffaCakes118.exe	87
PID 4016 wrote to memory of 740	4016	DEM7D8C.exe	94
PID 4016 wrote to memory of 740	4016	DEM7D8C.exe	94
PID 4016 wrote to memory of 740	4016	DEM7D8C.exe	94
PID 740 wrote to memory of 2300	740	DEMD448.exe	96
PID 740 wrote to memory of 2300	740	DEMD448.exe	96
PID 740 wrote to memory of 2300	740	DEMD448.exe	96
PID 2300 wrote to memory of 4340	2300	DEM2A86.exe	98
PID 2300 wrote to memory of 4340	2300	DEM2A86.exe	98
PID 2300 wrote to memory of 4340	2300	DEM2A86.exe	98
PID 4340 wrote to memory of 1696	4340	DEM80A5.exe	100
PID 4340 wrote to memory of 1696	4340	DEM80A5.exe	100
PID 4340 wrote to memory of 1696	4340	DEM80A5.exe	100
PID 1696 wrote to memory of 4964	1696	DEMD6E3.exe	102
PID 1696 wrote to memory of 4964	1696	DEMD6E3.exe	102
PID 1696 wrote to memory of 4964	1696	DEMD6E3.exe	102

C:\Users\Admin\AppData\Local\Temp\374728010db560a17581324230b94736_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\374728010db560a17581324230b94736_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Users\Admin\AppData\Local\Temp\DEM7D8C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7D8C.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Users\Admin\AppData\Local\Temp\DEMD448.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD448.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Users\Admin\AppData\Local\Temp\DEM2A86.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2A86.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Users\Admin\AppData\Local\Temp\DEM80A5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM80A5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4340
      - C:\Users\Admin\AppData\Local\Temp\DEMD6E3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD6E3.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\DEM2D11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2D11.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2A86.exe

Filesize
15KB

MD5
67e985e72a9e97de442ffcf6fca0879e

SHA1
a64fbb13454d4de44cb39a819327bd09f4ae3911

SHA256
32e7f8dccb30f173a254a4e079a7811c299f0eec6b816d60e10877f10ff7e5df

SHA512
cd9e844c5814369390b7b03fb16bcc0597de55c28b31f363a3377c2b5bf4acd58db37ada95321640e1871e839e47fe097c8d47f8f87223bfdcf8e351504b425a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2D11.exe

Filesize
15KB

MD5
80060ed4508be738c785d1b1f988b186

SHA1
cf160fcc4641648bb89b158c28a510c4d83a837a

SHA256
b57d39eddd36ce82490dbe359ba3e487d065b318d65ff564510f7bc042657381

SHA512
b0e47aff5ba357009d5cba038d9b36a105fa40f7412d7772587ed762b9da584ba2dd5953f736ab35f92916c121e97604854f05d344c1894b7cbdafecf99c79ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7D8C.exe

Filesize
15KB

MD5
8dfe219eb38786bde8f26e80be9be0dd

SHA1
64644499c6499e496d934bde8ad59223d2e40de7

SHA256
863674903a84d65809449dfb0867b1192a5bc83d86e29d47999860c5be9a6708

SHA512
ea4f894f81283fec36144643bff420aa916e6ec56ca4dc42ef3859ffef4e0f24c428f9ac640c842ff90d89d03c2ccf95d4a4c8053edc2c8f05c4a6953587bfa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM80A5.exe

Filesize
15KB

MD5
f28cd04b57b02e919dcf25f2e168ac10

SHA1
c80b63040d7a46c782d06c5a86be046fa4b65685

SHA256
84786379bc2fe619bf17ffc550760676d6b66b313c5706c75116114a309b48f4

SHA512
32bcf2058ede1e20ddf0a910600ee203d86f56e78952d1b648cbfbb048bd6e13b766ed5a8dc1bbe2e895b8ef81af1d06c45e9599ef6df64f2b894f05d4d4547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD448.exe

Filesize
15KB

MD5
2a0ec4e5814c018a7c9cabed2cd8809d

SHA1
8d5d079208f3d21169af1a756cc3f1add29cac94

SHA256
1bafe0c6d02ca5808ab0dda26b970f7acc540c2cf5778c6186dcc39ebd9a05e7

SHA512
80974004362c907b861b4dc9ec0298e3290de2a7d5b9f18c0e70ebf98cddea33f350ca583d92df49d278990bad409b9c43799a9a7c38f4f3bb37642989413b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD6E3.exe

Filesize
15KB

MD5
2d7faa18d2bead5c08ff8a5b0b3554ba

SHA1
257ea7c0b656adc0dd648f927ecb60074dda5f8f

SHA256
78bd7ee4740ecfa53f507bbe72732a0f94da73008b3aaedbd1bf3ee82e43daf0

SHA512
2e4024c4bb26241008e6615f9460d9a1d8371087c36e1e59df9c579b909bc75c8ad7d74f3846752d86a4a7d84f2b9fd851d2ecc08ec88fd1d2fc113f827e2891

Download Submit

Analysis

Sharing