ea0e3e401488f6442774f9dfdc05b794a0d632d3a1e71bebd9bc38e42f1bb03f

General

Target

3755096f70f5b06820c778af7e0b2266_JaffaCakes118.exe
Size

14KB
MD5

3755096f70f5b06820c778af7e0b2266
SHA1

cd38bb6be49b74000727b9355368b932fbe5ce2b
SHA256

ea0e3e401488f6442774f9dfdc05b794a0d632d3a1e71bebd9bc38e42f1bb03f
SHA512

d369a7fe5a2ad5fc93e05845cf93507687f1878449544836c781d6210b652dc87caf7122313ccdea652ff24e963e8322ca627c497b2f6a018b3a564280a0e408
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhq:hDXWipuE+K3/SSHgxY

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEM8EDD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEME4AE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	3755096f70f5b06820c778af7e0b2266_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEM8C90.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEME2FD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEM38ED.exe

Executes dropped EXE 6 IoCs

pid	Process
1300	DEM8C90.exe
5100	DEME2FD.exe
2408	DEM38ED.exe
2452	DEM8EDD.exe
4348	DEME4AE.exe
4828	DEM3A5F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM38ED.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8EDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME4AE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3A5F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3755096f70f5b06820c778af7e0b2266_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8C90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME2FD.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 1300	1576	3755096f70f5b06820c778af7e0b2266_JaffaCakes118.exe	87
PID 1576 wrote to memory of 1300	1576	3755096f70f5b06820c778af7e0b2266_JaffaCakes118.exe	87
PID 1576 wrote to memory of 1300	1576	3755096f70f5b06820c778af7e0b2266_JaffaCakes118.exe	87
PID 1300 wrote to memory of 5100	1300	DEM8C90.exe	95
PID 1300 wrote to memory of 5100	1300	DEM8C90.exe	95
PID 1300 wrote to memory of 5100	1300	DEM8C90.exe	95
PID 5100 wrote to memory of 2408	5100	DEME2FD.exe	97
PID 5100 wrote to memory of 2408	5100	DEME2FD.exe	97
PID 5100 wrote to memory of 2408	5100	DEME2FD.exe	97
PID 2408 wrote to memory of 2452	2408	DEM38ED.exe	99
PID 2408 wrote to memory of 2452	2408	DEM38ED.exe	99
PID 2408 wrote to memory of 2452	2408	DEM38ED.exe	99
PID 2452 wrote to memory of 4348	2452	DEM8EDD.exe	101
PID 2452 wrote to memory of 4348	2452	DEM8EDD.exe	101
PID 2452 wrote to memory of 4348	2452	DEM8EDD.exe	101
PID 4348 wrote to memory of 4828	4348	DEME4AE.exe	104
PID 4348 wrote to memory of 4828	4348	DEME4AE.exe	104
PID 4348 wrote to memory of 4828	4348	DEME4AE.exe	104

C:\Users\Admin\AppData\Local\Temp\3755096f70f5b06820c778af7e0b2266_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3755096f70f5b06820c778af7e0b2266_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\DEM8C90.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8C90.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Users\Admin\AppData\Local\Temp\DEME2FD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME2FD.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Users\Admin\AppData\Local\Temp\DEM38ED.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM38ED.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Users\Admin\AppData\Local\Temp\DEM8EDD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8EDD.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2452
      - C:\Users\Admin\AppData\Local\Temp\DEME4AE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME4AE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\DEM3A5F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3A5F.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM38ED.exe

Filesize
14KB

MD5
fbebce25e353bb7b78b27725809ce188

SHA1
e6bd866484c992ac818387d70bc4e30b7e282005

SHA256
78576f5dc31bb6819447155bef74e8acb69e9713ebf7ee169c6804e4b038b89a

SHA512
387b1d281e9d9229dcd59c423471eb8c498e862564beb3b51b51ae0229d1c2e21824c5a34c2643793745c8d61627ebe22d6aef062eb229dd1193f8966852ecad

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3A5F.exe

Filesize
14KB

MD5
5ddaf0502a3f62386a206f55cd57bf34

SHA1
897b72b0541b8bb998157c63d6ec05b106829159

SHA256
7a64fedce88d7c302d70056665349a71856f324840a2b4a0ed1b22e89745335d

SHA512
215d03faedd481a5c5de19b0b3c6dd3f71f4c2f0dfdaa85f3357b3ebd166cfb2cd43e6a8d2b50a46a06862896d4ff116dc43f6ca8d08ea0a51bce1b9312090d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8C90.exe

Filesize
14KB

MD5
94a69e8985fe51d416668c6ff7ee0cf8

SHA1
b4519eaa62e10cdced3a4422e0908e0c5d26ca47

SHA256
fb3c3d62f0432ab6617ed2773f9e6e1bab9cb6c2bf3f10ba4559f8a98e6576eb

SHA512
3763f8471ef99e5e503211b953f48fd917ef8f6c67d00853c136394fc334e02e8515b93b8853a8cb8469b80c02c32029ab8dbbe8f8364d979160327714a95f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8EDD.exe

Filesize
14KB

MD5
1aded7a089729cf56907dd11a24722d6

SHA1
833cebb8494236f5936dc76a2cad90a9f63ef61a

SHA256
1d44c2d8d21e033c5626911ce0ea26c71ad8f0e65b277c9e9d689a1a9e801539

SHA512
388b469663585e1afb70bd6a4ea3aa8b0ed3b553695fa6b4d9ab5f23826cc6e1f9457873545c004fa1f15cd9bb63c2913d5d19c440f9e6b529cd7c997dcd4f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME2FD.exe

Filesize
14KB

MD5
d389b6dfa2c8d01f182264eba97a6416

SHA1
75a1dd07156cf15c91df613883e3f1d0467ab209

SHA256
6dc967ccea9e335bf9bb14fe665c0ef917eb59aa503ed1872098738281e9504b

SHA512
80df7a05ef1ec4faae03ee6caa61293f94f97d3bae075fb176e0b72bce64beeb3f2e567f226c88662f5144b1bf602d933ab75b41d368a92195cda79308ce2398

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME4AE.exe

Filesize
14KB

MD5
f3a67512bbef442f8c0676ddd5cfea65

SHA1
e26c543606f13675701b1f0869d59fc51ec5645a

SHA256
ef0f057c310fba9c3635bf6752de6fbd5ef8b0ce13cfb57a3c1b50a77e152cd3

SHA512
1e4c9a26d70390e057f1c4c5d49305b96ef36492edb4b1db2e2a269b46787fafe0483fd4bf40ee2f25d7a75747988a8410cf74d31e5864ec39cef9e7c80f4982

Download Submit

Analysis

Sharing