5fc902d366e6ee1386a8d8c4a015f55281cde13b99589e72c0365c3f8aa12e06

General

Target

3c9a2900d31fb1b91c189473da7cd487_JaffaCakes118.exe
Size

14KB
MD5

3c9a2900d31fb1b91c189473da7cd487
SHA1

d341b0bc21e576a70451d23dab16f5c6994a51f9
SHA256

5fc902d366e6ee1386a8d8c4a015f55281cde13b99589e72c0365c3f8aa12e06
SHA512

6f83fbc6d9bd754d602b0723944567f1355c0615aa799657d5fe62ea894f3ab51ab2656f166ce32f6119e5329cc7a178ef49f6584b6a4603436d4144e7a1625c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhP:hDXWipuE+K3/SSHgxp

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	3c9a2900d31fb1b91c189473da7cd487_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEMB5D3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEMD49.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEM6397.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEMBA62.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEM111D.exe

Executes dropped EXE 6 IoCs

pid	Process
2436	DEMB5D3.exe
3408	DEMD49.exe
2896	DEM6397.exe
1468	DEMBA62.exe
1448	DEM111D.exe
3700	DEM67A9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c9a2900d31fb1b91c189473da7cd487_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB5D3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6397.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBA62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM111D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM67A9.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 2436	4036	3c9a2900d31fb1b91c189473da7cd487_JaffaCakes118.exe	87
PID 4036 wrote to memory of 2436	4036	3c9a2900d31fb1b91c189473da7cd487_JaffaCakes118.exe	87
PID 4036 wrote to memory of 2436	4036	3c9a2900d31fb1b91c189473da7cd487_JaffaCakes118.exe	87
PID 2436 wrote to memory of 3408	2436	DEMB5D3.exe	93
PID 2436 wrote to memory of 3408	2436	DEMB5D3.exe	93
PID 2436 wrote to memory of 3408	2436	DEMB5D3.exe	93
PID 3408 wrote to memory of 2896	3408	DEMD49.exe	96
PID 3408 wrote to memory of 2896	3408	DEMD49.exe	96
PID 3408 wrote to memory of 2896	3408	DEMD49.exe	96
PID 2896 wrote to memory of 1468	2896	DEM6397.exe	98
PID 2896 wrote to memory of 1468	2896	DEM6397.exe	98
PID 2896 wrote to memory of 1468	2896	DEM6397.exe	98
PID 1468 wrote to memory of 1448	1468	DEMBA62.exe	100
PID 1468 wrote to memory of 1448	1468	DEMBA62.exe	100
PID 1468 wrote to memory of 1448	1468	DEMBA62.exe	100
PID 1448 wrote to memory of 3700	1448	DEM111D.exe	102
PID 1448 wrote to memory of 3700	1448	DEM111D.exe	102
PID 1448 wrote to memory of 3700	1448	DEM111D.exe	102

C:\Users\Admin\AppData\Local\Temp\3c9a2900d31fb1b91c189473da7cd487_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c9a2900d31fb1b91c189473da7cd487_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Users\Admin\AppData\Local\Temp\DEMB5D3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB5D3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\DEMD49.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD49.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Users\Admin\AppData\Local\Temp\DEM6397.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6397.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Users\Admin\AppData\Local\Temp\DEMBA62.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBA62.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1468
      - C:\Users\Admin\AppData\Local\Temp\DEM111D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM111D.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\DEM67A9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM67A9.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM111D.exe

Filesize
14KB

MD5
c2b117e529edfc2debe1ef4918222e78

SHA1
0d887c143ea07e8ca89084833777b40b4b09f7b9

SHA256
5b408fc08535a01a51237286c30c2b50bdfee376f8c24bbcb79d3acb864f9bfb

SHA512
d448a444417c93dc2ca57dec08512d737c737c9119722c6c2c8c33db2494dddb2037f4d37fd22b41a3668b9d21bb0bcf4bf9c268bf9b66ca8747d1a2059b3708

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6397.exe

Filesize
14KB

MD5
7f92f1ba1fe3a449f99832621316cce4

SHA1
63a6318915d37ab1855cf44befd9897591d39676

SHA256
23256dee44fddf590ed40cf0253c76c7472ab331e482a47e596ae8da3ab4ea13

SHA512
9a728dab5479dd5e670bda353d7a26d442a06681840aef65200e2ba5c8de718a9b604b146e8ac205b6ec69e4d011581fba613cc65caacd44a5827895dba1927c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM67A9.exe

Filesize
14KB

MD5
a5eb2984898618c520134d4f8b46657e

SHA1
11cafb9f9f1e763c576642f7de08eacc4224b350

SHA256
8a70ebd231a446018da95ffe4cc0bac1565a860984a5d47fa9c73ef96c128b43

SHA512
062bef03aa5a7de2d2ba014f5218ff8ecef354cb5edbb88f165e6a9fb9a4cf651335123c916434c8d7daa1ae4cd0f64750eaf1972fc5ab3930f61589c8ce680d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB5D3.exe

Filesize
14KB

MD5
68f81ca004509d1c1eb78247f1cd2eb6

SHA1
5c8542280ed44c29cff703b76863064c92b27e32

SHA256
f5157029ff1d4ee29aaac8a87a66bdcd1804f459062c2193aaad798b5163d69b

SHA512
105dd9f5b12ec79df9bf91fd4974afe53051d98c4eb1d32d58022ccfdc378099ec5146b2db957b454232c5979be9392bd8906f2b3e59640c0cbf7f5306b1f262

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBA62.exe

Filesize
14KB

MD5
e070572dc47304feeac68b48d23f0b8e

SHA1
87942a5bc1dd0ff86fd8eb24be03fd44bd15f399

SHA256
b263b5e8a9f858d09c5809ab0ff50be4ac4e4bdf4f61498570cb57415a5c2b56

SHA512
1b1da32302ff63c62eb6912642eedc80d8e55c936e63752057c1ea98c75cc0a7600a2899e97de2718d0b1e06f4cf0a22ef60c2154315561d313a7f44f405e67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD49.exe

Filesize
14KB

MD5
3fd6417e543a83879f51d62435ac400e

SHA1
e9a230c1b60375be3bf09fc1f24d1c9db4573b4c

SHA256
5bbf34ced345602a91ba14c9a71a707a31c7706d3f7615e72571a3c4ae5010e9

SHA512
a90ef2dbdea8210f7cea91639ce4d1e0c11a63e52858f382421f112a878fec119a95986a1619b165ef4b2f049a6dcc82007643466546901e9925e43088cc8654

Download Submit

Analysis

Sharing