dd40156bb590a67efd281860ba3e8a9b27fc51258cd784c983f9e1ac0700b332

General

Target

3b6d83310ed0b07a71a362a21663d3a0_JaffaCakes118.exe
Size

15KB
MD5

3b6d83310ed0b07a71a362a21663d3a0
SHA1

b912e6f5c7a8dcf15f4cfb95275795d49dd2f1c1
SHA256

dd40156bb590a67efd281860ba3e8a9b27fc51258cd784c983f9e1ac0700b332
SHA512

a1535c0b6b1534733494b524a1f1ae2091c31cc6dee048afab626bf3342b298171a3879fe51b1c161656b7dc3f92af5f1dc3de4a2dc15af1a34a85f9e1c1cf83
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxU:hDXWipuE+K3/SSHgxmHC

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM26CD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM7CEB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEMD349.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3b6d83310ed0b07a71a362a21663d3a0_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM7A41.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEMD0AE.exe

Executes dropped EXE 6 IoCs

pid	Process
2348	DEM7A41.exe
2484	DEMD0AE.exe
2636	DEM26CD.exe
3304	DEM7CEB.exe
3040	DEMD349.exe
3772	DEM2968.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM26CD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7CEB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD349.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2968.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b6d83310ed0b07a71a362a21663d3a0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7A41.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD0AE.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2348	1212	3b6d83310ed0b07a71a362a21663d3a0_JaffaCakes118.exe	87
PID 1212 wrote to memory of 2348	1212	3b6d83310ed0b07a71a362a21663d3a0_JaffaCakes118.exe	87
PID 1212 wrote to memory of 2348	1212	3b6d83310ed0b07a71a362a21663d3a0_JaffaCakes118.exe	87
PID 2348 wrote to memory of 2484	2348	DEM7A41.exe	91
PID 2348 wrote to memory of 2484	2348	DEM7A41.exe	91
PID 2348 wrote to memory of 2484	2348	DEM7A41.exe	91
PID 2484 wrote to memory of 2636	2484	DEMD0AE.exe	94
PID 2484 wrote to memory of 2636	2484	DEMD0AE.exe	94
PID 2484 wrote to memory of 2636	2484	DEMD0AE.exe	94
PID 2636 wrote to memory of 3304	2636	DEM26CD.exe	96
PID 2636 wrote to memory of 3304	2636	DEM26CD.exe	96
PID 2636 wrote to memory of 3304	2636	DEM26CD.exe	96
PID 3304 wrote to memory of 3040	3304	DEM7CEB.exe	100
PID 3304 wrote to memory of 3040	3304	DEM7CEB.exe	100
PID 3304 wrote to memory of 3040	3304	DEM7CEB.exe	100
PID 3040 wrote to memory of 3772	3040	DEMD349.exe	102
PID 3040 wrote to memory of 3772	3040	DEMD349.exe	102
PID 3040 wrote to memory of 3772	3040	DEMD349.exe	102

C:\Users\Admin\AppData\Local\Temp\3b6d83310ed0b07a71a362a21663d3a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b6d83310ed0b07a71a362a21663d3a0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\DEM7A41.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7A41.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Users\Admin\AppData\Local\Temp\DEMD0AE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD0AE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\DEM26CD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM26CD.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Users\Admin\AppData\Local\Temp\DEM7CEB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7CEB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3304
      - C:\Users\Admin\AppData\Local\Temp\DEMD349.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD349.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\DEM2968.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2968.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM26CD.exe

Filesize
15KB

MD5
a86b7737ff2da4c39e2b045f91e1ac3f

SHA1
40c193c4ecb4f2f00477e6b413760f4b4f2b7bc0

SHA256
2f77a5024db9570cf4a20d35ed9fdb1ef2516e407a6b1f799353456bf68c61e9

SHA512
dbed256603b51bb7f702db4aeabcc2ef8ec337c87638d42c920e9e67bf0c3d8b9e1cd32a8837cf4e7c8ea1ccc1b371c12ac649e6c92642924865e796c75bcdbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2968.exe

Filesize
15KB

MD5
f5ac73388a4aba14f0a225278da53b47

SHA1
eb2ce0326b7d843261e6f8d0c81b02b6dd66d181

SHA256
fd185c77bf8a4c0c131706f00a729b09e17e9b671f33511a907d5e7530b40025

SHA512
2665848e44fab3eb1e136f490f880268fa52bb51fd48fead28b49a2bc9c2241224cf1275a38104526141af951ec3f099f5fa93c51638e3c63abef5d6b5648c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7A41.exe

Filesize
15KB

MD5
c5ca2a7625bf4d8b7409caf4ecc4a82b

SHA1
b00672c67a9b73e19a6dc2d7f3da3a67f3a97149

SHA256
195076779f6d1bd02f682b90c1d4a94c9c79cdf47a9dc67a15fdcea4cc41d059

SHA512
15e882b944cf4894da7163e793af6eddff5adb942cff9cb0c2579d9b09433c823511ef19d06a2fe6ea38b24e68923ded47d6f4f45f93921e966ccc9d28fa6205

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7CEB.exe

Filesize
15KB

MD5
15b443ce5a6bf183a6937a34c4a332a8

SHA1
43ba6fece634450b7ecfd2f067fc5c9eface72b6

SHA256
7929815e026fa2b155c3a7e3d2714b87bf60e749dce524f0b843cc0819a93636

SHA512
01408066a82cac34a73ad4ed65a7771a35745c2102deb0c6040bcdcc5278e090209fdf4cef5eeadcd6909504bbddcadbc6c42cc847d2b9618f2619f0be9e3ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD0AE.exe

Filesize
15KB

MD5
678c9fdf26ba38552cfca093c0c3cb34

SHA1
0faa044268c8bc3ab2c85e39451b190f33cc2316

SHA256
f3281a5ebfcc395211b0d4b2cec7c66631de1e6ad3ce29d6ab6f6dcdd26eee33

SHA512
e1344730507d810fe8e8decce2936fa73dc7aec5f0725a55f5673c287f89c9e1680d2d818a1223ba4119d6b5cc166971205a814ebbb64a7bd24b350ed8591491

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD349.exe

Filesize
15KB

MD5
67ca2a78d95cdd67ebc9e40d026ff618

SHA1
4980134e1ee0eac8beed15baaaf753551e486942

SHA256
1e39020587ae65c6b38a8ec7447bdf591057ac7bc85ada4aa025428b0d2c0168

SHA512
f965142afc2a5701a9a1a9d4a8725cfe090ca423ce108cee7eab0d2a3e3ea509ba0f0e243ff5190c5c82563e7218f9b488e5b84a966a63d6b380c54c51a9c789

Download Submit

Analysis

Sharing