651357b39854dde06a526cb37836264a7df605911ce589c848c2e4120ae965d4

General

Target

3cdacb6ab5121019143c5c96e67f2000_JaffaCakes118.exe
Size

14KB
MD5

3cdacb6ab5121019143c5c96e67f2000
SHA1

6d0aacb61a250492c118915902ee747d7bc82d98
SHA256

651357b39854dde06a526cb37836264a7df605911ce589c848c2e4120ae965d4
SHA512

f87aaef1ca9fab141eb976db4360bf510b8358801a4f59b181ab6ac48db2ede43bd50559f79418b46ba94bf7552b0086ad38ac3b47c75ec6d1e286286cfa7ade
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5S:hDXWipuE+K3/SSHgxm0

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEM8095.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEMD712.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	3cdacb6ab5121019143c5c96e67f2000_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEM7D7D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEMD438.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEM2A76.exe

Executes dropped EXE 6 IoCs

pid	Process
2848	DEM7D7D.exe
4320	DEMD438.exe
4560	DEM2A76.exe
3824	DEM8095.exe
4748	DEMD712.exe
4796	DEM2D8E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8095.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD712.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2D8E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cdacb6ab5121019143c5c96e67f2000_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7D7D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD438.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2A76.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2848	2876	3cdacb6ab5121019143c5c96e67f2000_JaffaCakes118.exe	87
PID 2876 wrote to memory of 2848	2876	3cdacb6ab5121019143c5c96e67f2000_JaffaCakes118.exe	87
PID 2876 wrote to memory of 2848	2876	3cdacb6ab5121019143c5c96e67f2000_JaffaCakes118.exe	87
PID 2848 wrote to memory of 4320	2848	DEM7D7D.exe	92
PID 2848 wrote to memory of 4320	2848	DEM7D7D.exe	92
PID 2848 wrote to memory of 4320	2848	DEM7D7D.exe	92
PID 4320 wrote to memory of 4560	4320	DEMD438.exe	94
PID 4320 wrote to memory of 4560	4320	DEMD438.exe	94
PID 4320 wrote to memory of 4560	4320	DEMD438.exe	94
PID 4560 wrote to memory of 3824	4560	DEM2A76.exe	96
PID 4560 wrote to memory of 3824	4560	DEM2A76.exe	96
PID 4560 wrote to memory of 3824	4560	DEM2A76.exe	96
PID 3824 wrote to memory of 4748	3824	DEM8095.exe	98
PID 3824 wrote to memory of 4748	3824	DEM8095.exe	98
PID 3824 wrote to memory of 4748	3824	DEM8095.exe	98
PID 4748 wrote to memory of 4796	4748	DEMD712.exe	100
PID 4748 wrote to memory of 4796	4748	DEMD712.exe	100
PID 4748 wrote to memory of 4796	4748	DEMD712.exe	100

C:\Users\Admin\AppData\Local\Temp\3cdacb6ab5121019143c5c96e67f2000_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3cdacb6ab5121019143c5c96e67f2000_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\DEM7D7D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7D7D.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\DEMD438.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD438.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\DEM2A76.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2A76.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4560
    - - C:\Users\Admin\AppData\Local\Temp\DEM8095.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8095.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Users\Admin\AppData\Local\Temp\DEMD712.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD712.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\DEM2D8E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2D8E.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2A76.exe

Filesize
14KB

MD5
863df3f1e2b4690e23ad563ecb74652b

SHA1
0b73752b8b94d0c02255c649e71593387dbf5510

SHA256
cb08a34f8b53d6baf276350cb0bfee7786c7515157a183d59708b2c275d08135

SHA512
3748075d25625a7d353e876549cda636cee8a15c0e004d278671a2611c7693856fabec2b0a45de7d047200d2234c441d51f28445f13bf1a2047e500a66af99f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2D8E.exe

Filesize
14KB

MD5
a5ab7a6764c6fcfbb2ed1d54bf0e31f7

SHA1
dddef05c26f2224777cba5ad753b6e300ba3c510

SHA256
505009c5697f964cabc6ff26ff852ff8b62f3b20b422c7126dc50d8bf665b04e

SHA512
59a681012575999a8c79d38849e20b1a5462ab61b53860ca3a290bf36a705df32f06ef762aa523a1dd36311b7895d05b4b004cd611d139a207a1155fed913e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7D7D.exe

Filesize
14KB

MD5
dbfd5ea47c2a1b37fa7f96627a7646f8

SHA1
d049ba0583447a0ab13383eb924688e58c72b710

SHA256
c3b46166e6422561a949600c2c19e1a34045e57be524641356b00102f30d876f

SHA512
7155c98ab50f62d49f7fc2a9e52f11a5ecc5041e72ca581802862d4fab68a4685db8f7ba8cb52c2db5de6de55c37fc07d210ed922de81a33a0ff7f0da2319dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8095.exe

Filesize
14KB

MD5
9f1f374155d3c2090c9b7a0e53ebec38

SHA1
56869ed09333e8e03fa21a2023eae40fddb84ea2

SHA256
aa6716e52516db391e1d7cde07815968ba9352151ab83a7dac1218702cea602b

SHA512
2c104d19eb267cde7700438478e36c511641861fbebb2baf5f5bcbdf7ac5952a057f4ea30d2901f8bb1c2bf7e1cad3e0ad2129c51730bf448a75f8fd9561dc66

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD438.exe

Filesize
14KB

MD5
c772dc33c8bd0d9d3f8e0cd653ce8b09

SHA1
698a53630eee2cc97c3dec01a257a94590c3a35f

SHA256
b0874bc84cbbc80a1c382bdc66c32b67b6cc05722bf61dabf7dd1279ede034f4

SHA512
dc8e26830397511c80b38811ac936d2545b9c2840a011ca888b64086105df2090cf280d59298f47ebf68a865dc9da7559c09ca3a93f1a779628c1572b0f23407

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD712.exe

Filesize
14KB

MD5
1bbf3ab12277ab501e5d6a7e46c54293

SHA1
84e7f3eb86a713390b93826665ba018a58a7f1a2

SHA256
f35805ee7a90ff6ad1587e36371486b00efec12fa3a9cba9bf8bb6cbfe080f1e

SHA512
ab08340deaa872fe66afaf7dce1cb451fe5975bda501abf7f5057e78d1ee9e892e25ae58941dbf2f0818ec55ecc672a57a9b9d93f0c8d1f67b886d05aba7a700

Download Submit

Analysis

Sharing