cede34e133897c5d429934031ce26a8d1d14f67f511ed56045e4738200d412b0

General

Target

3eae069d086e855b8494ce9da8de6b36_JaffaCakes118.exe
Size

14KB
MD5

3eae069d086e855b8494ce9da8de6b36
SHA1

1de6422e19fd3e7523faff80957015834083ca0d
SHA256

cede34e133897c5d429934031ce26a8d1d14f67f511ed56045e4738200d412b0
SHA512

fdb966ad434963c236cbc0fd218c5a898cf4a1b1da3cb8f9c4a5c4f768fb65574cb79b5425213e88da6e1a1438ebfa8505947f03d5c62ebc0948db174d845d1b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5ur:hDXWipuE+K3/SSHgxm0r

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEME2F8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	3eae069d086e855b8494ce9da8de6b36_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEM89B2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEME07D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEM368C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEM8CDA.exe

Executes dropped EXE 6 IoCs

pid	Process
3004	DEM89B2.exe
4060	DEME07D.exe
444	DEM368C.exe
1672	DEM8CDA.exe
4040	DEME2F8.exe
3132	DEM3965.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8CDA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME2F8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3965.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3eae069d086e855b8494ce9da8de6b36_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM89B2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME07D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM368C.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 3004	3632	3eae069d086e855b8494ce9da8de6b36_JaffaCakes118.exe	87
PID 3632 wrote to memory of 3004	3632	3eae069d086e855b8494ce9da8de6b36_JaffaCakes118.exe	87
PID 3632 wrote to memory of 3004	3632	3eae069d086e855b8494ce9da8de6b36_JaffaCakes118.exe	87
PID 3004 wrote to memory of 4060	3004	DEM89B2.exe	92
PID 3004 wrote to memory of 4060	3004	DEM89B2.exe	92
PID 3004 wrote to memory of 4060	3004	DEM89B2.exe	92
PID 4060 wrote to memory of 444	4060	DEME07D.exe	94
PID 4060 wrote to memory of 444	4060	DEME07D.exe	94
PID 4060 wrote to memory of 444	4060	DEME07D.exe	94
PID 444 wrote to memory of 1672	444	DEM368C.exe	96
PID 444 wrote to memory of 1672	444	DEM368C.exe	96
PID 444 wrote to memory of 1672	444	DEM368C.exe	96
PID 1672 wrote to memory of 4040	1672	DEM8CDA.exe	98
PID 1672 wrote to memory of 4040	1672	DEM8CDA.exe	98
PID 1672 wrote to memory of 4040	1672	DEM8CDA.exe	98
PID 4040 wrote to memory of 3132	4040	DEME2F8.exe	100
PID 4040 wrote to memory of 3132	4040	DEME2F8.exe	100
PID 4040 wrote to memory of 3132	4040	DEME2F8.exe	100

C:\Users\Admin\AppData\Local\Temp\3eae069d086e855b8494ce9da8de6b36_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3eae069d086e855b8494ce9da8de6b36_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Users\Admin\AppData\Local\Temp\DEM89B2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM89B2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\DEME07D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME07D.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\DEM368C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM368C.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:444
    - - C:\Users\Admin\AppData\Local\Temp\DEM8CDA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8CDA.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1672
      - C:\Users\Admin\AppData\Local\Temp\DEME2F8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME2F8.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\DEM3965.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3965.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM368C.exe

Filesize
14KB

MD5
21db2c4f21cd6ed7ca190c6fb0359c12

SHA1
432cb0cd871ac90b22ad8c24d1e7769eacc52993

SHA256
51170bb8a938a32adf1f995bca2e46baa4b680c5af2a46f408422aacd99ffabf

SHA512
15692c5bbb33094880af61382e75192ddd9498d06bf82690bbb28e96c96f49c62c80e7918fb2fbd520d1af7946d481844ee84f78655f9723c65bc376eca7b982

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3965.exe

Filesize
14KB

MD5
b7dce38da82d1d25610f4eaf23a2afdd

SHA1
531374a92bee47a5f9f774cedf4f1c6ac5779c46

SHA256
388f5a6054831dc723e37a0f073564d71d73e343d304ed080f1491eb5bec1522

SHA512
3a44087245b5a1d5f3bbedba21cf93989d3170b94daf86f88cb8392267bf6b6cc566403e86592484d30f634020f921725c2f185744313d04cd84331c5ade1044

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM89B2.exe

Filesize
14KB

MD5
0197f6dcd61331a8260e98791c4f262e

SHA1
c7f83ec73b1315ad2b47403632f96b1ba9b3a6a0

SHA256
8e7d5e95c754dc9f5c4740fc30afb228ae273249bd58456f2aa86e50624b8294

SHA512
54a384f582de0db2e807de84f508921074df9f00f56d47d661c142631a83bd088f239fea295df0cfa1d78c527ed7468e020514b103858a11f219a52b73170e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8CDA.exe

Filesize
14KB

MD5
760d3c67e9b19ab95902f4e38630a6c6

SHA1
95b6a7f40af5d6d0985702552a926c912e96a281

SHA256
f90abb877a8c165ee9852af2eb433b7b82847d882b436de2a7676159e0ea4066

SHA512
7fb0227c66290437a3c5f7e80d9b091fa23d7fc2a00f95d768c5335186cff6bbec0be09995c5b773d884675cfb02f95deb089e9e6e8024a69a2af916e7ffae32

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME07D.exe

Filesize
14KB

MD5
e92c9dfdcae94adc11b761dd131ed9bd

SHA1
e2d0fa96a7673c4ca8190772070e251ebac19f97

SHA256
6e285326bb37117a924f3a07c0f8c6556e6df60a48e752bb1226e1edf2468dcc

SHA512
be530daf3687bcef96b5ec3ba29ebc54818ae1f9a4e4dc8cf573c01f2d40f679d30ed874362c3eb26d4f1a6ff0cb33c4dc49126fee4c63587cd3a42951ad5b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME2F8.exe

Filesize
14KB

MD5
bfebfd000e794790907cd3fb71fc6e7c

SHA1
f69c51bd79f8bdcee86a0979c64190b3b3ba506b

SHA256
47bac7a914dacaef81806e4f6ddabb069faacf4d9a5e42a7cb3cf26baba09397

SHA512
171bd9dd547dddcdf36f104b3c67fc8809ac3a904f5731f3e2fa4e8937a8ebfd7477163382bc3c9daa1f0c2587af019a05a8b8b741a14514813decbe3528cc90

Download Submit

Analysis

Sharing