c461e1dfd818913f2ecd92901515c2d84e8f1a6309513d3194eea25e212ad54b

General

Target

41892fa9ef59157dd6d19f03bcf9608b_JaffaCakes118.exe
Size

15KB
MD5

41892fa9ef59157dd6d19f03bcf9608b
SHA1

1dc833d8c9cfda67e1c05ae484f42ac575dc5fce
SHA256

c461e1dfd818913f2ecd92901515c2d84e8f1a6309513d3194eea25e212ad54b
SHA512

728093b9db16bfb6ec1f836c4bcb87bf98144410fc2c35d3e14074ff31aefeb800ae092a625d5d7aabecd8589608dae40424d47320cc691ccf1ef82e3593a20d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8a:hDXWipuE+K3/SSHgxm8a

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	41892fa9ef59157dd6d19f03bcf9608b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEM8D6B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEME3C8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEM39E7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEM9045.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEME663.exe

Executes dropped EXE 6 IoCs

pid	Process
4012	DEM8D6B.exe
4452	DEME3C8.exe
4220	DEM39E7.exe
3612	DEM9045.exe
4464	DEME663.exe
3476	DEM3C92.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME663.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3C92.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41892fa9ef59157dd6d19f03bcf9608b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8D6B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME3C8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM39E7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9045.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 4012	4120	41892fa9ef59157dd6d19f03bcf9608b_JaffaCakes118.exe	87
PID 4120 wrote to memory of 4012	4120	41892fa9ef59157dd6d19f03bcf9608b_JaffaCakes118.exe	87
PID 4120 wrote to memory of 4012	4120	41892fa9ef59157dd6d19f03bcf9608b_JaffaCakes118.exe	87
PID 4012 wrote to memory of 4452	4012	DEM8D6B.exe	93
PID 4012 wrote to memory of 4452	4012	DEM8D6B.exe	93
PID 4012 wrote to memory of 4452	4012	DEM8D6B.exe	93
PID 4452 wrote to memory of 4220	4452	DEME3C8.exe	95
PID 4452 wrote to memory of 4220	4452	DEME3C8.exe	95
PID 4452 wrote to memory of 4220	4452	DEME3C8.exe	95
PID 4220 wrote to memory of 3612	4220	DEM39E7.exe	97
PID 4220 wrote to memory of 3612	4220	DEM39E7.exe	97
PID 4220 wrote to memory of 3612	4220	DEM39E7.exe	97
PID 3612 wrote to memory of 4464	3612	DEM9045.exe	99
PID 3612 wrote to memory of 4464	3612	DEM9045.exe	99
PID 3612 wrote to memory of 4464	3612	DEM9045.exe	99
PID 4464 wrote to memory of 3476	4464	DEME663.exe	102
PID 4464 wrote to memory of 3476	4464	DEME663.exe	102
PID 4464 wrote to memory of 3476	4464	DEME663.exe	102

C:\Users\Admin\AppData\Local\Temp\41892fa9ef59157dd6d19f03bcf9608b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41892fa9ef59157dd6d19f03bcf9608b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Users\Admin\AppData\Local\Temp\DEM8D6B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8D6B.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Users\Admin\AppData\Local\Temp\DEME3C8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME3C8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Users\Admin\AppData\Local\Temp\DEM39E7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM39E7.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4220
    - - C:\Users\Admin\AppData\Local\Temp\DEM9045.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9045.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3612
      - C:\Users\Admin\AppData\Local\Temp\DEME663.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME663.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\DEM3C92.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3C92.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM39E7.exe

Filesize
15KB

MD5
b118ace626199d18b5eff80c3bf92831

SHA1
276a9d87321650c47480210683473b4f6cc33f38

SHA256
daf7d5b04c44da7776f0cf968269f6cba84a176a8fda7ee686421f59bb61d885

SHA512
0b4bd8f4d0dea636359d35810c8a740834ce1d832e9f39be8613a2c025afe37d012c9a3a943af659d3b5214fe1c0666cf1ffc54430dfcb8a5ecca3bcee41dd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3C92.exe

Filesize
15KB

MD5
30ecb6661abbb7c1cbf1fee09d14500d

SHA1
3955ea75ef9ad1ed08b3c73899da7a9f893d8d51

SHA256
f1bdff0230da8dca04e997b7912d79b217f0dfd527a1480bf9c76d3cc05e1be4

SHA512
65c46ddb77891e37764226a09b662ada8a6ebc5f5953994f88790c6968b8d6fcf1835c613401d61eb1710218c7a2819b6b019eb3356c52527c521db14eafd7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8D6B.exe

Filesize
15KB

MD5
f8a9527887826f96dbc85ae0fe01b774

SHA1
62d2f6ea295d3f02f0ccc88db73a0cb317636cd9

SHA256
73648b8d5e109ba7191714cfb85b3f4b1605e0e380bd0668b45ccbb0a3630361

SHA512
3ca1597fce2bc5237e4bb6f7c7ae89b10da9b472738892d438b6f3be70278f94a226dc392b1e755b6e695ad4a69eef58f6f914e5961590eaa24bf504ff31f402

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9045.exe

Filesize
15KB

MD5
433da655ca09120655c14a013b4c0d3e

SHA1
edf9094573aea24c300fade8a57a6a67dcfda8a6

SHA256
ebd1ed4db79e26835d93118084501591ea783891d35a94f8b35266d117cebf42

SHA512
cca00c2acc3e7b2d95a8e597a4d0a8320c49417315c65bdc599ce4159b9cea76d238399312bbe0d0f5eadcfe0e6fc36febc18922e9c5425d6f8b5ba3606f3072

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME3C8.exe

Filesize
15KB

MD5
d8fdec3655ac8a5a2ddf3bba34997484

SHA1
60a4eff442abb2e0518f92a26f05f039bd749db2

SHA256
b04df4d9a32342ecb802f214e0f5430f0c83cfc7044db12b9541fb7a35ca672e

SHA512
5b41547f845e110937b0aa2cec5bc29a8373d9fc4970bafc29f7a502dde047e576ff86b3364823f3fa48e48745a1e7b4b2008015958a4b55b37a3ee1a94b63db

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME663.exe

Filesize
15KB

MD5
fd924325e832aa4ce516e91d0cf00eb7

SHA1
0fff0ca081341815d190ad0457aa3c6e67d882a7

SHA256
d06ce181b2bc7aeee343886365c560b1535175451415b796fd76489cb10e05df

SHA512
91b7f2a1e11ed6d780a7a41a5859b0598d9a21c9f7bb427729a9733b3590d158b8e552f90295f8367fc800bd7a61d16f7de9b506cc1ef707b31fe20dd4b194e9

Download Submit

Analysis

Sharing