3c2c608954fe1564e2f9f66ed89d3296c1214626b842cd772df8b43f55be2d38

General

Target

429a7995560ed7dd6fb858ecf23c2519_JaffaCakes118.exe
Size

14KB
MD5

429a7995560ed7dd6fb858ecf23c2519
SHA1

5a5134a6c4f9869f19f9366f8dd5cf5c236c45a2
SHA256

3c2c608954fe1564e2f9f66ed89d3296c1214626b842cd772df8b43f55be2d38
SHA512

9becab79f3794f2d837150f0775c99c7fc4844868885a65ebc52e9f910e9cbc1741c5bb9a326a5c06224588958f293262c6f2a058d216c694c0e0930cdab6dee
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY1:hDXWipuE+K3/SSHgxm1

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	429a7995560ed7dd6fb858ecf23c2519_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM80A9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEMD755.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM2DA3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM83C1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEMD9F0.exe

Executes dropped EXE 6 IoCs

pid	Process
3676	DEM80A9.exe
2820	DEMD755.exe
1336	DEM2DA3.exe
4360	DEM83C1.exe
3036	DEMD9F0.exe
4104	DEM300F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	429a7995560ed7dd6fb858ecf23c2519_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM80A9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD755.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2DA3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM83C1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD9F0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM300F.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 3676	5036	429a7995560ed7dd6fb858ecf23c2519_JaffaCakes118.exe	87
PID 5036 wrote to memory of 3676	5036	429a7995560ed7dd6fb858ecf23c2519_JaffaCakes118.exe	87
PID 5036 wrote to memory of 3676	5036	429a7995560ed7dd6fb858ecf23c2519_JaffaCakes118.exe	87
PID 3676 wrote to memory of 2820	3676	DEM80A9.exe	92
PID 3676 wrote to memory of 2820	3676	DEM80A9.exe	92
PID 3676 wrote to memory of 2820	3676	DEM80A9.exe	92
PID 2820 wrote to memory of 1336	2820	DEMD755.exe	96
PID 2820 wrote to memory of 1336	2820	DEMD755.exe	96
PID 2820 wrote to memory of 1336	2820	DEMD755.exe	96
PID 1336 wrote to memory of 4360	1336	DEM2DA3.exe	98
PID 1336 wrote to memory of 4360	1336	DEM2DA3.exe	98
PID 1336 wrote to memory of 4360	1336	DEM2DA3.exe	98
PID 4360 wrote to memory of 3036	4360	DEM83C1.exe	107
PID 4360 wrote to memory of 3036	4360	DEM83C1.exe	107
PID 4360 wrote to memory of 3036	4360	DEM83C1.exe	107
PID 3036 wrote to memory of 4104	3036	DEMD9F0.exe	109
PID 3036 wrote to memory of 4104	3036	DEMD9F0.exe	109
PID 3036 wrote to memory of 4104	3036	DEMD9F0.exe	109

C:\Users\Admin\AppData\Local\Temp\429a7995560ed7dd6fb858ecf23c2519_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\429a7995560ed7dd6fb858ecf23c2519_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\DEM80A9.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM80A9.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\DEMD755.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD755.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\DEM2DA3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2DA3.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Users\Admin\AppData\Local\Temp\DEM83C1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM83C1.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Users\Admin\AppData\Local\Temp\DEMD9F0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD9F0.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\DEM300F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM300F.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2DA3.exe

Filesize
14KB

MD5
44fb57f58b0933a54371c40fa7da88f1

SHA1
531ce5470579f838e96a9f65cc5e632be2b2a7a9

SHA256
bd1c94400a424ef47c3c96f48dff14a7bdeab3b5e713b9b04a4f0c258c6a86d6

SHA512
71675e362d8bb2513586c2857059ec7949ea4e903644ebd746f805a1282cb42deef2a1f1244aa10a83de8f15814eca75a6b4945cdf5af0270f66cc9082666c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM300F.exe

Filesize
14KB

MD5
45ea9dd7a3b3c9e7935b27f10af2524d

SHA1
6f0fd56dba4e886fc7893735621c4f0b2e0c445c

SHA256
817ebb6e8bcb9d5137cb6a3f9460a67345033a632ef00d000ce4ea80dfd37351

SHA512
e6f7d3cf1e932c335c60a7c4e879b8ae01a0f83ec285ad65b0d8ad4651a947c5afb67a9fe912101f879f9e8b8e4f754578ae367137af8ffa332253925ba436b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM80A9.exe

Filesize
14KB

MD5
94e9c296c07b9dcb1b7ef3b9584747ef

SHA1
7ee9f15424bf3c331baf8ea08a6ce972e021e5dc

SHA256
6715ccbcc0b07e3e3d3c22675b2ec98b0663909df605c58662c904ce5bdabf89

SHA512
af6ed5cf60877e64fe829b26fab202725ef1d3e64f4ec33ff906cd3a9226c7c5330cfa241cbd2675fc968541ce85be518e59b0b811a41ef1c6157e47c8f6307f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM83C1.exe

Filesize
14KB

MD5
5bf86041129174cad7f367a505c14397

SHA1
a876eb8cf26a73017b2f5e71d2514505768c9270

SHA256
8f400a4810dab96b96192e3d5e4dfe14be3cb76d0874daa3bfb2a0cf36d74c81

SHA512
1b8119d22abe03b12e4339bffccfc9a6aaaa662e44079a2299f65bf4cc18b9b64c59b10a5b8460d6de4cc22346b51cafd7a98a783ef23c8affc521763b4d6d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD755.exe

Filesize
14KB

MD5
f8c7e0eb75b30a23379529b8d0d88ef9

SHA1
656faff0b6263c14bb086e953c7dd510f24a5581

SHA256
357fe770ae8c4405cad7c7d3142498a2f844a6d33d38dd89cb1c191a1e72cd45

SHA512
0949fce85932ffca4132febb3eec06d563ee33441bfafab9a5d78f4673bd0c2eea1b7d36b0afdf1575e7b9c07824278992f3001dcaeee714886d625687f7dab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD9F0.exe

Filesize
14KB

MD5
88d5d3ea620a37ad90878e04a472680d

SHA1
b7b53d5a3a474a9cc7aad2d2cbcecb59080769e0

SHA256
93abc4d6fb2d95eabfb5be20c6165277162dd13d5ab3941ee78b56c2f217646b

SHA512
905ada80b5ee98c3607fc4bfd42afc403e0ab94cccf88997e585f1e2ed3293eb1bea30ef2635a4ad65c757c52a120451d22a6fa07b3e248ef93628b873d53841

Download Submit

Analysis

Sharing