cddb37fb15b785cda9aa0ee177f934294054fa58c21720a063f6bf5ddd968cb5

General

Target

523192e9aba390ef00648935f2d76e8e_JaffaCakes118.exe
Size

14KB
MD5

523192e9aba390ef00648935f2d76e8e
SHA1

b68131fa3bb3d0a061718768f0523bbcfa1e3d60
SHA256

cddb37fb15b785cda9aa0ee177f934294054fa58c21720a063f6bf5ddd968cb5
SHA512

a8ac54a5b9f0ea42645af79669e475ebf716c75361cb1ef583dc60a1e3046bd3e7bb093f58089759c4987b47e61ce508bb74cfb962b1dce4f94c82599d10cca5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyOQX:hDXWipuE+K3/SSHgxmyOQX

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEM8CBA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEME2AA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	523192e9aba390ef00648935f2d76e8e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEM8A00.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEME109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEM3709.exe

Executes dropped EXE 6 IoCs

pid	Process
1756	DEM8A00.exe
4944	DEME109.exe
1384	DEM3709.exe
3088	DEM8CBA.exe
540	DEME2AA.exe
4032	DEM3927.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	523192e9aba390ef00648935f2d76e8e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8A00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME109.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3709.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8CBA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME2AA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3927.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 1756	4288	523192e9aba390ef00648935f2d76e8e_JaffaCakes118.exe	98
PID 4288 wrote to memory of 1756	4288	523192e9aba390ef00648935f2d76e8e_JaffaCakes118.exe	98
PID 4288 wrote to memory of 1756	4288	523192e9aba390ef00648935f2d76e8e_JaffaCakes118.exe	98
PID 1756 wrote to memory of 4944	1756	DEM8A00.exe	104
PID 1756 wrote to memory of 4944	1756	DEM8A00.exe	104
PID 1756 wrote to memory of 4944	1756	DEM8A00.exe	104
PID 4944 wrote to memory of 1384	4944	DEME109.exe	108
PID 4944 wrote to memory of 1384	4944	DEME109.exe	108
PID 4944 wrote to memory of 1384	4944	DEME109.exe	108
PID 1384 wrote to memory of 3088	1384	DEM3709.exe	110
PID 1384 wrote to memory of 3088	1384	DEM3709.exe	110
PID 1384 wrote to memory of 3088	1384	DEM3709.exe	110
PID 3088 wrote to memory of 540	3088	DEM8CBA.exe	121
PID 3088 wrote to memory of 540	3088	DEM8CBA.exe	121
PID 3088 wrote to memory of 540	3088	DEM8CBA.exe	121
PID 540 wrote to memory of 4032	540	DEME2AA.exe	123
PID 540 wrote to memory of 4032	540	DEME2AA.exe	123
PID 540 wrote to memory of 4032	540	DEME2AA.exe	123

C:\Users\Admin\AppData\Local\Temp\523192e9aba390ef00648935f2d76e8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\523192e9aba390ef00648935f2d76e8e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Local\Temp\DEM8A00.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8A00.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\DEME109.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME109.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\DEM3709.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3709.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Users\Admin\AppData\Local\Temp\DEM8CBA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8CBA.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3088
      - C:\Users\Admin\AppData\Local\Temp\DEME2AA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME2AA.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\DEM3927.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3927.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3709.exe

Filesize
14KB

MD5
ac3bd367c87730110f4da20774c9d93c

SHA1
70652c909b8c2fee9377df84e8a74c603679e285

SHA256
5a63debfb4a7156d89eb824dd73001cbceaa687ab06991d804f5adf1d440ddc3

SHA512
c7f4dcb0fec613ca500177cba0fafdb8189ef099c2dd233dbb6b065efa1a24efccdc49f02aa8e08bb522f197761c86ae14d41a7aaebfb97a84c89dd30b9cb87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3927.exe

Filesize
14KB

MD5
2eb5910f8532732a35742befa7701629

SHA1
83d76359f86d4ec9d76fd0c411b7f85412dbebd7

SHA256
d7964d1d49cd983d047d39ff6ef78de3549cbd79b45fefb31bea963dad117972

SHA512
5f181705bb9757be7acfbdcf6bed19d9d4495646f5fcb2829a6a1051524779cde9ea864e0cea7307e8663ff5127f0ae42eba419ecdb889ddd401cfc962253f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8A00.exe

Filesize
14KB

MD5
025a8f9123d290e53ac487380baa206a

SHA1
251b7e405c98f1638c676b12e5863efbd89965ea

SHA256
2b15962c01b9e7dcd353e5f374518a2ddecde98d383a12f379c902f0d5c4f52b

SHA512
2345b33e19bdbe3bfa32971b264e2a53f4713821f8962dafb044e69cd9d639ff598122bc9cc72adbf57d527a68645a67dabc2f38239baf86748301fd98e5418d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8CBA.exe

Filesize
14KB

MD5
8736645d45e7e32733b36845d2e88597

SHA1
8df08df8ab127c3a25edbb96564b029a50bf9c06

SHA256
46b41f25d60db0d1953a7e4cac08492c4e22e0a1b8160050e7898c744cebc3fa

SHA512
e9b4216746d8640fc9802caea35114b6dec5646b883b707f0fe9f4616ed206222cf9bba4641320e8f6fa46d1148f7f085ccb832c5751a22818680aa70eddde4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME109.exe

Filesize
14KB

MD5
f9113db34f22d6c3f2a0536f3d866589

SHA1
992b0bfd05fdf914264874a5c85fd60bdda9e71a

SHA256
f94962049d83257cebf6339b25ae909bc6430ad1575245c52f4e66659d31c7e5

SHA512
40cf08c8cbd1e988e8eace3767ea7c976c12e74490a5dd5bae7e670cf3e968e2fec3dda3219c1777366b8eb2c885355ab8cb09cd96f3a603297b16205b5b39c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME2AA.exe

Filesize
14KB

MD5
5821c9a4ed47a5eaae98b7db326447b2

SHA1
607f2ea39cdb0ddd1d13800e2052979d7fee2e22

SHA256
7f36881427f9652f3860722dcef352a7fd32c19e3bf5b3707ad9a7458a1cbbe2

SHA512
3ed8a01449cb88a520a7fbdd2c5ef0dfb6a74d413974d95ed229b34fb7df03aab649597eb1e53f48e4074545b4f7001451c9eedaec50b2a827f5dab83029ceab

Download Submit

Analysis

Sharing