a60c35ee4b80b3373bce0da4b51306b11db37faf37ed8ed6b76616d722c88d90

General

Target

5465268c18cfbc376667b64fbae84c9c_JaffaCakes118.exe
Size

14KB
MD5

5465268c18cfbc376667b64fbae84c9c
SHA1

bfe3ec58baf77f5376630d5fc1468f3593ef589a
SHA256

a60c35ee4b80b3373bce0da4b51306b11db37faf37ed8ed6b76616d722c88d90
SHA512

6e96fc12024bf92ad0bdc83e8586829a72a8adf4c593d939056df2719e0521ddf65af51cb3445ea8821f8edeab6505ed77d7be6ffbb608b69c691881adb17906
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlB:hDXWipuE+K3/SSHgxmlB

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEMD8BC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM2EFA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM848D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEMDACB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	5465268c18cfbc376667b64fbae84c9c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM8230.exe

Executes dropped EXE 6 IoCs

pid	Process
3568	DEM8230.exe
4040	DEMD8BC.exe
1380	DEM2EFA.exe
2256	DEM848D.exe
1512	DEMDACB.exe
1284	DEM30DA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM30DA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5465268c18cfbc376667b64fbae84c9c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8230.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD8BC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2EFA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM848D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDACB.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 3568	2388	5465268c18cfbc376667b64fbae84c9c_JaffaCakes118.exe	95
PID 2388 wrote to memory of 3568	2388	5465268c18cfbc376667b64fbae84c9c_JaffaCakes118.exe	95
PID 2388 wrote to memory of 3568	2388	5465268c18cfbc376667b64fbae84c9c_JaffaCakes118.exe	95
PID 3568 wrote to memory of 4040	3568	DEM8230.exe	101
PID 3568 wrote to memory of 4040	3568	DEM8230.exe	101
PID 3568 wrote to memory of 4040	3568	DEM8230.exe	101
PID 4040 wrote to memory of 1380	4040	DEMD8BC.exe	104
PID 4040 wrote to memory of 1380	4040	DEMD8BC.exe	104
PID 4040 wrote to memory of 1380	4040	DEMD8BC.exe	104
PID 1380 wrote to memory of 2256	1380	DEM2EFA.exe	106
PID 1380 wrote to memory of 2256	1380	DEM2EFA.exe	106
PID 1380 wrote to memory of 2256	1380	DEM2EFA.exe	106
PID 2256 wrote to memory of 1512	2256	DEM848D.exe	116
PID 2256 wrote to memory of 1512	2256	DEM848D.exe	116
PID 2256 wrote to memory of 1512	2256	DEM848D.exe	116
PID 1512 wrote to memory of 1284	1512	DEMDACB.exe	118
PID 1512 wrote to memory of 1284	1512	DEMDACB.exe	118
PID 1512 wrote to memory of 1284	1512	DEMDACB.exe	118

C:\Users\Admin\AppData\Local\Temp\5465268c18cfbc376667b64fbae84c9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5465268c18cfbc376667b64fbae84c9c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\DEM8230.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8230.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\DEMD8BC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD8BC.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Users\Admin\AppData\Local\Temp\DEM2EFA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2EFA.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1380
    - - C:\Users\Admin\AppData\Local\Temp\DEM848D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM848D.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2256
      - C:\Users\Admin\AppData\Local\Temp\DEMDACB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDACB.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\DEM30DA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM30DA.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2EFA.exe

Filesize
14KB

MD5
5f5d6d4af3cad01456e2924e5a09a8c2

SHA1
a63539fd2c0cd5b6289041f1447b112d1a54bfe2

SHA256
5bab5738b7b95dd797030de1907de8dd8dd3872b3205e0f18b5cc4be58b59b83

SHA512
89b5c1d53a213ffb3c0f837d2273f5127e993babc2bf69f5361ceff01d4bda0d09630fd6878e331455fbe91383c664513c35d86caadeb0c44b261ff1da8766bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM30DA.exe

Filesize
14KB

MD5
e2bb9b8fb3e75107a8278980dc02280d

SHA1
ad6ffdbec97b710706b11f87441cec6c3babef82

SHA256
4bfc1d1f3d9a1da64a28081476b53cc10396747687abc6b87aac0abd6cbb632d

SHA512
76d167f40d7c394e4f414cae8d6d24f1a679080d95c2a9d2fd58832bdde3f46fe06c007ad7045bea31e4c74edb992b2527e37436be44309f57ad1dfa4e87d044

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8230.exe

Filesize
14KB

MD5
d5011c6c69528429647a696ad846de01

SHA1
39b34bcefcd202ff76df4355a45034398701b12c

SHA256
a57d746f836f68768ca7aeec3ccb9b6fb090ca40e49948a93e1a3647420523c1

SHA512
1890a36f855b47f79123f3aee04651da03a1520cbcc2c63c66771c85b0b8be525f8b84b75f194d214c67fa1bd32bdebefc4359c6baaa7fac64adf6bd868607c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM848D.exe

Filesize
14KB

MD5
760cb63b91d4e26b2a84450303eb1c2a

SHA1
f596ad39d263f6fed47c191765a43faec1aa3dd8

SHA256
f5e793a8546e9bcb56f0a14a46494cf7d00c87b7ea227010e9196061f115cd2f

SHA512
d6b6899b2601b24ea00627f0330f8cdfb1f306410dc6cab643925ac8ed09e9af638879f775e369d48f8dd285f3ea3ef7381e1f3245cea74f564f04a880136b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD8BC.exe

Filesize
14KB

MD5
39d48a526ad84c6470e5e9117edeb533

SHA1
26722cbd9b9013c96b3552614280c5b38f9d01ee

SHA256
08f56c305bf33a184cb87b5c90c5ebb2d78aa25751fe09aebefe5839721c1c49

SHA512
8e749c00c1c3ec081ef86089e9d2d9360636270e596872bdb83cae6278b9a397589b71c2d72718c251f5ca06192c96bc32804872cfb83129be44f6530cc04c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDACB.exe

Filesize
14KB

MD5
aebd644106c1a3f822f1f0b4958828b6

SHA1
df22df8e27143f1795fee7e8e27c1d01c4399dd2

SHA256
2f28201ce29afef0ddf1cfd630adae7e1f367831227bfc72a155a8e76f6a9dd6

SHA512
cf53f127447fe93c0ee0f51a56538e5efb512635f5cc2fb4225583caeff7e072c4de5e5feef0b2082305289a944b5f607ec5abf79014bb6aaf80aed9ee8580cb

Download Submit

Analysis

Sharing