c478f06e3d45c5f05da0badfe44ca888feab6b3fb55e8825e30a71cdb8bf8577

General

Target

5465af5ed7808c6acd7f639e68f9bca2_JaffaCakes118.exe
Size

14KB
MD5

5465af5ed7808c6acd7f639e68f9bca2
SHA1

75e1e183c933b4a1ba1594642f94e9b17e9d26bd
SHA256

c478f06e3d45c5f05da0badfe44ca888feab6b3fb55e8825e30a71cdb8bf8577
SHA512

4f68aea9200a4b90e714ac7348297c64861b1a63c48fc891ebf5e15791d6d59c058999897efbb1c8490146274c79b613cd0b60a5a46360e81feab50f92e5c3dc
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhs:hDXWipuE+K3/SSHgxy

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEM77DF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEMCED9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEM24F8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEM7AF7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEMD107.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5465af5ed7808c6acd7f639e68f9bca2_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
2044	DEM77DF.exe
4368	DEMCED9.exe
3692	DEM24F8.exe
1520	DEM7AF7.exe
4416	DEMD107.exe
4828	DEM2793.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCED9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM24F8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7AF7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD107.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2793.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5465af5ed7808c6acd7f639e68f9bca2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM77DF.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 2044	5064	5465af5ed7808c6acd7f639e68f9bca2_JaffaCakes118.exe	95
PID 5064 wrote to memory of 2044	5064	5465af5ed7808c6acd7f639e68f9bca2_JaffaCakes118.exe	95
PID 5064 wrote to memory of 2044	5064	5465af5ed7808c6acd7f639e68f9bca2_JaffaCakes118.exe	95
PID 2044 wrote to memory of 4368	2044	DEM77DF.exe	101
PID 2044 wrote to memory of 4368	2044	DEM77DF.exe	101
PID 2044 wrote to memory of 4368	2044	DEM77DF.exe	101
PID 4368 wrote to memory of 3692	4368	DEMCED9.exe	104
PID 4368 wrote to memory of 3692	4368	DEMCED9.exe	104
PID 4368 wrote to memory of 3692	4368	DEMCED9.exe	104
PID 3692 wrote to memory of 1520	3692	DEM24F8.exe	106
PID 3692 wrote to memory of 1520	3692	DEM24F8.exe	106
PID 3692 wrote to memory of 1520	3692	DEM24F8.exe	106
PID 1520 wrote to memory of 4416	1520	DEM7AF7.exe	116
PID 1520 wrote to memory of 4416	1520	DEM7AF7.exe	116
PID 1520 wrote to memory of 4416	1520	DEM7AF7.exe	116
PID 4416 wrote to memory of 4828	4416	DEMD107.exe	118
PID 4416 wrote to memory of 4828	4416	DEMD107.exe	118
PID 4416 wrote to memory of 4828	4416	DEMD107.exe	118

C:\Users\Admin\AppData\Local\Temp\5465af5ed7808c6acd7f639e68f9bca2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5465af5ed7808c6acd7f639e68f9bca2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Admin\AppData\Local\Temp\DEM77DF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM77DF.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\DEMCED9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCED9.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Users\Admin\AppData\Local\Temp\DEM24F8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM24F8.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Users\Admin\AppData\Local\Temp\DEM7AF7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7AF7.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Users\Admin\AppData\Local\Temp\DEMD107.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD107.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\DEM2793.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2793.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM24F8.exe

Filesize
14KB

MD5
f010cb22b525cd3369ff47b373038926

SHA1
132568ffbc673dad753841e57c827d93fa8fe813

SHA256
0ebc6e7acba589bd2c6e11587316b3d0ac1c098fb49efd43dc5ead7c4188cd75

SHA512
9dbf9657858e98ce232abe288e14f5b2c7d690c53bce8b406e3b3d9e11a83a22d6bd848e7aeb9de6f44f2fd1fbf9129d444884e7cf1024db48f77a233334aaac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2793.exe

Filesize
14KB

MD5
0a548823c5a25dc9d52c06163e0842f0

SHA1
5b33df82b1f2df309ad78a8b09920a88158a0065

SHA256
d662e9a249e689ae7e15d59fc080b3deedd8edd6176480cb4aa31b5d312913b2

SHA512
b3d1f7f6df30769800df5e809a68a6a2d2c1f210fd2472f5051d1c64ea2539c15d93f03310fc9f4326f4dcd2cfbb3c1d6ad980db99a5a55b0fb07209fb30fc29

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM77DF.exe

Filesize
14KB

MD5
c41e6128e42815adfa29ebef49ae70e6

SHA1
a9c6241e036e23f6367343023742edb8a3ed0120

SHA256
da8764362f02ecdbcf9e6edf45d147d60bdec96653c52d6bbf3884a1c38b1309

SHA512
10831c74d6bbe181b2654c3476d9cda72004ee5dee894d26c77ec4dfb10b2d11032c0ca8540f007f4b9ae439da7ffbb35b170f942fbb4b103902d8beff0de90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7AF7.exe

Filesize
14KB

MD5
1481c03e179a10c3435a63dec15b0d73

SHA1
c22657e4439d9cc3ad9c27715db8289a0455e2e2

SHA256
2e0cf7d424ddbdb6903164c2cd8132db2801b40307660a25ea534149360981a4

SHA512
403b197713b0936f6852d532e464765644ca952913b4c658f92a9aee1c40a19e95e8b31146eebd7ee02342be7b518546d8e8ef054d6af609937828a04304b3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCED9.exe

Filesize
14KB

MD5
809bc2757452e314e903e5226ea9e408

SHA1
c235378744b672583556dd42de103d349e291006

SHA256
7b4caba69c05963d448b8b16f1f5830a29bf068e20698e05ea1543ec7ee6c6a5

SHA512
dc4082cb1c7e63e4163c4c4ceb3131c0fa3a5ce60b5f80069b428aaffa577f6109c7cd45bc1766ea7949ebfb6de80ea05de66e5b9359906e11bfaf3e2c1e5a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD107.exe

Filesize
14KB

MD5
b3fb011c87b09a6daf9b9d3c3acd31f0

SHA1
8452ca8ffacb2e38b4614a401add74091ce19348

SHA256
555751c5512ba8c31983baaae82bd518421375cfbed38a96f436b2d748853525

SHA512
f620817a89b7aedd4d0937d16f9f2ce8eed403e9a43ad906da452414066ae1bfd253f6b7f6a1908febfb8f1d8034cd894f86d32b46a44bbd85e0b2cb33ceac0c

Download Submit

Analysis

Sharing