eb62c74dd9d6ec42a398c82936ab7bb858e8af0ed98e02da29d2600f98a57577

General

Target

547c0aa76b09406f9571d24ab21988ca_JaffaCakes118.exe
Size

14KB
MD5

547c0aa76b09406f9571d24ab21988ca
SHA1

975b352d33cf9745d3e863febb8a08369b5acca8
SHA256

eb62c74dd9d6ec42a398c82936ab7bb858e8af0ed98e02da29d2600f98a57577
SHA512

ba65373c497622a55d099f7ed4285ead530f8a87a30ee81f281c989a232decb25a59e0aee839872ea9cde16b9293236d2496803acae81eca5214a9908d1df7cd
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJx:hDXWipuE+K3/SSHgxt

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	547c0aa76b09406f9571d24ab21988ca_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEMB1EB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEM952.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEM5F9F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEMB5BE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEMC2B.exe

Executes dropped EXE 6 IoCs

pid	Process
4400	DEMB1EB.exe
3400	DEM952.exe
5108	DEM5F9F.exe
2908	DEMB5BE.exe
5104	DEMC2B.exe
4756	DEM6269.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB1EB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM952.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5F9F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB5BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC2B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6269.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	547c0aa76b09406f9571d24ab21988ca_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 4400	1596	547c0aa76b09406f9571d24ab21988ca_JaffaCakes118.exe	98
PID 1596 wrote to memory of 4400	1596	547c0aa76b09406f9571d24ab21988ca_JaffaCakes118.exe	98
PID 1596 wrote to memory of 4400	1596	547c0aa76b09406f9571d24ab21988ca_JaffaCakes118.exe	98
PID 4400 wrote to memory of 3400	4400	DEMB1EB.exe	104
PID 4400 wrote to memory of 3400	4400	DEMB1EB.exe	104
PID 4400 wrote to memory of 3400	4400	DEMB1EB.exe	104
PID 3400 wrote to memory of 5108	3400	DEM952.exe	109
PID 3400 wrote to memory of 5108	3400	DEM952.exe	109
PID 3400 wrote to memory of 5108	3400	DEM952.exe	109
PID 5108 wrote to memory of 2908	5108	DEM5F9F.exe	111
PID 5108 wrote to memory of 2908	5108	DEM5F9F.exe	111
PID 5108 wrote to memory of 2908	5108	DEM5F9F.exe	111
PID 2908 wrote to memory of 5104	2908	DEMB5BE.exe	122
PID 2908 wrote to memory of 5104	2908	DEMB5BE.exe	122
PID 2908 wrote to memory of 5104	2908	DEMB5BE.exe	122
PID 5104 wrote to memory of 4756	5104	DEMC2B.exe	124
PID 5104 wrote to memory of 4756	5104	DEMC2B.exe	124
PID 5104 wrote to memory of 4756	5104	DEMC2B.exe	124

C:\Users\Admin\AppData\Local\Temp\547c0aa76b09406f9571d24ab21988ca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\547c0aa76b09406f9571d24ab21988ca_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\DEMB1EB.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB1EB.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\DEM952.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM952.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Users\Admin\AppData\Local\Temp\DEM5F9F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5F9F.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Users\Admin\AppData\Local\Temp\DEMB5BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB5BE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Users\Admin\AppData\Local\Temp\DEMC2B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC2B.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\DEM6269.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6269.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5F9F.exe

Filesize
14KB

MD5
8388730daafbb07cdc3d7fcb47730d45

SHA1
b1f94e0dd36740beca4ede397ae9864a0c6bada2

SHA256
49a9783550c5b4694ed9ab7333d827c3ee4118c12006eca51308f5dd5d9ec8ef

SHA512
fba05d62a9ac1a744eff1c17bc07c28e9d7e73ebce9a0071985b481683a12f4607c2f141d24d24c606522ea4c3a2cd17670cc66f0ff3c85dc96f455d744931bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6269.exe

Filesize
14KB

MD5
89ec74d8904f55774744bbb6b7745f94

SHA1
fe4709b87f90b51a61529cf3170e66ef6009a6b4

SHA256
9a1b3d261d419df0c47377fec9ced9cd727222544f47dc5d47707c8b6f5a609c

SHA512
2a41edc45fc2d0b77d38de3fd2c2e5e6c166f42fec3118e0be2b07602a802f4be499ce131773b12b540338dee5ac8289b749090a77dbe0a6aae7830e7445512b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM952.exe

Filesize
14KB

MD5
04c284612854bddd937cdcafe644f574

SHA1
d03ff36da482fa467c1041495c05d08c76a537cf

SHA256
53bf65be8cd26a283447c36bb09dfa12a8dfc16665492fbf73e94202ccbf2da5

SHA512
f07ce4bb2740e38a1fc8f73f34d152400461c62eb704d1619cda43507a2e943ff0c64b312904b16d64551b7a88e0faae2a1ea2e69a8df993395555bb2755f1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB1EB.exe

Filesize
14KB

MD5
08932e94fafd568218b2bd2ed9e6723d

SHA1
e65c72e97efdf28df5325c7194df4db3a47a1946

SHA256
07bce6b43d5299cc0ff731d85097ca8c1149c9f4ff5e3a9e723dc020800833a6

SHA512
6fee605ee74823fe5febbddb61a7e44e778d786958075c8d9b6e1ccfbd91b799ec653f16cb2cfe8311ab9a7bc03f8b886e68ac421d19d0406c29d0adfeca66fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB5BE.exe

Filesize
14KB

MD5
557adcc916f3e8fb0106b3eade46d678

SHA1
d915057d91b0c3c348142195c9e191062bc2a1e2

SHA256
5628a96d0f7612f943b1deccc5bbe2d83bc78e5e6bf1a4f16987622bf376cd79

SHA512
10d7f58f0fefc8124cbf3763b921fe0169c079a1d8892f3b3d3eb2bdabbe0c3da840a77b96f8a988aae35b229601dace9c0cbbc5bbb0369e16ce2f0a63f1e348

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC2B.exe

Filesize
14KB

MD5
f87ab0cb6e9525db1f9d6b6a528ca612

SHA1
395981b8ef5756810229f1b3ea36eb0122cfdc93

SHA256
0f7a184d2cc6a47bd560c27762db0cdb48bd04ff1aa80ae8b9be15af03b52b38

SHA512
3c5c9763eea436b216d0bb525a7507de41f86199afeda08c288599cb76ab33075e72760d72add68f546cb9d1a93c091aa7505ee995c61d97b4648fe828073c9a

Download Submit

Analysis

Sharing