ac1f4f128ad130f141e12d109b3e3d9394982611630987818bc19b5a0a2ce7fd

General

Target

561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe
Size

14KB
MD5

561d055cc6c0da0756a01748ce967058
SHA1

8303f42074385c1a54302b4a785c90953b7250cc
SHA256

ac1f4f128ad130f141e12d109b3e3d9394982611630987818bc19b5a0a2ce7fd
SHA512

44e3b821fb1005865036b3f9d1c418c6c016ec09fde394c725706ce7d96fbe3625190177eae784561198a772c05821a31ec7f34f6be059a3d112481e4e98ead1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4bCl:hDXWipuE+K3/SSHgxm0O

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEMB0B2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEM71F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEM5D3E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEMB38C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEM9AB.exe

Executes dropped EXE 6 IoCs

pid	Process
3012	DEMB0B2.exe
2152	DEM71F.exe
1596	DEM5D3E.exe
2552	DEMB38C.exe
3668	DEM9AB.exe
4788	DEM5FE9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB0B2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM71F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5D3E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB38C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9AB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5FE9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 3012	392	561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe	95
PID 392 wrote to memory of 3012	392	561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe	95
PID 392 wrote to memory of 3012	392	561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe	95
PID 3012 wrote to memory of 2152	3012	DEMB0B2.exe	101
PID 3012 wrote to memory of 2152	3012	DEMB0B2.exe	101
PID 3012 wrote to memory of 2152	3012	DEMB0B2.exe	101
PID 2152 wrote to memory of 1596	2152	DEM71F.exe	104
PID 2152 wrote to memory of 1596	2152	DEM71F.exe	104
PID 2152 wrote to memory of 1596	2152	DEM71F.exe	104
PID 1596 wrote to memory of 2552	1596	DEM5D3E.exe	106
PID 1596 wrote to memory of 2552	1596	DEM5D3E.exe	106
PID 1596 wrote to memory of 2552	1596	DEM5D3E.exe	106
PID 2552 wrote to memory of 3668	2552	DEMB38C.exe	115
PID 2552 wrote to memory of 3668	2552	DEMB38C.exe	115
PID 2552 wrote to memory of 3668	2552	DEMB38C.exe	115
PID 3668 wrote to memory of 4788	3668	DEM9AB.exe	117
PID 3668 wrote to memory of 4788	3668	DEM9AB.exe	117
PID 3668 wrote to memory of 4788	3668	DEM9AB.exe	117

C:\Users\Admin\AppData\Local\Temp\561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\DEMB0B2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB0B2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\DEM71F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM71F.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Users\Admin\AppData\Local\Temp\DEM5D3E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5D3E.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Users\Admin\AppData\Local\Temp\DEMB38C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB38C.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Users\Admin\AppData\Local\Temp\DEM9AB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9AB.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\DEM5FE9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5FE9.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5D3E.exe

Filesize
14KB

MD5
ae4b5e930459af60510eac362dac4efa

SHA1
eadfdb63db1290d63e340298f42928f1c4425fcc

SHA256
e9a6545b90184f1625d4a3fa77c852d75af7712e693c5ada65fb1df0c4b33822

SHA512
f1f5b5280c634fe80557ec0b706b5b7a1a2b8af2bc2712671c60fef67505db7c0f3ac5c175339291f97b971129d36aee2a0d113deec70bac79d94d9ab2210598

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5FE9.exe

Filesize
15KB

MD5
71db0406d1dfc69f693dfeabca247f29

SHA1
52be8e4f7e3fb6fcb758650dbf1ebc46559e442e

SHA256
0ae5d548e2cc0fbe321cd1609e88294149c4a356889ddfcd0084daf10d07df53

SHA512
df15a2b50fad7582177aa5a73ecbcb3d66e300db0b5d9fc737d5e1af302143d1c149ab5e9243a9cc7ba2cb001a3670f58eeb7659c3ad721a0523256d4b0f0d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM71F.exe

Filesize
14KB

MD5
93cd39db2b409981a33177c9daa2a240

SHA1
25f6d4236f25f47cdee1bb513206d5f5edb6c17b

SHA256
0e9e398769a63fc16c356bdaca995ab1158ae69586703422a0a588154ddac957

SHA512
847c8087849b83b33b6a5ec0aaa1ee7e3e7153364a16d9ded20b33336d1f2ab7cb98335af20b40c143a7a77be9d0776674b22e319335f01e503fb70888ae4ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9AB.exe

Filesize
14KB

MD5
460b6471a5c39b3581dc37802e59eb4b

SHA1
b33a27929847cd04a6b55dd5beec56d6747dbe16

SHA256
bc5705add8025fdc62fb250e70bfba7c6a90c6c79205548dedf42ff53fb2979b

SHA512
86fdb2b74e46505c4d7550ace2f0bf6c537eacb1d575929033bb471d35e43f625979d80bf5e72b73c58a22a027ebbba9934f9d062047efd139e3e42b64c0467f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB0B2.exe

Filesize
14KB

MD5
c926a195c1448fbc543bb46f03f27710

SHA1
0bd9277da2b06c18c16e0fae796fa904e14e2cd9

SHA256
04de75819d68b3deb9ee80f72aee78d1589cdce8c59ea7c0043c266b25071e7a

SHA512
9f379e36b6034d8ea9733ce5711c32a462643780802a60ba476a3329589bd9d44cc91f322e27c9ec4886066d757ab58d8717c100caabfd30fc16308335f5dcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB38C.exe

Filesize
14KB

MD5
c1e7ae9cc2ed0e7abe1681b8326e0548

SHA1
cfc6a0f2ae2e293534b72a4f25561bf071b9537e

SHA256
64ccfcff79e896e5bdfde68866ff11695802921224f8087cefdbca4a141f172f

SHA512
f79411bd87e02c5d65696d5e2bf0114eeb5ad27006968fb1e92a2959856b0d611f414d1c86685e64718957a9cd621e0ad3b1e9abc8fe54f1e6cd165779fc502c

Download Submit

Analysis

Sharing