a74b228fa2ee0f7ef1fe0eb26770b926a72c5618d86f5f8766f086e6333a877b

General

Target

JaffaCakes118_f9cf2715d4e9834207635d8660629a6d.exe
Size

16KB
MD5

f9cf2715d4e9834207635d8660629a6d
SHA1

2d36db52fe1dabba65fbf0d66c64d57b0cd83c22
SHA256

a74b228fa2ee0f7ef1fe0eb26770b926a72c5618d86f5f8766f086e6333a877b
SHA512

ab5b48bea89aa3176042d3db43d2a09d03fd3fb769ed1659288e1cdb13f0f6ce44009f49a0ba394a031cd1df16de589a412ee4585ca3248461dc33410ce69f03
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYZEGU:hDXWipuE+K3/SSHgxmZU

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEM1122.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEM679E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEMBDEC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEM1449.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_f9cf2715d4e9834207635d8660629a6d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEMBA76.exe

Executes dropped EXE 6 IoCs

pid	Process
4964	DEMBA76.exe
2796	DEM1122.exe
3244	DEM679E.exe
1976	DEMBDEC.exe
3124	DEM1449.exe
3896	DEM6AC6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBA76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1122.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM679E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBDEC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1449.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6AC6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9cf2715d4e9834207635d8660629a6d.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 4964	3056	JaffaCakes118_f9cf2715d4e9834207635d8660629a6d.exe	90
PID 3056 wrote to memory of 4964	3056	JaffaCakes118_f9cf2715d4e9834207635d8660629a6d.exe	90
PID 3056 wrote to memory of 4964	3056	JaffaCakes118_f9cf2715d4e9834207635d8660629a6d.exe	90
PID 4964 wrote to memory of 2796	4964	DEMBA76.exe	94
PID 4964 wrote to memory of 2796	4964	DEMBA76.exe	94
PID 4964 wrote to memory of 2796	4964	DEMBA76.exe	94
PID 2796 wrote to memory of 3244	2796	DEM1122.exe	96
PID 2796 wrote to memory of 3244	2796	DEM1122.exe	96
PID 2796 wrote to memory of 3244	2796	DEM1122.exe	96
PID 3244 wrote to memory of 1976	3244	DEM679E.exe	98
PID 3244 wrote to memory of 1976	3244	DEM679E.exe	98
PID 3244 wrote to memory of 1976	3244	DEM679E.exe	98
PID 1976 wrote to memory of 3124	1976	DEMBDEC.exe	100
PID 1976 wrote to memory of 3124	1976	DEMBDEC.exe	100
PID 1976 wrote to memory of 3124	1976	DEMBDEC.exe	100
PID 3124 wrote to memory of 3896	3124	DEM1449.exe	102
PID 3124 wrote to memory of 3896	3124	DEM1449.exe	102
PID 3124 wrote to memory of 3896	3124	DEM1449.exe	102

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9cf2715d4e9834207635d8660629a6d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9cf2715d4e9834207635d8660629a6d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\DEMBA76.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMBA76.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\DEM1122.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1122.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\DEM679E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM679E.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3244
    - - C:\Users\Admin\AppData\Local\Temp\DEMBDEC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBDEC.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Users\Admin\AppData\Local\Temp\DEM1449.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1449.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\DEM6AC6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6AC6.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1122.exe

Filesize
16KB

MD5
5d6d3ba1b83f0da957af2e7d97d2d078

SHA1
f3ba927b32d9112099468cac272a43a23a2fba60

SHA256
32bb610a72f749547af118c5f6102875cad6079a206dca9386346519e2ba4ffc

SHA512
feb30a291fb823e900e6809ec689193a1c7ef5854b736a5abd6e0300b4a5e07f232c9f5caeb0f26fa782f137af6a211988f646b5656b03f952bdafd2d44dad78

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1449.exe

Filesize
16KB

MD5
283a0614f97f5fb2029f33fb471895fb

SHA1
afd31de9987ef2471a490b869d86da6906813d9e

SHA256
30d49f7c550c93cc05f992dfd3438e12dd190e1e7b402118a68ac7538b807585

SHA512
91cfd8600c04bd92b60796c2d40d3f3fe2f10b3846440451ae912f0fd7c8de4c89a955ded58092548643d2e3434168282251bd2ce00ee250af446102b44dddb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM679E.exe

Filesize
16KB

MD5
43e9d417967ecfeaf029a20858707e6a

SHA1
e423d0e163b3aa4a1ae2eb3c4db0943b9398c905

SHA256
70f56932bd8933dc0ce65a9965b59f537cd87edfce3e62b1e7e405333c94a7b2

SHA512
7a9119b74157025e4a861a05f049cbdad57036f66f11954fdcd494a49cca4470a7df64b34278017845c7b91e46c9696664360a1bbf516af5e2b15fbb07a69e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6AC6.exe

Filesize
16KB

MD5
7865b33193c51ee28713f9a49626d425

SHA1
5d13ec260379bfbd79ab5dceadc2a1730ee11e92

SHA256
d72714abc9a31b64f7b5454769c72aefc8b542d35d8a543c817e1973b38cc393

SHA512
88482107397e4ad3434b5ba9efb7782d229d28526eec335469b0cb0d3e5eb833bdc2715f6769c6312d773a6c5b43223ebdb2bfd978c06382a50135b0433bb306

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBA76.exe

Filesize
16KB

MD5
384ed80bf2922a30a5414bd289d595f0

SHA1
a8fd513d03a8e9115d8f6368a430dee6261bbe42

SHA256
c95204c95464aea17d99bb923f37ac59dd5c6df8963394bb86c7389c7994053e

SHA512
1428e4fb6d3d8a61e0eb1e51bbeb3a4c94da098e84fb5f5a10d89ad610f354ada2bdb253ac8fbc851432d4df750811195fcef8adcbf74a1c4262afbf41dc1697

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBDEC.exe

Filesize
16KB

MD5
5170fe239a564059f709a7ec761a19e4

SHA1
dfbf45a4a2e6b247aea64f541fa26b44c1726ba3

SHA256
984df330caf7d8511f49cbc75c3c4e9f413a017ef6271c08954e3f66ceacdd2c

SHA512
a0fadc59a8cb4c9b46d5a13edf89921b52a9e88ada56d0a79ee69c738a2b6d93e898b9c0535cf5b08f9643491dd83071b05d828e88ab88d3652f5ba49955082a

Download Submit

Analysis

Sharing