adfc2b34fa603d40ec7b692c2bba35449ec1a7af955ea79a8460b8e543ef4388

General

Target

JaffaCakes118_f9d2634a8a19bb3ad99f339577eff0ee.exe
Size

15KB
MD5

f9d2634a8a19bb3ad99f339577eff0ee
SHA1

e1015e531dbedee6c3a136abc446bf71bf0def9a
SHA256

adfc2b34fa603d40ec7b692c2bba35449ec1a7af955ea79a8460b8e543ef4388
SHA512

e2177744c13e17ba2f31c5b79a386711f8425843d27d69354fcc8c0e54017f18a6e4017d67fb9d159dce4f6358bec5b54c41d3a9d8862e1fe44e145f0087a750
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0mWDK:hDXWipuE+K3/SSHgxm0JDK

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEMC208.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEM1865.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEM6EF1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEMC4E1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEM1B4E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_f9d2634a8a19bb3ad99f339577eff0ee.exe

Executes dropped EXE 6 IoCs

pid	Process
4988	DEMC208.exe
4008	DEM1865.exe
4484	DEM6EF1.exe
4328	DEMC4E1.exe
32	DEM1B4E.exe
1116	DEM719C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6EF1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC4E1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1B4E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM719C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9d2634a8a19bb3ad99f339577eff0ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC208.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1865.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 4988	1756	JaffaCakes118_f9d2634a8a19bb3ad99f339577eff0ee.exe	90
PID 1756 wrote to memory of 4988	1756	JaffaCakes118_f9d2634a8a19bb3ad99f339577eff0ee.exe	90
PID 1756 wrote to memory of 4988	1756	JaffaCakes118_f9d2634a8a19bb3ad99f339577eff0ee.exe	90
PID 4988 wrote to memory of 4008	4988	DEMC208.exe	94
PID 4988 wrote to memory of 4008	4988	DEMC208.exe	94
PID 4988 wrote to memory of 4008	4988	DEMC208.exe	94
PID 4008 wrote to memory of 4484	4008	DEM1865.exe	96
PID 4008 wrote to memory of 4484	4008	DEM1865.exe	96
PID 4008 wrote to memory of 4484	4008	DEM1865.exe	96
PID 4484 wrote to memory of 4328	4484	DEM6EF1.exe	98
PID 4484 wrote to memory of 4328	4484	DEM6EF1.exe	98
PID 4484 wrote to memory of 4328	4484	DEM6EF1.exe	98
PID 4328 wrote to memory of 32	4328	DEMC4E1.exe	100
PID 4328 wrote to memory of 32	4328	DEMC4E1.exe	100
PID 4328 wrote to memory of 32	4328	DEMC4E1.exe	100
PID 32 wrote to memory of 1116	32	DEM1B4E.exe	102
PID 32 wrote to memory of 1116	32	DEM1B4E.exe	102
PID 32 wrote to memory of 1116	32	DEM1B4E.exe	102

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9d2634a8a19bb3ad99f339577eff0ee.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9d2634a8a19bb3ad99f339577eff0ee.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\DEMC208.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC208.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\DEM1865.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1865.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Users\Admin\AppData\Local\Temp\DEM6EF1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6EF1.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4484
    - - C:\Users\Admin\AppData\Local\Temp\DEMC4E1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC4E1.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4328
      - C:\Users\Admin\AppData\Local\Temp\DEM1B4E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1B4E.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\DEM719C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM719C.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1865.exe

Filesize
15KB

MD5
2743583646f91863675a58c5900c940e

SHA1
0ac0371bd108c67fb9cde117f5293e383f4789c6

SHA256
c1ad76bbd580f596d22599380802a9f1d941afd909a229faa7659fb5b8152c74

SHA512
159c72e8c5a36c08b8f01db4b57e60d1191abcf875458729978478464ccdcca2882628d1d69c5fa7888ad79e8c188be7e1bd73fc2bb83bf4faa59b89e5471204

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1B4E.exe

Filesize
15KB

MD5
c101f196ae028ee3faad7f6ab5cbf55c

SHA1
0f6730253dccb39e00cf9562bca42db1dd176f56

SHA256
cb2d082d6556645522bf5b4f08b6e3f9a6fe660158055a7e7d38f6ea6cc595d8

SHA512
0587c58e3c7fee9e8f1163712a21ce817b7950c0364f46a7c95f23b6293def5e32e9ed10964c977a9c16ed808e06fc39945160bc0e89aabfb39936870ab34643

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6EF1.exe

Filesize
15KB

MD5
39076cbf5c2d3b5d61838786642e9983

SHA1
301ac0f255cf8a0e82b82b387cf8f76926002a42

SHA256
3bafd3bb62ba55b07b43fcdcb2693c272792deba69fa8f2de0f7d9facb9aed67

SHA512
60d73b4b1b8b9f98a16f7922096fed6e8484a2fc7bc8bd89842c3be55f72928904a274fea5a78003b20fc019db5861d9e86698ae819e3c8117c13ad540acab4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM719C.exe

Filesize
15KB

MD5
5399f2761fe7544416b9486a4b619a7f

SHA1
08356f058f6ea91325b774f667405e2c7d4cb96c

SHA256
2fa03a2c0de51dd9e9d1aa3fa56efe674f477029dff935314c698c8417e011a2

SHA512
df10cc21f01d3e0b9f5557b60cf12ed11090de8a8dd76edffc836bd5cb6ee46887c48446336c78538fa281888e35cf2ef5032afbfa2232a7636cedecbf143ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC208.exe

Filesize
15KB

MD5
fc44bcffc346068682ad23f8f9aa21e2

SHA1
b0f32b7c62d83cebedd56b6eb7b6d276826f45b1

SHA256
7ed37cfcfb5f4e920c30a0b98652b33a458606247266ad53ddec0440773da36e

SHA512
0e8a2593255fb42c3aeb42ce1c15648f68fb25f322db4ffcc4d3d51d710280b2ae464581e29673e592988064d1458b5293fd3728c67671dcc40105a0763e4081

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC4E1.exe

Filesize
15KB

MD5
15c96d762aa0dd1dc21d19cdaf81e4f5

SHA1
779cbfe51a91947c9e1c99691f66b129a70fc6b4

SHA256
4d6c07ce733058e694823a7b390f72d267b53ac405d6d6b76e211463c0ea916e

SHA512
fbb14532f2f5ec9926a4b2e6912b75b4e2313706cc4c3700a69577df27feacf3e01020304d5bc6219b92b6d30387c974b4d8891c73a174623f029abedcad0503

Download Submit

Analysis

Sharing