d559f1fab9b764655802134093695ea64e0e6b2312f44a2a4313bff0cb537e25

General

Target

JaffaCakes118_f9df9e4debd65763912364666a964472.exe
Size

15KB
MD5

f9df9e4debd65763912364666a964472
SHA1

75069a5516019a2e9a354b2a5d2b6ae5a51cf9e9
SHA256

d559f1fab9b764655802134093695ea64e0e6b2312f44a2a4313bff0cb537e25
SHA512

2f88abad025a57526dded702728b299b548e93672c45b41902d70b8b2461e30c16bab2dae2efcd8a3059d2c36f73dc3f11bfc8d4ea6699e0d472f4aa422ffb30
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYuSJg:hDXWipuE+K3/SSHgxmTe

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM24F8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM7AD8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEMD0F7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_f9df9e4debd65763912364666a964472.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM782D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEMCEE9.exe

Executes dropped EXE 6 IoCs

pid	Process
1068	DEM782D.exe
4752	DEMCEE9.exe
3632	DEM24F8.exe
4972	DEM7AD8.exe
2476	DEMD0F7.exe
4328	DEM2745.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2745.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9df9e4debd65763912364666a964472.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM782D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCEE9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM24F8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7AD8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD0F7.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1068	2268	JaffaCakes118_f9df9e4debd65763912364666a964472.exe	90
PID 2268 wrote to memory of 1068	2268	JaffaCakes118_f9df9e4debd65763912364666a964472.exe	90
PID 2268 wrote to memory of 1068	2268	JaffaCakes118_f9df9e4debd65763912364666a964472.exe	90
PID 1068 wrote to memory of 4752	1068	DEM782D.exe	94
PID 1068 wrote to memory of 4752	1068	DEM782D.exe	94
PID 1068 wrote to memory of 4752	1068	DEM782D.exe	94
PID 4752 wrote to memory of 3632	4752	DEMCEE9.exe	96
PID 4752 wrote to memory of 3632	4752	DEMCEE9.exe	96
PID 4752 wrote to memory of 3632	4752	DEMCEE9.exe	96
PID 3632 wrote to memory of 4972	3632	DEM24F8.exe	98
PID 3632 wrote to memory of 4972	3632	DEM24F8.exe	98
PID 3632 wrote to memory of 4972	3632	DEM24F8.exe	98
PID 4972 wrote to memory of 2476	4972	DEM7AD8.exe	100
PID 4972 wrote to memory of 2476	4972	DEM7AD8.exe	100
PID 4972 wrote to memory of 2476	4972	DEM7AD8.exe	100
PID 2476 wrote to memory of 4328	2476	DEMD0F7.exe	102
PID 2476 wrote to memory of 4328	2476	DEMD0F7.exe	102
PID 2476 wrote to memory of 4328	2476	DEMD0F7.exe	102

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9df9e4debd65763912364666a964472.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9df9e4debd65763912364666a964472.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\DEM782D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM782D.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Users\Admin\AppData\Local\Temp\DEMCEE9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCEE9.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Users\Admin\AppData\Local\Temp\DEM24F8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM24F8.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3632
    - - C:\Users\Admin\AppData\Local\Temp\DEM7AD8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7AD8.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4972
      - C:\Users\Admin\AppData\Local\Temp\DEMD0F7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD0F7.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\DEM2745.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2745.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM24F8.exe

Filesize
15KB

MD5
8d93b5c7be6c901167f066c2ccaaf466

SHA1
f967b823d2ac0fe0bdded5fce33fe2d3bf59537b

SHA256
d4ec9a9899d8b0e2d66e0855039c985741e71950ac0dc34c2369b3068ea2e1f7

SHA512
29eed378c95f22c1734631e20085806a6f5bbd1fe9d9c9cc4ce72c31572d4b676eeaa48cf625f6c8c56e951a9eb3bc151dfc90ece95c9c4f0a8d3980c79e2f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2745.exe

Filesize
15KB

MD5
e3adc744d585cf3a42c5f6727ee2152f

SHA1
9d34ce00a4adfc395b7622dddc00c763091935dc

SHA256
c9c76425a4db5942ee5194e89542389a993377d4a49e6693bf6e8aac6dd6a414

SHA512
6c0f00e5b46100b98df18ac11b62e2283e34f2e89fc1e9529f8d92813a668ab642730ade342f352c65b9564adc99e69ba6bdcd0c5b35e9aa6b1fda9bd443d429

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM782D.exe

Filesize
15KB

MD5
66ca1b1432a3f1a1fa1e9ce9725e527a

SHA1
02ea66296121de1df62a47534beb531c53d2fbd1

SHA256
8654a94273084ef011978442000285861a1d03e875da6b53ba1f8f4df7037cff

SHA512
9809f9fb6a25bc37fe302f1432b479e75b369bf46da3fddb775d4451661c064b3529e164f3adfd93b6b6a102e99435c291a2dff0af1c762b2606c7d54ca98e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7AD8.exe

Filesize
15KB

MD5
987065d9782402fadc8fa4bec1e98c91

SHA1
52f58f42a9162b1d4a5e1dd595a560610d0718c2

SHA256
92ab4c8b6bc8c9680565542efec9284ddd799fd5b8a22ebe42bc5dbca7f7073e

SHA512
ed6c399f60dffe2acd2fb93db7116a7d64f7e9e24ccc2452c4c7082f9e875ca848803feadac22b0d278d5c9a1e66ba832855fc5a5822c121701629533e954af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCEE9.exe

Filesize
15KB

MD5
6cb79c12011d3da6e1f00ebf466df8ca

SHA1
3f12fdb92dd8cdfa37f061eb6e2c761355151393

SHA256
e0b1e6dbf9b9f44220201b4e6bdc91a4ee4f3663fb69af3ce7002d61aff08836

SHA512
cdd082cc18d893e79401a947d253b8aacc9f8672d255ebb8a8b63ff2bd5cf1765e80303f8760c501e01816f02a07c6a6b14a0aa71d8c87b98a20dca23a8bb6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD0F7.exe

Filesize
15KB

MD5
8c25c33b473013758dd2eb60830db985

SHA1
087cde99018f72e597ab7e07c291100b95cadd52

SHA256
4ec9a6cbb4315dc586412432ce4aeedc863771831f67904c0b5f3d2ababd8dc2

SHA512
13fb180eed096263537d9850afa3adc805c8c7c5aa3ff22cbb1665c59bd6a87ba5c237b0d20631c3582009f6a43c9a7e2bee4cc64816023daf76256e0fe870ec

Download Submit

Analysis

Sharing