436f321b2662495c3eeff0fa9b9c06eeede24a5a3d90ee5795dffa107dbef609

General

Target

JaffaCakes118_f9dff9bd2d2d28264bc3a89d1f0d60df.exe
Size

15KB
MD5

f9dff9bd2d2d28264bc3a89d1f0d60df
SHA1

1048cbd57062927730189f4f04bb071231764347
SHA256

436f321b2662495c3eeff0fa9b9c06eeede24a5a3d90ee5795dffa107dbef609
SHA512

0af9be47056ba77c56651927d1bf4a23123a98384eb02b7eea6635185a6169126b9573017ebfe51fc126f5993cf7157a428266904827f1c5823f196059fd93a5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl0rJX:hDXWipuE+K3/SSHgxmlOl

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_f9dff9bd2d2d28264bc3a89d1f0d60df.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEM9829.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEMEF03.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEM4513.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEM9BCE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DEMF20C.exe

Executes dropped EXE 6 IoCs

pid	Process
4528	DEM9829.exe
4072	DEMEF03.exe
4584	DEM4513.exe
2744	DEM9BCE.exe
2196	DEMF20C.exe
1812	DEM4879.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEF03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4513.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9BCE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF20C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4879.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9dff9bd2d2d28264bc3a89d1f0d60df.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9829.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 4528	3220	JaffaCakes118_f9dff9bd2d2d28264bc3a89d1f0d60df.exe	90
PID 3220 wrote to memory of 4528	3220	JaffaCakes118_f9dff9bd2d2d28264bc3a89d1f0d60df.exe	90
PID 3220 wrote to memory of 4528	3220	JaffaCakes118_f9dff9bd2d2d28264bc3a89d1f0d60df.exe	90
PID 4528 wrote to memory of 4072	4528	DEM9829.exe	94
PID 4528 wrote to memory of 4072	4528	DEM9829.exe	94
PID 4528 wrote to memory of 4072	4528	DEM9829.exe	94
PID 4072 wrote to memory of 4584	4072	DEMEF03.exe	96
PID 4072 wrote to memory of 4584	4072	DEMEF03.exe	96
PID 4072 wrote to memory of 4584	4072	DEMEF03.exe	96
PID 4584 wrote to memory of 2744	4584	DEM4513.exe	98
PID 4584 wrote to memory of 2744	4584	DEM4513.exe	98
PID 4584 wrote to memory of 2744	4584	DEM4513.exe	98
PID 2744 wrote to memory of 2196	2744	DEM9BCE.exe	100
PID 2744 wrote to memory of 2196	2744	DEM9BCE.exe	100
PID 2744 wrote to memory of 2196	2744	DEM9BCE.exe	100
PID 2196 wrote to memory of 1812	2196	DEMF20C.exe	102
PID 2196 wrote to memory of 1812	2196	DEMF20C.exe	102
PID 2196 wrote to memory of 1812	2196	DEMF20C.exe	102

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9dff9bd2d2d28264bc3a89d1f0d60df.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9dff9bd2d2d28264bc3a89d1f0d60df.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\AppData\Local\Temp\DEM9829.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9829.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\DEMEF03.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMEF03.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Users\Admin\AppData\Local\Temp\DEM4513.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4513.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4584
    - - C:\Users\Admin\AppData\Local\Temp\DEM9BCE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9BCE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Users\Admin\AppData\Local\Temp\DEMF20C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF20C.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\DEM4879.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4879.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4513.exe

Filesize
15KB

MD5
8428b4f5ec77ce7e043bbe3c6ceaa561

SHA1
1205d4de2eb5d481ad0acfc087c96d642b7e11d2

SHA256
5bf7ff3f9aa4fd5f21e7ded3c2503803550c71670eb9f0f4775735a9904bb320

SHA512
2fc1749e5b89f2de13a0f5f0c8665357aae1903822850d020a96bad8c951083e9da4841593af8a6c60d63392e9759004661a41235d53d947c27e68e45ef9fe19

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4879.exe

Filesize
15KB

MD5
8cacf7ae542b0ffbe87c86c623c3898d

SHA1
985baac1673fa15622f2bea22c57e6eb5d38e4a2

SHA256
2663071522d130dd664a9f7062b60ae38c71301054f7ecd9e57b073c36edd4b1

SHA512
53716fc550def8e171f0bbb20431b9d521a35dd2255da365881bccd40200aaa942e4bafa92855d431684ea91c52c694a0658d2a29e4cf16131828df1bc9631c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9829.exe

Filesize
15KB

MD5
da43181a301c95f13077505e57347039

SHA1
fe837554f2343e95fbaf8d6e19977f70e33767c7

SHA256
295569db7893a74c62b7c2289c941dbc03c6c0354d69442cdb71fec1bbac7158

SHA512
2fb0d18a471d55824b92d3fd6177064796a1ea12eb8021ea9fdc8e082d0af68c061541ec3b6548e1289ef86b09cb3fce137a19b337770cbade0e70a9194fe878

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9BCE.exe

Filesize
15KB

MD5
37fe8b49875ad07018b9616b18e52020

SHA1
9296fb91886a074280e9f6d6b3d5b8e51df32ccb

SHA256
756fd20648e78f71651c34244b809437c26211476d4d5455fb21e886c22a9e3b

SHA512
7aee173fb530a5870d2b4ebc1faed66869a3a3dd691a2abed7cbd906816c7e0ebc5024958177b141fc7b6dd8d91e48fb949015df6d1848c4f9e0161ca2c7b211

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEF03.exe

Filesize
15KB

MD5
1a7ae5475305166cee6b6ffb89e78064

SHA1
1c288942b06079529038398ceeda849ccf6f3423

SHA256
3f6fb85afc3e838dd3d0a591be424c5b6c7ccfedd7cd83ae7e9c93568f2dbbf5

SHA512
7c7dc6c8f1929b61856d20729efa67e94db78bed9d583a97991e77332c1581b44c546a626ae8143d26bfd6519bb12fd55c9565b9b94ac6b3aeb789f53e978163

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF20C.exe

Filesize
15KB

MD5
84e1a93857a2ec12eaa81e014d69309e

SHA1
5ccdaad72733b98b7887610afda5f8600f7d28f4

SHA256
9a9d88e7f8c2b6a3d01d5f07a581a814947e51690d15eb6d4354b1feb7cefd4c

SHA512
cc60b4a4e76f16bd23aadd5df16c3589b9aaa3eda3356a2f540a25e0288c009670c350aa5d6c83ae4b47c4a77c42d4b69d97b7f43288dc1b1ced269b5c0da0c8

Download Submit

Analysis

Sharing