6290d583c1b37bf5819406a8128a76ef284040b96aef789de4f3aab8818455e6

General

Target

JaffaCakes118_f9e0fd5dfff8c99764144f1d7ab15853.exe
Size

16KB
MD5

f9e0fd5dfff8c99764144f1d7ab15853
SHA1

921995bd52e980f264d773be02ec6fe667963a11
SHA256

6290d583c1b37bf5819406a8128a76ef284040b96aef789de4f3aab8818455e6
SHA512

4c7d0ff49323462f5419ca73583eb49b48dbfeecca0a4ec8823193ac85655b72876c66fec9c95fb39a066d044d124acea0fefbc804eb48384a6ffc46cd0fc31d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvcn:hDXWipuE+K3/SSHgxmkn

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEMB798.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEME72.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEM653D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEMBB6B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEM1227.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	JaffaCakes118_f9e0fd5dfff8c99764144f1d7ab15853.exe

Executes dropped EXE 6 IoCs

pid	Process
4916	DEMB798.exe
4704	DEME72.exe
4288	DEM653D.exe
2188	DEMBB6B.exe
4144	DEM1227.exe
4076	DEM6855.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM653D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBB6B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1227.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6855.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9e0fd5dfff8c99764144f1d7ab15853.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB798.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 4916	4396	JaffaCakes118_f9e0fd5dfff8c99764144f1d7ab15853.exe	96
PID 4396 wrote to memory of 4916	4396	JaffaCakes118_f9e0fd5dfff8c99764144f1d7ab15853.exe	96
PID 4396 wrote to memory of 4916	4396	JaffaCakes118_f9e0fd5dfff8c99764144f1d7ab15853.exe	96
PID 4916 wrote to memory of 4704	4916	DEMB798.exe	101
PID 4916 wrote to memory of 4704	4916	DEMB798.exe	101
PID 4916 wrote to memory of 4704	4916	DEMB798.exe	101
PID 4704 wrote to memory of 4288	4704	DEME72.exe	103
PID 4704 wrote to memory of 4288	4704	DEME72.exe	103
PID 4704 wrote to memory of 4288	4704	DEME72.exe	103
PID 4288 wrote to memory of 2188	4288	DEM653D.exe	105
PID 4288 wrote to memory of 2188	4288	DEM653D.exe	105
PID 4288 wrote to memory of 2188	4288	DEM653D.exe	105
PID 2188 wrote to memory of 4144	2188	DEMBB6B.exe	107
PID 2188 wrote to memory of 4144	2188	DEMBB6B.exe	107
PID 2188 wrote to memory of 4144	2188	DEMBB6B.exe	107
PID 4144 wrote to memory of 4076	4144	DEM1227.exe	109
PID 4144 wrote to memory of 4076	4144	DEM1227.exe	109
PID 4144 wrote to memory of 4076	4144	DEM1227.exe	109

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9e0fd5dfff8c99764144f1d7ab15853.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9e0fd5dfff8c99764144f1d7ab15853.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Users\Admin\AppData\Local\Temp\DEMB798.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB798.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\DEME72.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME72.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Users\Admin\AppData\Local\Temp\DEM653D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM653D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4288
    - - C:\Users\Admin\AppData\Local\Temp\DEMBB6B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBB6B.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Users\Admin\AppData\Local\Temp\DEM1227.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1227.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\DEM6855.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6855.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1227.exe

Filesize
16KB

MD5
08b87ea2a6ce8ddf1dc31bd5f7d9ccc6

SHA1
16d96da55c23a6b01437b2e6d767b57f84b2154c

SHA256
beceee201490608cb0c731e3bc41a6126b7ed4a51d6d9ae7ba353496918a49b0

SHA512
5f12e3c8fa7e82bc3fc5434fbdbbaac2a5d846d0f1f581f8a2b598116ad6134ce200b3335ea2e2658d49bf722798ab01d838f1c092c8e498da106cc9afb387f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM653D.exe

Filesize
16KB

MD5
eda2e9f7270a69eb3b5cd5a4c3b8f36b

SHA1
538fb6f3f82cc117f05a89303e47e7d622ffd7bf

SHA256
f8864dee7c3093db0554a92a03aa3f2ee447ff3e2631efbdedd5dbcf0521fb87

SHA512
648031ad70a26a63fbf11d46b75fb45f53a234bee31d02800ab893a027e517f05239a7ea7a6a4a7ee3b5f06093562495b4d5286007704436d8d3e2fbf163aaf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6855.exe

Filesize
16KB

MD5
8d7b5ee7c36e3ab7f3dc87267167ab80

SHA1
2c8772dca51cb570fe6a6faa534e4ced74eb55e0

SHA256
fb241ae51eb242a38ecc3665a85b7b4bf592100b3ca9555e86123fd59bb3bf16

SHA512
29a85c36e631af69d34d818f8b4e0dc5a96f7ce965c8779612fcb50475bba209dc968a27c1fe5e4d81b5b0f0e65c794547a9fcb54b0cbf063754161aa7c544f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB798.exe

Filesize
16KB

MD5
d16e2cf2b4ca167ac38090a7edc0771d

SHA1
c8817e11fc945b2bb79bb7c50ed1a6fb4e52cc9f

SHA256
a82fcbe5c7a8a0dfb8c6274ca8cb86c528d9a3e169c46dc8296c48541b4b12c6

SHA512
0a28ded86e381c615585297e919f39ab28cfc018c2de259cc7306d3235b9733f5450a0a5c6b1fdd5d5b3acf3b5eb24d651f66b3349335a878c86a01d1e5c0140

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBB6B.exe

Filesize
16KB

MD5
898278a506ac6b4b8f8dd77c48ce4c06

SHA1
599bb1ddd91e9092f79dc3cc137efd47e42c9ff4

SHA256
8cdf28ccd39e76f03b811af603773728c90d6cb05c8b160f6c9f52e340a6d96c

SHA512
6d2b4b8939332ae6d51db56bddcaeaa65eafe5a1bb2061f6f7f1529361418fec3c5f629f0af6b6a73d072048f7f30cec916bc2fab803bb69a3298e6767e04bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME72.exe

Filesize
16KB

MD5
1b986bd139eb3b3e32a4d25cab612be6

SHA1
7296f3ecf2380945fac8dc0f5b37f644da7b2c17

SHA256
6150278587afe1086e4fe361ffb13ee7530a013602ba36abfb1886c4b594a6e7

SHA512
77f52259cf9ce9460eda03943a87713ff8b38faa87bd8968cb175c10efe3af1bfbbf95710ff8989670dc50f35396e7a259493e0fca9ac2f56be057d0ec069f0f

Download Submit

Analysis

Sharing