f68879b1b17ece33516365893e7d10cc149e3ce2e93fcbbdc4a7c6c7fe7dd415

General

Target

JaffaCakes118_f9ec4ebf625e99b681fd01f794be27d0.exe
Size

14KB
MD5

f9ec4ebf625e99b681fd01f794be27d0
SHA1

45cfbe707ae9a9035f47d82443607cd97e4897af
SHA256

f68879b1b17ece33516365893e7d10cc149e3ce2e93fcbbdc4a7c6c7fe7dd415
SHA512

81abda48d10e39cf8aa7e4cc46d4b57e15bf5843c1f5c505b2587ea64c0f63ab49c40924555525b76bb9fa2b29939d8c88c4f006a211b4519333ae9f7b46b850
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdHHuS:hDXWipuE+K3/SSHgx3NHHB

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_f9ec4ebf625e99b681fd01f794be27d0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEMB4B9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEMB84.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEM6165.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEMB7B2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEME3F.exe

Executes dropped EXE 6 IoCs

pid	Process
3112	DEMB4B9.exe
2708	DEMB84.exe
3224	DEM6165.exe
2564	DEMB7B2.exe
4428	DEME3F.exe
4308	DEM64FA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9ec4ebf625e99b681fd01f794be27d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB4B9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB84.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6165.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB7B2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME3F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM64FA.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 3112	3000	JaffaCakes118_f9ec4ebf625e99b681fd01f794be27d0.exe	90
PID 3000 wrote to memory of 3112	3000	JaffaCakes118_f9ec4ebf625e99b681fd01f794be27d0.exe	90
PID 3000 wrote to memory of 3112	3000	JaffaCakes118_f9ec4ebf625e99b681fd01f794be27d0.exe	90
PID 3112 wrote to memory of 2708	3112	DEMB4B9.exe	94
PID 3112 wrote to memory of 2708	3112	DEMB4B9.exe	94
PID 3112 wrote to memory of 2708	3112	DEMB4B9.exe	94
PID 2708 wrote to memory of 3224	2708	DEMB84.exe	96
PID 2708 wrote to memory of 3224	2708	DEMB84.exe	96
PID 2708 wrote to memory of 3224	2708	DEMB84.exe	96
PID 3224 wrote to memory of 2564	3224	DEM6165.exe	98
PID 3224 wrote to memory of 2564	3224	DEM6165.exe	98
PID 3224 wrote to memory of 2564	3224	DEM6165.exe	98
PID 2564 wrote to memory of 4428	2564	DEMB7B2.exe	100
PID 2564 wrote to memory of 4428	2564	DEMB7B2.exe	100
PID 2564 wrote to memory of 4428	2564	DEMB7B2.exe	100
PID 4428 wrote to memory of 4308	4428	DEME3F.exe	102
PID 4428 wrote to memory of 4308	4428	DEME3F.exe	102
PID 4428 wrote to memory of 4308	4428	DEME3F.exe	102

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9ec4ebf625e99b681fd01f794be27d0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9ec4ebf625e99b681fd01f794be27d0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\DEMB4B9.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB4B9.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Users\Admin\AppData\Local\Temp\DEMB84.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB84.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\DEM6165.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6165.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Users\Admin\AppData\Local\Temp\DEMB7B2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB7B2.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Users\Admin\AppData\Local\Temp\DEME3F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME3F.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\DEM64FA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM64FA.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6165.exe

Filesize
14KB

MD5
57f560f651dce0bc55a519055bc290bc

SHA1
d4a29403381423b2bce066c32c872e07f2f8ecea

SHA256
c4ff90e5ac4c1f7abcb880e2516828750efa72accca11b839c23f1091179eb90

SHA512
3c80f79b2fd0656cef0b7c5b2f0f905216fc7241e5ec87cae376da55be1587146160f02d89f2f49d5eca52152734f770764af7e1e1121d659af07f2bd3f8e346

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM64FA.exe

Filesize
14KB

MD5
8dd03bc79e3ac2afc1211c551a3e5d7e

SHA1
37c51c45a8db27f895b7aef8255b16fdd43807d4

SHA256
0a954a7168d4cee4eb15d8af67204e5ab967b281c8145ba67eefa0305248b595

SHA512
cd4f4f4d08bcf6ba74a6ac9b264366af5444d41eb51e49cc502c8e75714650af463e7e92b143214f2bdd4a5feed58bb0b167827bd03f3034801b4fdbe46fae34

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB4B9.exe

Filesize
14KB

MD5
927f93941f6838f85e21c6c7c6e953b7

SHA1
e244b2e8c950d6f4582599569665ae9b508e9147

SHA256
33024eefe2b51e374c7a00f4b5ada08e164ad44a97065810a7b8cab1afa42f06

SHA512
3fc382514d2912591a93dacdbb9785de1e892bca1fb431f7d269c6b017e89a3a09b49fb9b10e5ef9eba0278d69437199fa260a939c14d639f384ea7605b498e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB7B2.exe

Filesize
14KB

MD5
cda640e22172d0dbe6ce441416872774

SHA1
3dae8ef3fec99afe0f29fd1a15284047fdd1192f

SHA256
c2dfd83439698e9a32ec9fe0f4a802b0d67b08f6b388b260010fd14ca98d01a1

SHA512
e7a83b9571c3399ab8a20ed962270172f8f8f27e30978876386d40b6728eb092968811a5f78fd0a9df3e674574e7826c961a8c775c4b91aae8d1f716b48578e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB84.exe

Filesize
14KB

MD5
c251765cb1e31a8cd8eb62aaff04cac6

SHA1
84986afa19ff30087108e46496a997a38ef3e533

SHA256
62ef533f7d2075505e915ec5c3d1e72691fd43d04978a54ae5c58c5ddef6c43a

SHA512
f0a59d9aae66553d99d76bc0b3ff22b857f34a86bdc46885fde215210da571293ae66a440c30abead1d80f0058d43a3cbdd2a9c062d4071a1fb7e5a129491798

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME3F.exe

Filesize
14KB

MD5
343d560a9e6de73efb3b535a99d95fa6

SHA1
15141b9167d73ce8f7967b01ef00e11344a3a522

SHA256
7e1fa3521c9969222582363f802a5f616cd1e639027c4b870c23c864d2918133

SHA512
319f647811126d0b2170e3b80ce3bb08b5884f2ab4ae732e51f65df641586e2e2b0c0ca5a63788af5bc2a6f8b3727aa99428ccaa9d26525c66d6dfb73be9f2fd

Download Submit

Analysis

Sharing