3d615a756c1bff2d17fc837ad0a7147466b0d8b96986dc3c8f7c16df76e6e59c

General

Target

JaffaCakes118_f9e4724d8c0420ca64d7f092dc48c2b7.exe
Size

15KB
MD5

f9e4724d8c0420ca64d7f092dc48c2b7
SHA1

12ccb6299b339b7db145b991627a985ecd5b15b8
SHA256

3d615a756c1bff2d17fc837ad0a7147466b0d8b96986dc3c8f7c16df76e6e59c
SHA512

145fc7ebb4d367563c0f0a772bc04d3063d114a1fa4249f8ca2ead8aaf7e944fe6043f8c347da7d951ac1859eb64bc39acaaab9c2cc731bc2bfc418e1b4b3527
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJd8Z:hDXWipuE+K3/SSHgxh8Z

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_f9e4724d8c0420ca64d7f092dc48c2b7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEM8750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEMDE3A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEM3469.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEM8B05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEME181.exe

Executes dropped EXE 6 IoCs

pid	Process
3268	DEM8750.exe
4368	DEMDE3A.exe
2308	DEM3469.exe
1576	DEM8B05.exe
3140	DEME181.exe
4880	DEM37B0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDE3A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3469.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8B05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME181.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM37B0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9e4724d8c0420ca64d7f092dc48c2b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8750.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 3268	4768	JaffaCakes118_f9e4724d8c0420ca64d7f092dc48c2b7.exe	90
PID 4768 wrote to memory of 3268	4768	JaffaCakes118_f9e4724d8c0420ca64d7f092dc48c2b7.exe	90
PID 4768 wrote to memory of 3268	4768	JaffaCakes118_f9e4724d8c0420ca64d7f092dc48c2b7.exe	90
PID 3268 wrote to memory of 4368	3268	DEM8750.exe	94
PID 3268 wrote to memory of 4368	3268	DEM8750.exe	94
PID 3268 wrote to memory of 4368	3268	DEM8750.exe	94
PID 4368 wrote to memory of 2308	4368	DEMDE3A.exe	96
PID 4368 wrote to memory of 2308	4368	DEMDE3A.exe	96
PID 4368 wrote to memory of 2308	4368	DEMDE3A.exe	96
PID 2308 wrote to memory of 1576	2308	DEM3469.exe	98
PID 2308 wrote to memory of 1576	2308	DEM3469.exe	98
PID 2308 wrote to memory of 1576	2308	DEM3469.exe	98
PID 1576 wrote to memory of 3140	1576	DEM8B05.exe	100
PID 1576 wrote to memory of 3140	1576	DEM8B05.exe	100
PID 1576 wrote to memory of 3140	1576	DEM8B05.exe	100
PID 3140 wrote to memory of 4880	3140	DEME181.exe	102
PID 3140 wrote to memory of 4880	3140	DEME181.exe	102
PID 3140 wrote to memory of 4880	3140	DEME181.exe	102

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9e4724d8c0420ca64d7f092dc48c2b7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9e4724d8c0420ca64d7f092dc48c2b7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\DEM8750.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8750.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Users\Admin\AppData\Local\Temp\DEMDE3A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDE3A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Users\Admin\AppData\Local\Temp\DEM3469.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3469.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Users\Admin\AppData\Local\Temp\DEM8B05.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8B05.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Users\Admin\AppData\Local\Temp\DEME181.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME181.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\DEM37B0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM37B0.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3469.exe

Filesize
15KB

MD5
2dd2a23437f5e380f5ce988b4de1fe69

SHA1
a924b347305e097795db4375c62037ff2e629c97

SHA256
79c39e9366b2bce8e2f7fb3cad031240c5ef1fed5904b6b0aa54a2ab365d3cde

SHA512
988eeef75f4ad9aea08e1ec7ef91b103f764e4b4e1e4ce3931888f29c87cfa15683af41e227f8396fa5c8839336f7a64934d682a95729fef2c8551c87ace7d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM37B0.exe

Filesize
15KB

MD5
886bcfa2e23181b8fab76fb38603aecb

SHA1
9f4207a04f0c016e0997781d97c1316102218bf3

SHA256
c9c6255ed19ac5d2582e09547eaae7849c263bbc00c0fc12c8178777f65d44b2

SHA512
ab3e3fd66d34efedcd7a1497786fd64ba3a3e2a55bb2f7e669521a419e69f04042f86e1ec5ea664d3680ad3bf65d9706248bd829618a98849bc8c978160bbaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8750.exe

Filesize
15KB

MD5
b6d6402b8243335ed2240f84c1e53f60

SHA1
6bfbca4e25c66b669f03896339b2c81394389fa9

SHA256
d8f47491509ea27e6d909c1408cc335e348a9db2d032fcf0ce7d854bf275d45e

SHA512
6e37bc17cb2e84cf41072798519f261ce68f33101876b76f3f6cfb8da7418c922ae5dde48212200158fe621b9d3e75f9448a39df5dc68d821a356d1a9980e655

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8B05.exe

Filesize
15KB

MD5
ad66525e27ea2d29c67c5efd114fa9ea

SHA1
f12b7bcac1b5b679dbbcd47fc042b149c92197b6

SHA256
54f01f4a18236ca49d87a854347db00915a84ba626c7861138ba472bcbf72ffa

SHA512
63f95c36e19f34a9d886fc5eaf4c620506696fdb5f50095fd56f4c40463c039324b372e59bf45b49fe1acb4519c02336842b2626ef3bc5d2f2b014e1dcb9b4d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDE3A.exe

Filesize
15KB

MD5
d2038ae11d5aed307eb53ad27accb9c2

SHA1
7dc0c4e949754a3f49d1893ab4b88eebfe3b4f90

SHA256
4a9ec266bc3cbb85b07d7ba64d3613550d30f8e0893c3d1be7a7f54dba369419

SHA512
c60e725c61ceeacba26a9d3538b48364f351bc84bdb145e8bb8df960fb9b0d96c99ad971c0f41d1815549019ff4f2cf4097cbeeaf5f6932543b3d4be8c25efd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME181.exe

Filesize
15KB

MD5
a6fbd191f5372b1e860c72d97909e9cb

SHA1
137c83632c4861427ca5527029e1e84bb1c8e29d

SHA256
a27edfaa0836d779552cf9d4c38b003a3a2d4a202babe065da3ea7256270108b

SHA512
b1bb5f7d72206419793d527a4497eb80dd57f6932756adbde96f0d7a26ad1b63009370d247b784c8845d6d943e597423ce7109a38c63f60a07a62be0c609d140

Download Submit

Analysis

Sharing