03f5bb9657f3509ade7b7c9d998a11f7f922489aa8de906fa94f70c5487c2901

General

Target

JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe
Size

13KB
MD5

f9feddb8d9d2e15ef6a9d53e7014a152
SHA1

97bed1b600d6d402db7e53de8a3681e5d5918537
SHA256

03f5bb9657f3509ade7b7c9d998a11f7f922489aa8de906fa94f70c5487c2901
SHA512

71e48c41901fc3156fad55c2f5c8878d455c2d326ab47fafc04e65e4efb720970a05c9a49c8d6db6511292c55619d413a299c068e3874bf3ce59f36a56a2d680
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhbuQK:hDXWipuE+K3/SSHgxcQK

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEMA2C8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEMF954.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEM4FA2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEMA5C1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEMFC0E.exe

Executes dropped EXE 6 IoCs

pid	Process
3156	DEMA2C8.exe
876	DEMF954.exe
4548	DEM4FA2.exe
2028	DEMA5C1.exe
4120	DEMFC0E.exe
4300	DEM521E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4FA2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA5C1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFC0E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM521E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA2C8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF954.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 3156	3492	JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe	92
PID 3492 wrote to memory of 3156	3492	JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe	92
PID 3492 wrote to memory of 3156	3492	JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe	92
PID 3156 wrote to memory of 876	3156	DEMA2C8.exe	96
PID 3156 wrote to memory of 876	3156	DEMA2C8.exe	96
PID 3156 wrote to memory of 876	3156	DEMA2C8.exe	96
PID 876 wrote to memory of 4548	876	DEMF954.exe	98
PID 876 wrote to memory of 4548	876	DEMF954.exe	98
PID 876 wrote to memory of 4548	876	DEMF954.exe	98
PID 4548 wrote to memory of 2028	4548	DEM4FA2.exe	100
PID 4548 wrote to memory of 2028	4548	DEM4FA2.exe	100
PID 4548 wrote to memory of 2028	4548	DEM4FA2.exe	100
PID 2028 wrote to memory of 4120	2028	DEMA5C1.exe	102
PID 2028 wrote to memory of 4120	2028	DEMA5C1.exe	102
PID 2028 wrote to memory of 4120	2028	DEMA5C1.exe	102
PID 4120 wrote to memory of 4300	4120	DEMFC0E.exe	104
PID 4120 wrote to memory of 4300	4120	DEMFC0E.exe	104
PID 4120 wrote to memory of 4300	4120	DEMFC0E.exe	104

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Users\Admin\AppData\Local\Temp\DEMA2C8.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA2C8.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\DEMF954.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF954.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\DEM4FA2.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4FA2.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4548
    - - C:\Users\Admin\AppData\Local\Temp\DEMA5C1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA5C1.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2028
      - C:\Users\Admin\AppData\Local\Temp\DEMFC0E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFC0E.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\DEM521E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM521E.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4FA2.exe

Filesize
14KB

MD5
3a5870071b5b66dbf7bd9e247e66a61a

SHA1
f71a24d8870554dfa4e1a573497637804a2d4e25

SHA256
4a8f324b9c69b3eee64350036a873c0c39154039bbba5e01b5e0f3f37147ef80

SHA512
f2070305523b0c9224dbc1e43b6921c72814b970df346938be32019143105f074479fae4bd4525657fe8b8539458588f410f86f6c178d06101892d0b60235ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM521E.exe

Filesize
14KB

MD5
05205ca2249fbbb37cfe00674bff910d

SHA1
4da4509efafa90a179d199391bd4e33e2fce2ced

SHA256
1474ded8ac32e74fba236159c4097f5056c6ba0b9a58bae5abf9b71406311051

SHA512
4984510610b374115b173af2f71ee54902d9df664286bfa837314a45f56f8f2e3c25c53d7ed78d639383e41fa9e67422a01a2bdcd697c5b25f4572977c4a32ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA2C8.exe

Filesize
13KB

MD5
bfed50944015dad363e3e46e2ac1b3ad

SHA1
6cff4a66403960e434826f0d0ee837c4213ab468

SHA256
f7c00022ac7d4f974c7980dba4f4c21225dbdd16e9375b0feda5e2f09161d548

SHA512
e0ade4c87557d76fe2744bae546f8085edb03da072f84c144716cb3c57f969e3037ed5ef50e74e096ee5af36e457ddb8dcc2953cda7976cbad66eb44b0b1c4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA5C1.exe

Filesize
14KB

MD5
83e8e8031abc682dbda239cf39045e65

SHA1
3219c3ce58cbde2b37e282f59963737aac3eadab

SHA256
733b20976c48d7725f77c75eca8666fcc4e53f0869351d9bf6a0f5ac59969316

SHA512
d04891c1fd51da1fc7272342f01efb11f38b1380a1d1e2ac2b6096cecff9d0e1f6834dfbd90177930ce42bc325da29dcaf7e94a24fe60df41041941a47a9a2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF954.exe

Filesize
14KB

MD5
a9c244dcb23fa6d95b61f1e6d74f0a67

SHA1
ebda89b75c3722f372a1ffff1321f2f31311a07f

SHA256
49750ef2ec7f477d3ea15cecc7ba330de2225e612d7e6a7e6a1b02a93a34ed60

SHA512
d2dd0b3184b68124416c947256200034fc4422bc6238903be635f66e266eaa5386c4c2c15a6aebdf1d5fd7432e22daad2f6fa0be35fced2c4d60e0fd189cdd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFC0E.exe

Filesize
14KB

MD5
777a2a4e23a6b0072004dc2efb8fdacf

SHA1
ac5c670e5b7ced73d1650f555f8310e833767d70

SHA256
8caded0c7517735acad688b2e2a948d0420e3dde74ac0538ed470bcdf4447883

SHA512
98bc8b64f0edbc0e1feee158846009aabf9a0119b5c5728852b7d127a163ea4f34d7c9c14b331d6f2ada1f3a7f3b635cc79e041d1d6549d6eec1b5b3b8b8dab4

Download Submit

Analysis

Sharing