f045a9eca55ba45e06dbadc664190dcbb61c22e07a64a17fe5c05bd99dd28e19

General

Target

JaffaCakes118_fa0bda39bd5bb8c5b35950a27156bcc9.exe
Size

20KB
MD5

fa0bda39bd5bb8c5b35950a27156bcc9
SHA1

3ceec14f46fba6389d0b315cc8a302ebb2eaff25
SHA256

f045a9eca55ba45e06dbadc664190dcbb61c22e07a64a17fe5c05bd99dd28e19
SHA512

ebda50653458d6fe2c8714c8560dcb86aff40624ef22abaab821ddb8600dd77bafaf4514b921e49deba7af8991ee9f96236ba6077fd2fbd5e6e063d16626a1f3
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4ogiA:hDXWipuE+K3/SSHgxmHZoy

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	JaffaCakes118_fa0bda39bd5bb8c5b35950a27156bcc9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEMB1DB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEM8C5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEM5EC5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEMB512.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEMB51.exe

Executes dropped EXE 6 IoCs

pid	Process
2792	DEMB1DB.exe
2964	DEM8C5.exe
1404	DEM5EC5.exe
2956	DEMB512.exe
1556	DEMB51.exe
4892	DEM617F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB512.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM617F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fa0bda39bd5bb8c5b35950a27156bcc9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB1DB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8C5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5EC5.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2792	2276	JaffaCakes118_fa0bda39bd5bb8c5b35950a27156bcc9.exe	93
PID 2276 wrote to memory of 2792	2276	JaffaCakes118_fa0bda39bd5bb8c5b35950a27156bcc9.exe	93
PID 2276 wrote to memory of 2792	2276	JaffaCakes118_fa0bda39bd5bb8c5b35950a27156bcc9.exe	93
PID 2792 wrote to memory of 2964	2792	DEMB1DB.exe	102
PID 2792 wrote to memory of 2964	2792	DEMB1DB.exe	102
PID 2792 wrote to memory of 2964	2792	DEMB1DB.exe	102
PID 2964 wrote to memory of 1404	2964	DEM8C5.exe	104
PID 2964 wrote to memory of 1404	2964	DEM8C5.exe	104
PID 2964 wrote to memory of 1404	2964	DEM8C5.exe	104
PID 1404 wrote to memory of 2956	1404	DEM5EC5.exe	106
PID 1404 wrote to memory of 2956	1404	DEM5EC5.exe	106
PID 1404 wrote to memory of 2956	1404	DEM5EC5.exe	106
PID 2956 wrote to memory of 1556	2956	DEMB512.exe	108
PID 2956 wrote to memory of 1556	2956	DEMB512.exe	108
PID 2956 wrote to memory of 1556	2956	DEMB512.exe	108
PID 1556 wrote to memory of 4892	1556	DEMB51.exe	110
PID 1556 wrote to memory of 4892	1556	DEMB51.exe	110
PID 1556 wrote to memory of 4892	1556	DEMB51.exe	110

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0bda39bd5bb8c5b35950a27156bcc9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa0bda39bd5bb8c5b35950a27156bcc9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\DEMB1DB.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB1DB.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\DEM8C5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8C5.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\DEM5EC5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5EC5.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Users\Admin\AppData\Local\Temp\DEMB512.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB512.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2956
      - C:\Users\Admin\AppData\Local\Temp\DEMB51.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB51.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\DEM617F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM617F.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5EC5.exe

Filesize
20KB

MD5
f22fbc096f0c5af1e54f71b1a11bff56

SHA1
aff0fb695d44dc3313346f1512b7ed04e1c60fb1

SHA256
4ccee9d0841dcd8dc6ba16dc6068db26c71cc6ed675cc4f83970f616debef0d0

SHA512
b44b4a517990511617a7c84c6738565008cf90cd1b85705522fdebbcbb0a3a3602cce758f901e8433f1c72021756b6ccfc66fc0d1edd482ed63a4485934f05cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM617F.exe

Filesize
21KB

MD5
9f73de80c9805b9a35e703da1bd48c82

SHA1
7d72971454731fab465f92a3698258b419d8c0a4

SHA256
f70d67252d739942c42a2bbcb9152df37951cd22d76a6adc68a704d9b8c9bb8b

SHA512
70cfbc6c484a37c2f816aba74270d7ddf13940a41aa25859e781e53ac5d29a8c24ae707e4652ed9737919602e24fd5fca48b95f320409494b00dc96dff00aa68

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8C5.exe

Filesize
20KB

MD5
ee251c539d37df3fe4b80067c4633d7a

SHA1
680fe2fe9acd5b764661ca256c22a0bfb5d93286

SHA256
b7b746de599c0a5fc2b7af0b8994e6946bbe6542343b41c484b45c092472a77b

SHA512
1f161aea99d7c652ffaf8b22a16f2c4a872e59ad2f04208eed7c88f362954f768ccf0d385822747576a5a7b8a4baffe6350f423b74a8e88390431c16642d6727

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB1DB.exe

Filesize
20KB

MD5
82980e169de0fcce9837bbdc289c8a2d

SHA1
d26c4806657cad28d2c17b1e66a2f70edeebf6fd

SHA256
df51cf643fe7a5e3344951708851eda311c1bb2d1ac0087b389d80a42f646b97

SHA512
c1d96bd56a9c8ede3a69fd17e072dfad99b7e0302bf95cfb85a79f59e7352b09511ee82849675315cd0a2c68c69027763df68b656db0e7caa85c6ef6cac8f1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB51.exe

Filesize
20KB

MD5
a32f64a92f03c26fc0d94ca5e2385df4

SHA1
f84bf9736a8b3694e88b827450759d05e718ba2e

SHA256
64433f470b9da8ceaccb77837cb3c332cda38e11ea1d3e7629e318784e2acd3e

SHA512
09b22b6f1a53df8c013befeaab6106cc08541976dd5f644ae45b26bfd81eda9dea99a00f7c48802d71b9d6e525491335babade44d093df9ff3ea9aa5c9bb9c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB512.exe

Filesize
20KB

MD5
c2a64e025ea8ee93f9d6b52fd257f618

SHA1
849f1d792f98d9f0672bebf140fc6ad3550434ff

SHA256
8ada1fc6452ab2c7f5ed765b4710c53b16a801033308ed9e18a523854e48c837

SHA512
c1bbb5f15a42d4f99cecf21e00db043f1df4a16b617fd92f22ad812da4564fbad6c2d93f3592af9abe8aac715cd831a4082b215157668c578cb451dfacf86039

Download Submit

Analysis

Sharing