53cb45eb4276a529f7365cb9f4595a91c1ef825d21a069442060d8949df8d439

General

Target

21da71794face3dcaacb2633ce306328_JaffaCakes118.exe
Size

16KB
MD5

21da71794face3dcaacb2633ce306328
SHA1

8f62603b89c8c8460d41d15bd2c7edd7f5abc1cd
SHA256

53cb45eb4276a529f7365cb9f4595a91c1ef825d21a069442060d8949df8d439
SHA512

d364242120fcfbd50a0ce761fecb228cd3c6f3fa08ae1d3085512f8897e806438169502a4d09ddb664aeee77a04c5e0fab4a6d27a575b295704cd4031620a490
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYETKkV:hDXWipuE+K3/SSHgxmOTV

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM197A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM718C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	21da71794face3dcaacb2633ce306328_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMFBE4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEM6889.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DEMC186.exe

Executes dropped EXE 6 IoCs

pid	Process
3804	DEMFBE4.exe
3196	DEM6889.exe
452	DEMC186.exe
3764	DEM197A.exe
1564	DEM718C.exe
3024	DEMCA4B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 3804	3904	21da71794face3dcaacb2633ce306328_JaffaCakes118.exe	103
PID 3904 wrote to memory of 3804	3904	21da71794face3dcaacb2633ce306328_JaffaCakes118.exe	103
PID 3904 wrote to memory of 3804	3904	21da71794face3dcaacb2633ce306328_JaffaCakes118.exe	103
PID 3804 wrote to memory of 3196	3804	DEMFBE4.exe	106
PID 3804 wrote to memory of 3196	3804	DEMFBE4.exe	106
PID 3804 wrote to memory of 3196	3804	DEMFBE4.exe	106
PID 3196 wrote to memory of 452	3196	DEM6889.exe	108
PID 3196 wrote to memory of 452	3196	DEM6889.exe	108
PID 3196 wrote to memory of 452	3196	DEM6889.exe	108
PID 452 wrote to memory of 3764	452	DEMC186.exe	110
PID 452 wrote to memory of 3764	452	DEMC186.exe	110
PID 452 wrote to memory of 3764	452	DEMC186.exe	110
PID 3764 wrote to memory of 1564	3764	DEM197A.exe	112
PID 3764 wrote to memory of 1564	3764	DEM197A.exe	112
PID 3764 wrote to memory of 1564	3764	DEM197A.exe	112
PID 1564 wrote to memory of 3024	1564	DEM718C.exe	114
PID 1564 wrote to memory of 3024	1564	DEM718C.exe	114
PID 1564 wrote to memory of 3024	1564	DEM718C.exe	114

C:\Users\Admin\AppData\Local\Temp\21da71794face3dcaacb2633ce306328_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21da71794face3dcaacb2633ce306328_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Local\Temp\DEMFBE4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMFBE4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Users\Admin\AppData\Local\Temp\DEM6889.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6889.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Users\Admin\AppData\Local\Temp\DEMC186.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC186.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:452
    - - C:\Users\Admin\AppData\Local\Temp\DEM197A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM197A.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3764
      - C:\Users\Admin\AppData\Local\Temp\DEM718C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM718C.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\DEMCA4B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCA4B.exe"
        7⤵
        Executes dropped EXE
        
        PID:3024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM197A.exe

Filesize
16KB

MD5
98d59e8fe139bc056906eb20de072da9

SHA1
48e17026a40e06fd1a63a2aee0f96b4cb5a45dd6

SHA256
a417ed6eb7b4f1074ffc9c7f777d22a526fce5cc783ffe61f6fe9d855b17ae96

SHA512
fbc2d74e96c27f229843ab4de85d201ff2cb6e7d1a2de2cf63e7ec5b0f6aa5b270e8d10de7bdbad668c24a2702f53654644d0b69126af5a8d914d93da11d6723

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6889.exe

Filesize
16KB

MD5
28b424647bf49a39a9de70081102f740

SHA1
4cfe1f7b9ddb638ab47518bce8a0e2976726f98e

SHA256
5f10d26ec6ce08e21b0bd7772abc55555508b47ced6e70d742bda5e34898e865

SHA512
10da4d7a8f49b817b2de67794731e5598ade3c9aa13748d0477f651d4a411ea480c9f9ac7a606b6f3ecde835e2a08c576cd2ed86f460b8378de54319ab097c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM718C.exe

Filesize
16KB

MD5
f88ab42786994f9ba15a13597ca86835

SHA1
f39431da9d26e7ad05bd7e06fcffac75bffaf121

SHA256
af073653593d854c0c23f7e180c6b9243e4212b342d0bf02e000443f67c3e454

SHA512
ef713346a73be02c41e3f7a312ca61be8d605c7ab9a81209e80ba8e8b13c2194bc234f90c471395e1c6edf39dc4e4cb561c9498c9acf050b438d3a5d87970715

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC186.exe

Filesize
16KB

MD5
8185ca5af2e94f3074cd4faaf886a759

SHA1
78c3a773e4476650ad4eeaa462bedff72658e80b

SHA256
376f673969f384ff15e7d0b01f875f2bbfe7120098038a5f1099a55cae5206c5

SHA512
44985afadfe972308df40ecc500a9208c83c17f7dd78facf79f2f45656cdd491aa2890478da81aba20377ae76bd6e2fb543f9361f9e6f70e61dee2f494c691a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCA4B.exe

Filesize
16KB

MD5
1c3158e12906dfb23acd7c47093553cc

SHA1
b39df336e075a89a19e5e75ff3e211d9466fb47b

SHA256
8ae370911f69017c4214466d4d00a0701455dc6d255365eb20bda94d02908ea6

SHA512
9a7fdef790d18d12e4f53b2d03eb9bcfec288f09ef6df4cbbc0103e832a068a9d47f8360281529b60aaa139dbf0ceaefc106873fdd90cade32a551f8c0d25495

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFBE4.exe

Filesize
16KB

MD5
e661afed971360b878077f2bdfb97fe3

SHA1
33ba9d4091297e5435776bed7188289dde37a3c4

SHA256
c77375d938bd25bcbc8e76bb574c4d1c1d0da5161f4b5f7e19b4aea9ba7731cd

SHA512
6e046c380ddf927841e08645459442a91d7246e6b3e23668f3662f786cf2670d0094ba3325250633109065beac4ebcfdfa1d25bb7021b23e305d30ce7e55697b

Download Submit

Analysis

Sharing