c4dc5d4b05c3e8f463004bd8437ab36356cea6c5ac303d01bddc939624424a41

General

Target

121cb64cfbafc04a67befb3a4e1d5d71_JaffaCakes118.exe
Size

13KB
MD5

121cb64cfbafc04a67befb3a4e1d5d71
SHA1

436102e5c1a9742a03a1217444702441e5e1b26b
SHA256

c4dc5d4b05c3e8f463004bd8437ab36356cea6c5ac303d01bddc939624424a41
SHA512

93a5b562b3fe491bfa1a1e6c0c32bcf8d0e6d5312267e9fbe1f4372bbb9cb22b650b0a69750c92754841fccfc2e38ddada1cfbfebb756c8323259c95e55c0dcc
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv:hDXWipuE+K3/SSHgxx

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	DEMB9B6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	DEM1081.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	DEM671D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	DEMBE35.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	121cb64cfbafc04a67befb3a4e1d5d71_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	DEM624F.exe

Executes dropped EXE 6 IoCs

pid	Process
2316	DEM624F.exe
2764	DEMB9B6.exe
3860	DEM1081.exe
1260	DEM671D.exe
2084	DEMBE35.exe
3884	DEM151F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB9B6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1081.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM671D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBE35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM151F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	121cb64cfbafc04a67befb3a4e1d5d71_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM624F.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2316	1676	121cb64cfbafc04a67befb3a4e1d5d71_JaffaCakes118.exe	98
PID 1676 wrote to memory of 2316	1676	121cb64cfbafc04a67befb3a4e1d5d71_JaffaCakes118.exe	98
PID 1676 wrote to memory of 2316	1676	121cb64cfbafc04a67befb3a4e1d5d71_JaffaCakes118.exe	98
PID 2316 wrote to memory of 2764	2316	DEM624F.exe	101
PID 2316 wrote to memory of 2764	2316	DEM624F.exe	101
PID 2316 wrote to memory of 2764	2316	DEM624F.exe	101
PID 2764 wrote to memory of 3860	2764	DEMB9B6.exe	104
PID 2764 wrote to memory of 3860	2764	DEMB9B6.exe	104
PID 2764 wrote to memory of 3860	2764	DEMB9B6.exe	104
PID 3860 wrote to memory of 1260	3860	DEM1081.exe	106
PID 3860 wrote to memory of 1260	3860	DEM1081.exe	106
PID 3860 wrote to memory of 1260	3860	DEM1081.exe	106
PID 1260 wrote to memory of 2084	1260	DEM671D.exe	108
PID 1260 wrote to memory of 2084	1260	DEM671D.exe	108
PID 1260 wrote to memory of 2084	1260	DEM671D.exe	108
PID 2084 wrote to memory of 3884	2084	DEMBE35.exe	110
PID 2084 wrote to memory of 3884	2084	DEMBE35.exe	110
PID 2084 wrote to memory of 3884	2084	DEMBE35.exe	110

C:\Users\Admin\AppData\Local\Temp\121cb64cfbafc04a67befb3a4e1d5d71_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\121cb64cfbafc04a67befb3a4e1d5d71_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\DEM624F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM624F.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\DEMB9B6.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB9B6.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\DEM1081.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1081.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3860
    - - C:\Users\Admin\AppData\Local\Temp\DEM671D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM671D.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1260
      - C:\Users\Admin\AppData\Local\Temp\DEMBE35.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBE35.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\DEM151F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM151F.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3924,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8
1⤵
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1081.exe

Filesize
13KB

MD5
d44b5ac4870eded1533ae2dd9aab4cbc

SHA1
4387bc7eecff4ab69c485c78e32a4790df927f7c

SHA256
fce23a0bf4ce7e616d7c13be7f1b82c8829dc23c67bbe0f4d4a1bec986a689a2

SHA512
84b84366d6184efb5d127dcd4e340bf320cf74897f7074361e80ad0207ad1d44fbed69af3ed012539800c03a43e3104892f42d4295d70d60063468156736dc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM151F.exe

Filesize
13KB

MD5
4830ee191829feaf9d328c69ec1993e9

SHA1
8ae2df361fd2dc364e39350b31a1cd9c25c31b46

SHA256
98d583fabc45909ef880614816846c570079d8a4b27c09e6d6df43f79a2dbd6b

SHA512
1e8f409ca0f3e5a093356a10b3761ed904e5c52c8fc0d6a132d751ad298415ce25ee0eecb9285abb54d959d0604d5827dec29c7ff11254461fca571d5702e0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM624F.exe

Filesize
13KB

MD5
9f43f97faf467d5bd84ae97654b65752

SHA1
674666760506d89088564130c02ec8397c457015

SHA256
84a782e1b31375dde5409e6edf750591d59e227df6ae01aecf5d574b9e6fca66

SHA512
67b2ef0141d3243373d9287c58c481dee9fdea39ab086418a9345d8924d9ca042e9f4799aed19fbddd5051e00ff7342a0e3eb72b00bbf5b54b30cdc2ef0ee363

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM671D.exe

Filesize
13KB

MD5
f9b7cfa072d012614ffc27e6bdc68a4f

SHA1
87ec7d1b4017ea67f26c11cb7282621929c81e11

SHA256
f3fe9cc6044dff105d1ead5335783c9cb851604808f380079a0882d4b89a427b

SHA512
fea3acc1b51057138ecd08b158c115a240fcffbc11242206cc036d2fd03de62ed17947783c165dadffaace0e26e02f364357940aa6b4c3dc8012c8689c061887

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB9B6.exe

Filesize
13KB

MD5
9d6f3335220f25e83129675a3b8f2abe

SHA1
8158cb8958a6e04e5dae30148642a1a31124cf79

SHA256
015cfe0ed735a5666ad282d5f21f3c9ffa13617af8f370845b84b2ad8563eaaa

SHA512
9d9a84c18cfd832df681e3b192d754877b931f79ca3f68800c6e4d43ba7a0a1d2a74452a30ccadcc623dafd30837b566dda7ef7191adccf3c527a06167840c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBE35.exe

Filesize
13KB

MD5
5e9014b8f05c5954f5c256bfc0a18f7f

SHA1
b8b006cbcc21634ea2fde83173d2bdfffe113b2c

SHA256
626098283e7b702082dbd1d2a23edc826ca1e10b9b4e17b6b8abd4365312f0ef

SHA512
9c9620afbecc036a6d19eadbc02341967a0450a7171a1542ae12d6d133c8b773b0228570d5379a497f87801a54fa5386390ded647e7bf54ac446e96d3b6c0db4

Download Submit

Analysis

Sharing