f6396c9bde6f7fbaa8923e8b4fe6f5425da03d17ee5f51478e0ccfafd9298c71

General

Target

6829cd44c4455b477d6b05d169164f42_JaffaCakes118.exe
Size

14KB
MD5

6829cd44c4455b477d6b05d169164f42
SHA1

fc463f3c5c939adc99f39c9a8d3199e6abd5303d
SHA256

f6396c9bde6f7fbaa8923e8b4fe6f5425da03d17ee5f51478e0ccfafd9298c71
SHA512

f7553fd54424e1b1231849e0d76f86f4684eb402149493e4cf991e94e268e2b593eafd3d153814bef3e10239800416f3b2cab837294b0da768a40f32f2503f39
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhi6z:hDXWipuE+K3/SSHgx1

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2620	DEME2D0.exe
2416	DEM3830.exe
2656	DEM8DBF.exe
1916	DEME38C.exe
1908	DEM392A.exe
2896	DEM8E7A.exe

Loads dropped DLL 6 IoCs

pid	Process
1688	6829cd44c4455b477d6b05d169164f42_JaffaCakes118.exe
2620	DEME2D0.exe
2416	DEM3830.exe
2656	DEM8DBF.exe
1916	DEME38C.exe
1908	DEM392A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6829cd44c4455b477d6b05d169164f42_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME2D0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3830.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8DBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME38C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM392A.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2620	1688	6829cd44c4455b477d6b05d169164f42_JaffaCakes118.exe	31
PID 1688 wrote to memory of 2620	1688	6829cd44c4455b477d6b05d169164f42_JaffaCakes118.exe	31
PID 1688 wrote to memory of 2620	1688	6829cd44c4455b477d6b05d169164f42_JaffaCakes118.exe	31
PID 1688 wrote to memory of 2620	1688	6829cd44c4455b477d6b05d169164f42_JaffaCakes118.exe	31
PID 2620 wrote to memory of 2416	2620	DEME2D0.exe	33
PID 2620 wrote to memory of 2416	2620	DEME2D0.exe	33
PID 2620 wrote to memory of 2416	2620	DEME2D0.exe	33
PID 2620 wrote to memory of 2416	2620	DEME2D0.exe	33
PID 2416 wrote to memory of 2656	2416	DEM3830.exe	35
PID 2416 wrote to memory of 2656	2416	DEM3830.exe	35
PID 2416 wrote to memory of 2656	2416	DEM3830.exe	35
PID 2416 wrote to memory of 2656	2416	DEM3830.exe	35
PID 2656 wrote to memory of 1916	2656	DEM8DBF.exe	37
PID 2656 wrote to memory of 1916	2656	DEM8DBF.exe	37
PID 2656 wrote to memory of 1916	2656	DEM8DBF.exe	37
PID 2656 wrote to memory of 1916	2656	DEM8DBF.exe	37
PID 1916 wrote to memory of 1908	1916	DEME38C.exe	39
PID 1916 wrote to memory of 1908	1916	DEME38C.exe	39
PID 1916 wrote to memory of 1908	1916	DEME38C.exe	39
PID 1916 wrote to memory of 1908	1916	DEME38C.exe	39
PID 1908 wrote to memory of 2896	1908	DEM392A.exe	41
PID 1908 wrote to memory of 2896	1908	DEM392A.exe	41
PID 1908 wrote to memory of 2896	1908	DEM392A.exe	41
PID 1908 wrote to memory of 2896	1908	DEM392A.exe	41

C:\Users\Admin\AppData\Local\Temp\6829cd44c4455b477d6b05d169164f42_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6829cd44c4455b477d6b05d169164f42_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\DEME2D0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME2D0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\DEM3830.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM3830.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\DEM8DBF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM8DBF.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\DEME38C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME38C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1916
      - C:\Users\Admin\AppData\Local\Temp\DEM392A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM392A.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\DEM8E7A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8E7A.exe"
        7⤵
        Executes dropped EXE
        
        PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3830.exe

Filesize
14KB

MD5
53dcd66100a18f1f264bbcfa8c1dd53c

SHA1
5952e64fb768c4918945bedb429a46be1a88cdc2

SHA256
c17d1c3f64ec823fad86c9731b681d89b03bba01ffc117aae11a1da3ce593b06

SHA512
a29e241c86f630784b0480a6b14c59117783a17ede748ebf4da25f7eedbc23e4d25b0bb2cf642a113b07305fe60dc08f13cfed6ad97a69d8e8b7f1612732d96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM392A.exe

Filesize
15KB

MD5
282b302e05f0165333adf838a9f83c2d

SHA1
1479ab40a68a9cdd3eb46865f031155fbf740928

SHA256
a35391b523db58510a90bfe5375fab763a3b0319636cdd5df3204a6a0e196095

SHA512
c7bb3e96711df726f29357fb5e06b65271f6f5a5c89777a7fd3534b65439d5db1a7cfab647439e3c5d9fa99079aecae5690609ab0115d9928ea5d3973ad03d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME2D0.exe

Filesize
14KB

MD5
79776dd8dcccf3c29cbdaf05d80d8e0e

SHA1
39cfec99a5d60398f1b53dba9dd211352d75afbb

SHA256
d3169736bad023c4d30eab4e51a5b99b707d5436269aa90d370aa95079022b02

SHA512
9bc41a1995c30c65dbc9df90e5cd2a52ad6604c1de23b3d93b6ff9643af203035039e0c5936734ea348508e4c7079241425289cb087a253fa41e1a77f1f6a832

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8DBF.exe

Filesize
15KB

MD5
c45f0085b282954e78be1ea474918a4a

SHA1
79c7d4504b270b3440806683389605c34719a9b0

SHA256
5054222f99ef6e405ee939e46bf77071a1c5c8da466baefe5153d2f1a52704fb

SHA512
f73947e47314f5358ea5cb26f0fd42c41acbb7f4c1ca1946d2c58affe51e538de41650466ed11eca2a5b974fc21342f58eeb03a3fa1cc5aa71f17146d2efb710

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8E7A.exe

Filesize
15KB

MD5
52317a8758f974724b03b905d60d4381

SHA1
e9e4b9ef7a2abea973fadab6d6f454d2996df022

SHA256
47fd6b2fdde1e349c5caf137b5fd96918f731922c7de5101f3f285998c52ddc4

SHA512
59496df9cdd221d37ff0ec0dc98591b2711242f14d5e42b3ca54c6043cbb1f238c58d53781cc23045e8ccf2a5c958894e88727f67036e97566e8341fc3522c21

Download Submit
\Users\Admin\AppData\Local\Temp\DEME38C.exe

Filesize
15KB

MD5
14ca84bc165ab8ff8a49fe2f98b11f41

SHA1
77d1ec0ac492fe026f7f02880d82082669f89049

SHA256
8af24cc590dd72e971872f23936a353e23951012c98cd059f9d68a1de41de4fe

SHA512
926ca6bdd33538cae831d8e87dafe89f8d944df7526b6ab3e00c45902314c3a16447a2623991f20ea5000fa157d82aca185c0bc3d40873055da8309533e111af

Download Submit

Analysis

Sharing