0db28235d04adcc9a9ac5c700ba85985c3ce8312390e94d588404756feb6d1f1

General

Target

6a75e303a9f3164de37fea71fcc61c7c_JaffaCakes118.exe
Size

14KB
MD5

6a75e303a9f3164de37fea71fcc61c7c
SHA1

77e61eede75b8c544b824f24a33e946cb26d3bf3
SHA256

0db28235d04adcc9a9ac5c700ba85985c3ce8312390e94d588404756feb6d1f1
SHA512

d30f504be45a41479565f4e78fcc24e0272a1098820cf96a20f29fbf2c492f95698600f542e8d0e54d39e5936814d60099f3bfbffac3e36e503e8c8233a9f071
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhw:hDXWipuE+K3/SSHgxy

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2288	DEMCD7C.exe
2932	DEM2378.exe
2600	DEM78C8.exe
1676	DEMCE18.exe
284	DEM2379.exe
2944	DEM7964.exe

Loads dropped DLL 6 IoCs

pid	Process
2528	6a75e303a9f3164de37fea71fcc61c7c_JaffaCakes118.exe
2288	DEMCD7C.exe
2932	DEM2378.exe
2600	DEM78C8.exe
1676	DEMCE18.exe
284	DEM2379.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a75e303a9f3164de37fea71fcc61c7c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCD7C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2378.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM78C8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCE18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2379.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2288	2528	6a75e303a9f3164de37fea71fcc61c7c_JaffaCakes118.exe	32
PID 2528 wrote to memory of 2288	2528	6a75e303a9f3164de37fea71fcc61c7c_JaffaCakes118.exe	32
PID 2528 wrote to memory of 2288	2528	6a75e303a9f3164de37fea71fcc61c7c_JaffaCakes118.exe	32
PID 2528 wrote to memory of 2288	2528	6a75e303a9f3164de37fea71fcc61c7c_JaffaCakes118.exe	32
PID 2288 wrote to memory of 2932	2288	DEMCD7C.exe	34
PID 2288 wrote to memory of 2932	2288	DEMCD7C.exe	34
PID 2288 wrote to memory of 2932	2288	DEMCD7C.exe	34
PID 2288 wrote to memory of 2932	2288	DEMCD7C.exe	34
PID 2932 wrote to memory of 2600	2932	DEM2378.exe	36
PID 2932 wrote to memory of 2600	2932	DEM2378.exe	36
PID 2932 wrote to memory of 2600	2932	DEM2378.exe	36
PID 2932 wrote to memory of 2600	2932	DEM2378.exe	36
PID 2600 wrote to memory of 1676	2600	DEM78C8.exe	38
PID 2600 wrote to memory of 1676	2600	DEM78C8.exe	38
PID 2600 wrote to memory of 1676	2600	DEM78C8.exe	38
PID 2600 wrote to memory of 1676	2600	DEM78C8.exe	38
PID 1676 wrote to memory of 284	1676	DEMCE18.exe	40
PID 1676 wrote to memory of 284	1676	DEMCE18.exe	40
PID 1676 wrote to memory of 284	1676	DEMCE18.exe	40
PID 1676 wrote to memory of 284	1676	DEMCE18.exe	40
PID 284 wrote to memory of 2944	284	DEM2379.exe	42
PID 284 wrote to memory of 2944	284	DEM2379.exe	42
PID 284 wrote to memory of 2944	284	DEM2379.exe	42
PID 284 wrote to memory of 2944	284	DEM2379.exe	42

C:\Users\Admin\AppData\Local\Temp\6a75e303a9f3164de37fea71fcc61c7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6a75e303a9f3164de37fea71fcc61c7c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\DEMCD7C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCD7C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\DEM2378.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM2378.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\DEM78C8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM78C8.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Users\Admin\AppData\Local\Temp\DEMCE18.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCE18.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Users\Admin\AppData\Local\Temp\DEM2379.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2379.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\DEM7964.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7964.exe"
        7⤵
        Executes dropped EXE
        
        PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2378.exe

Filesize
14KB

MD5
36439b8fa143ac21ba3a9b38a2720292

SHA1
cb380294e4dda1303ae605d7e4a680a65ee0e8b7

SHA256
e8d8d506aa64b30237b33511884e8c3da2afd5c3ee9ef580c21e8b669cd973cc

SHA512
92430816824396360ae3ceb1a6e92848cac84f3c7e3f7d3c2c56e73988b0e80bc7fa8abfb88dcd9ccb5c01a1d95b4c91fa27d8cfd61fa1369354e989551d87d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCD7C.exe

Filesize
14KB

MD5
f2d52aaa342c37268792004823e5350b

SHA1
9866705035df818acc826a492e5b0bc03edb20f4

SHA256
5d4b793d13a09f0037d2a97c50f32664f8ef888b93b234090b16544a083707b7

SHA512
3c400518de8b41a70a17f0f515ed83b7457292b86c9e1ef8b4c147477f2616fe6466e82d1b97d23dddc8890fcbff6d575897f3830454e616d3c6ee0997aadb7e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2379.exe

Filesize
14KB

MD5
8e3e5cb865d5736ed8c689e09ba114c1

SHA1
a04bfa208f08920af9bd32322dfa0ccce4e3d46c

SHA256
ae3755d3817a88cb89a630ebe89584ec51d2d17b38f5447bd2d21e00bf3a09e2

SHA512
98784f754bcea9211f6bc4aee6523316566e48cbccf7a7eaffdb5f00c2ede8fd32ecc53d0e0363f43564c475684aea7e622dd6f7e94b9b57a0074762756d99d5

Download Submit
\Users\Admin\AppData\Local\Temp\DEM78C8.exe

Filesize
14KB

MD5
d4ed8bdfc1ba2e35393178f398fec348

SHA1
fe2eb359cedf54d655f46bcc67d4ec99bd454c96

SHA256
258c9446a97ee250497238c4839bf95f0efb9c0178dc1326ba0ca32b1452f170

SHA512
708f86206756043cfe46bdc4f08fb9ada7c5281efd26f798526eba8a731530dfd3b1726355d5cbfdd85ea60bd77a2a1e74af6ddf14bf0b3f8ef418af0f9d6b10

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7964.exe

Filesize
14KB

MD5
1ded2df7afd30043d12b02219980286d

SHA1
ee6864ad30ac339c3dc062d8c6d9730164eb9f28

SHA256
7d62459df0d140f8631caf0884000630f209f9272c776bfaf5a49fd89b122507

SHA512
6b571ddd3992de1958d6d11d8b8e6418b940a4f1c1304686dfcc1617112cf26112c75442992cbce827f358e0aaa6d4b95b818104c0c6906b6e1778262b0d309f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCE18.exe

Filesize
14KB

MD5
757290453b03252104267bd33087bdd7

SHA1
ab922ab868334af63c26e019a9fe60b11b3239a9

SHA256
b883813002069670ad434b7a2775c5d07b72125aa43264a7796ba3b601059434

SHA512
cf9df000c542d823de927de20c53d7252309ce26d57af7d492968de80a1ef2db4748e584f3ce453c6ec80e9d4aa7a3bcc79a9ab5310fa297d4201f64bfc02e77

Download Submit

Analysis

Sharing