c5dd06bd644b18281fb1a83de17a7271cacc509aefb23c22604d54b8336a106d

General

Target

6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
Size

14KB
MD5

6f2144faca22863ea5b92ebc6af77e14
SHA1

cbc04bfec881f63ca60ede00ad12e87d1dd27a96
SHA256

c5dd06bd644b18281fb1a83de17a7271cacc509aefb23c22604d54b8336a106d
SHA512

850f03d135ece20c49d253cce90a7cd582877b4545380df41f0e3c28865964c2b839796f6daa52a5e7085797b86c89fc15bec6d02e88b61a7efbdc127104faa1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0m:hDXWipuE+K3/SSHgx9

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2896	DEM739A.exe
576	DEMC909.exe
3028	DEM1E3A.exe
2392	DEM736B.exe
2220	DEMC89C.exe
2016	DEM1DFC.exe

Loads dropped DLL 6 IoCs

pid	Process
2752	6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
2896	DEM739A.exe
576	DEMC909.exe
3028	DEM1E3A.exe
2392	DEM736B.exe
2220	DEMC89C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM739A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC909.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1E3A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM736B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC89C.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2896	2752	6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe	31
PID 2752 wrote to memory of 2896	2752	6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe	31
PID 2752 wrote to memory of 2896	2752	6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe	31
PID 2752 wrote to memory of 2896	2752	6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe	31
PID 2896 wrote to memory of 576	2896	DEM739A.exe	34
PID 2896 wrote to memory of 576	2896	DEM739A.exe	34
PID 2896 wrote to memory of 576	2896	DEM739A.exe	34
PID 2896 wrote to memory of 576	2896	DEM739A.exe	34
PID 576 wrote to memory of 3028	576	DEMC909.exe	36
PID 576 wrote to memory of 3028	576	DEMC909.exe	36
PID 576 wrote to memory of 3028	576	DEMC909.exe	36
PID 576 wrote to memory of 3028	576	DEMC909.exe	36
PID 3028 wrote to memory of 2392	3028	DEM1E3A.exe	38
PID 3028 wrote to memory of 2392	3028	DEM1E3A.exe	38
PID 3028 wrote to memory of 2392	3028	DEM1E3A.exe	38
PID 3028 wrote to memory of 2392	3028	DEM1E3A.exe	38
PID 2392 wrote to memory of 2220	2392	DEM736B.exe	40
PID 2392 wrote to memory of 2220	2392	DEM736B.exe	40
PID 2392 wrote to memory of 2220	2392	DEM736B.exe	40
PID 2392 wrote to memory of 2220	2392	DEM736B.exe	40
PID 2220 wrote to memory of 2016	2220	DEMC89C.exe	42
PID 2220 wrote to memory of 2016	2220	DEMC89C.exe	42
PID 2220 wrote to memory of 2016	2220	DEMC89C.exe	42
PID 2220 wrote to memory of 2016	2220	DEMC89C.exe	42

C:\Users\Admin\AppData\Local\Temp\6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\Temp\DEM739A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM739A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\DEMC909.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC909.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Users\Admin\AppData\Local\Temp\DEM1E3A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1E3A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Users\Admin\AppData\Local\Temp\DEM736B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM736B.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Users\Admin\AppData\Local\Temp\DEMC89C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC89C.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\DEM1DFC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1DFC.exe"
        7⤵
        Executes dropped EXE
        
        PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM739A.exe

Filesize
14KB

MD5
944c3e7e2946e7c9407f278901086da0

SHA1
29a0847bfee07ef016ca888b0c77a2244ffa3267

SHA256
3b186206e00d9afe076498b0b3aa7e2d442c91a70fae20dc316a89077f027fa5

SHA512
e13c3026825f05c06f3c76cb6ed5f9b1b4333f92444c9d94372bf8381248d9d4a1289b5670455c7754c6e45bc85e92c22422af13aa9523ce0e620979bd87e634

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC909.exe

Filesize
14KB

MD5
8e1ebc5d4b392c2561b84e764fd3cef8

SHA1
d41657dfa53856def5dc612e7912c04a67ddca7d

SHA256
ac10da42ae27b9fe38af10d1c9a25db37140e910ecd980a148a2c5ba434a6156

SHA512
3cceff694a6a09b10dd070488585b3a96b729c50d90d30ab96fa7ef61261145b3f11e14b4424fb2ff06351cc79d5f254d8740a37e9f3c0b5d4147fe9b627c275

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1DFC.exe

Filesize
14KB

MD5
76817db38cd6af980b8d0ae868f15f9e

SHA1
6848cedcce6157a1da4e6241f80e1088f5ce579b

SHA256
065256ec1514ecf7e32d4380c1a71b8045f58882bc5e2b8c394b9988f07c5d4c

SHA512
81383371e3dee986a6495fe66c4cd35b9b32dede6435aa0a04a53cc3e92243584fda5c2011cc29254bc18073743cddbe6ed7eb47d88f11ad8e6531267f414516

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1E3A.exe

Filesize
14KB

MD5
68711a0776ed107377eea25800c1ff95

SHA1
711f4b375715947e15f38433a2abaae2c60f5e21

SHA256
9dfd60ac34cc4a1c08a804602afcd70275f05e68d3a96ae0261a782dc38b5e5e

SHA512
13b9b08479eab0d451a573c80484bff61fd4d13f4b54bfb7e91e7d2283bd07a64229d848ed34abb75347d6f07c5120d311e23f72d47d59cd17c8b1f64670fd5b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM736B.exe

Filesize
14KB

MD5
2430a5742d11cc13fa6b078cd80458a0

SHA1
03a34ada4275da9036412eed69259db56d413eb8

SHA256
6baa634252a3d0b536974a0c70884c77e611cae9ca3779ac531ac640f305fcf5

SHA512
39f90f3289647a7cfc1433c3481f8484befdc1d4c1836b8e5925a745b69e643bc600b0cd4795898dade98730f2ee6918c8b6e9262fdc9b0e8eb53b0c6320ddcc

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC89C.exe

Filesize
14KB

MD5
0af0cbbb10c0b4323e085b11defc2b79

SHA1
e5c49c55cad4a66379977e9ba1c8dcc3e82d19bf

SHA256
5154de62eb2df0251571094a5f21e01e92a9e826e1d8f1665862feef76c1d7a8

SHA512
c0ced697771b01e39dde0e158826cd548d0625d825ef309d45bbba3ee854ffbeb51f4c632299799d3b5f4514e43794e0d9b6b106a4bf5cb469bafab9e5a31128

Download Submit

Analysis

Sharing