45f71649cd81394ee497c2b16f82c1126275b689181b062a25a3d8276e4e36b2

General

Target

7215a779fc6e0554b7d9fef9737e56ec_JaffaCakes118.exe
Size

15KB
MD5

7215a779fc6e0554b7d9fef9737e56ec
SHA1

74aac8a6e9befcf41551a134ac402904d51fc92f
SHA256

45f71649cd81394ee497c2b16f82c1126275b689181b062a25a3d8276e4e36b2
SHA512

fff2fe442a392830cc194fe2ea16cc2771025b6878e609730eff165c873918407b6221fa0ed93f65496c704fada54228b50e32d2bd501d86280d36edf1b44e9d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlcU:hDXWipuE+K3/SSHgxmlcU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2956	DEMD5F5.exe
2932	DEM2BA2.exe
1736	DEM8121.exe
1208	DEMD70E.exe
1432	DEM2C8C.exe
2524	DEM81FC.exe

Loads dropped DLL 6 IoCs

pid	Process
2712	7215a779fc6e0554b7d9fef9737e56ec_JaffaCakes118.exe
2956	DEMD5F5.exe
2932	DEM2BA2.exe
1736	DEM8121.exe
1208	DEMD70E.exe
1432	DEM2C8C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2BA2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD70E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2C8C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7215a779fc6e0554b7d9fef9737e56ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD5F5.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2956	2712	7215a779fc6e0554b7d9fef9737e56ec_JaffaCakes118.exe	32
PID 2712 wrote to memory of 2956	2712	7215a779fc6e0554b7d9fef9737e56ec_JaffaCakes118.exe	32
PID 2712 wrote to memory of 2956	2712	7215a779fc6e0554b7d9fef9737e56ec_JaffaCakes118.exe	32
PID 2712 wrote to memory of 2956	2712	7215a779fc6e0554b7d9fef9737e56ec_JaffaCakes118.exe	32
PID 2956 wrote to memory of 2932	2956	DEMD5F5.exe	34
PID 2956 wrote to memory of 2932	2956	DEMD5F5.exe	34
PID 2956 wrote to memory of 2932	2956	DEMD5F5.exe	34
PID 2956 wrote to memory of 2932	2956	DEMD5F5.exe	34
PID 2932 wrote to memory of 1736	2932	DEM2BA2.exe	36
PID 2932 wrote to memory of 1736	2932	DEM2BA2.exe	36
PID 2932 wrote to memory of 1736	2932	DEM2BA2.exe	36
PID 2932 wrote to memory of 1736	2932	DEM2BA2.exe	36
PID 1736 wrote to memory of 1208	1736	DEM8121.exe	38
PID 1736 wrote to memory of 1208	1736	DEM8121.exe	38
PID 1736 wrote to memory of 1208	1736	DEM8121.exe	38
PID 1736 wrote to memory of 1208	1736	DEM8121.exe	38
PID 1208 wrote to memory of 1432	1208	DEMD70E.exe	40
PID 1208 wrote to memory of 1432	1208	DEMD70E.exe	40
PID 1208 wrote to memory of 1432	1208	DEMD70E.exe	40
PID 1208 wrote to memory of 1432	1208	DEMD70E.exe	40
PID 1432 wrote to memory of 2524	1432	DEM2C8C.exe	42
PID 1432 wrote to memory of 2524	1432	DEM2C8C.exe	42
PID 1432 wrote to memory of 2524	1432	DEM2C8C.exe	42
PID 1432 wrote to memory of 2524	1432	DEM2C8C.exe	42

C:\Users\Admin\AppData\Local\Temp\7215a779fc6e0554b7d9fef9737e56ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7215a779fc6e0554b7d9fef9737e56ec_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Local\Temp\DEMD5F5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMD5F5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\DEM2BA2.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM2BA2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\DEM8121.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM8121.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Users\Admin\AppData\Local\Temp\DEMD70E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD70E.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1208
      - C:\Users\Admin\AppData\Local\Temp\DEM2C8C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2C8C.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\DEM81FC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM81FC.exe"
        7⤵
        Executes dropped EXE
        
        PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2BA2.exe

Filesize
15KB

MD5
6cdf31a99a05f71a8aa96fe26a49b01c

SHA1
cce93dffb8b8277ba064a21f42e27cd7066539c5

SHA256
859e96f800550726e935e9a3c1192234f8753fbd0c3d1e5ad25e6bb73bcb1a9f

SHA512
b9386c46e7ce27f4ad1343c267595cc7d54b1af302764d0ca62db9ac29bebb19041c79587dbd08348de6d7e0e4fc778169dcea9f84912b1ef8bd6cb2cf21e110

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8121.exe

Filesize
15KB

MD5
1dddc3b14279a06a910b4698a5d92a1c

SHA1
ea6300a9682ee484c5a8364f7f9fc0028f6d47ee

SHA256
03a7779e6e8fb034feb60c43c6207d12cc29e83083b53133109c47fb9d18764e

SHA512
6279962448785f9b5590bd824eff3359b0053cc64cd7132d20865f362eae1c7623601ae87c1f1691ec3602ce86e010d9176edcdbaadcf8c0f3045226e5c484cf

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2C8C.exe

Filesize
15KB

MD5
02e8f53878cb550bb5e065f441626f08

SHA1
9d8a622deb595d9f741a2d8df444076305522dbe

SHA256
8c1a8d02ab2070ab7725ecd607980572f3e8ee45d6f11dc7fa076f95c7dec66f

SHA512
17ae465d7a055dfca3a2730b2940f687509871a014b9b199a0145088ff1e22d7264ac63c5b914a6fb0bf5b6dda0cacd3d61a500ed7b2e9e317b6d284a18e983e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM81FC.exe

Filesize
15KB

MD5
2c76567e0f1a9343f3b5e019c584942c

SHA1
b6e458d4f27ce08b053cb8c32a6ce5d23baa81b9

SHA256
7495a98b6323c1de91d26a886bbb576655f8decc4ebafb4cd7335109a174b3ff

SHA512
718df551cf20797d80ef9f4cb7beef94a6979bc7205bab07c07433fe5bd80afdfdcf1b21bb3ae19cae9f190760cfad784c4881876c75e5b2146228fed2cfd9ae

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD5F5.exe

Filesize
15KB

MD5
5aa5a6da91e109e9ee18a8db7c44dfc7

SHA1
4c581896dc9446a5674d83a3bacf3df6d2dad82d

SHA256
2914805fb021980aa40d8a16331be677f92ddf31823c5823202df62c4d4f7940

SHA512
df4c418c9611d488f8140d7796dbdcba65b4525f374e0168c5d25d5fc84df0f54a141d23783ad1de842d3095d58b866e4b44d9be54abb39bd4776a1f7c9ff100

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD70E.exe

Filesize
15KB

MD5
003a338a5ec3697a15a16d40e5c40c55

SHA1
83581ab664044aeefe9870dba9c2c1366a3dc07a

SHA256
0a582676d583e83d56384336b215da61c4c007213bb2e3cb55e9b6fad91572f9

SHA512
679346557db5d6c1a8d084d876455074b77b61c071436801c96cdd46d5c96ab8c2356341f03c10bb1478e86a27e823b214b5c1773b2a1568cadef8bb81a4f3a3

Download Submit

Analysis

Sharing