9ead0f018f36b74089aeb744169e5f2bc04e522fcc005e291bedf3c57f48cb66

General

Target

7414195f40555e41659f46399e6368e1_JaffaCakes118.exe
Size

15KB
MD5

7414195f40555e41659f46399e6368e1
SHA1

519ba935c1d454ba4e75804d507ad10f48408a8d
SHA256

9ead0f018f36b74089aeb744169e5f2bc04e522fcc005e291bedf3c57f48cb66
SHA512

df38f01dc61a1099a9f2d7952059375a764b1704dba16d1334c24cf6479d1e2c4f581c41b556c84c665613afe22127e63e74bf566cf7dc8edb21eda369625134
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYKB2HE:hDXWipuE+K3/SSHgxmKEk

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2096	DEMDD06.exe
2584	DEM32F2.exe
2984	DEM8833.exe
1884	DEMDD83.exe
2472	DEM3302.exe
2180	DEM8871.exe

Loads dropped DLL 6 IoCs

pid	Process
2272	7414195f40555e41659f46399e6368e1_JaffaCakes118.exe
2096	DEMDD06.exe
2584	DEM32F2.exe
2984	DEM8833.exe
1884	DEMDD83.exe
2472	DEM3302.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7414195f40555e41659f46399e6368e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDD06.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM32F2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8833.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDD83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3302.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2096	2272	7414195f40555e41659f46399e6368e1_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2096	2272	7414195f40555e41659f46399e6368e1_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2096	2272	7414195f40555e41659f46399e6368e1_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2096	2272	7414195f40555e41659f46399e6368e1_JaffaCakes118.exe	32
PID 2096 wrote to memory of 2584	2096	DEMDD06.exe	34
PID 2096 wrote to memory of 2584	2096	DEMDD06.exe	34
PID 2096 wrote to memory of 2584	2096	DEMDD06.exe	34
PID 2096 wrote to memory of 2584	2096	DEMDD06.exe	34
PID 2584 wrote to memory of 2984	2584	DEM32F2.exe	36
PID 2584 wrote to memory of 2984	2584	DEM32F2.exe	36
PID 2584 wrote to memory of 2984	2584	DEM32F2.exe	36
PID 2584 wrote to memory of 2984	2584	DEM32F2.exe	36
PID 2984 wrote to memory of 1884	2984	DEM8833.exe	38
PID 2984 wrote to memory of 1884	2984	DEM8833.exe	38
PID 2984 wrote to memory of 1884	2984	DEM8833.exe	38
PID 2984 wrote to memory of 1884	2984	DEM8833.exe	38
PID 1884 wrote to memory of 2472	1884	DEMDD83.exe	40
PID 1884 wrote to memory of 2472	1884	DEMDD83.exe	40
PID 1884 wrote to memory of 2472	1884	DEMDD83.exe	40
PID 1884 wrote to memory of 2472	1884	DEMDD83.exe	40
PID 2472 wrote to memory of 2180	2472	DEM3302.exe	42
PID 2472 wrote to memory of 2180	2472	DEM3302.exe	42
PID 2472 wrote to memory of 2180	2472	DEM3302.exe	42
PID 2472 wrote to memory of 2180	2472	DEM3302.exe	42

C:\Users\Admin\AppData\Local\Temp\7414195f40555e41659f46399e6368e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7414195f40555e41659f46399e6368e1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\DEMDD06.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMDD06.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\DEM32F2.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM32F2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\DEM8833.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM8833.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Users\Admin\AppData\Local\Temp\DEMDD83.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDD83.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1884
      - C:\Users\Admin\AppData\Local\Temp\DEM3302.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3302.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\DEM8871.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8871.exe"
        7⤵
        Executes dropped EXE
        
        PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM32F2.exe

Filesize
15KB

MD5
e82bd3dca4e19f18d79234cfad34846e

SHA1
5f9d606bd33d7a47c4d46ab549203aaca17b019a

SHA256
4ae978cc073383a3a6b246d82c705618f52699954b7b64c0cbbbd0b59bf14efe

SHA512
aea3720995b986d6bc3737bfe10719489205ae9b5fadae5e49761b4af9f34ac0ceddabbe430127191868043957c9eadc4a882e3966c94b289f2d3cb5a75fcbb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8871.exe

Filesize
15KB

MD5
654fb3788f8ae88c2d35cc24e269a075

SHA1
d679aac889b52f69101601b656a09d21f3be059d

SHA256
15e76dc5f259894869fea28c4eedc08ad94a330b0ef401a7e74138ff330f0e1c

SHA512
294b0975dafa398b90a9277c930d2c147c73245f29c4e83720011ee95fbf2275d5a202dfac4c6240bb8da0c48d9bf333383b1800a6c0a01d189ec1d99e95ddbe

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3302.exe

Filesize
15KB

MD5
69bfe0e87c4b237548553e586a68561f

SHA1
cda3cf990ed8707ae4be83502cb3202b03c1f618

SHA256
d201c410b0f0a7f5d97b0c524bf07e3749249fb74390586a62ad1f56c06b7ac8

SHA512
b8ad13edc08c158702f8a63b8596baf72d5f163c7071f061db606844989b9a6627989b38b92d20c46d9d2526f0f3934e63f2f96a9e5973dde9e59a307639a107

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8833.exe

Filesize
15KB

MD5
6644d883f51e08cce53a9496b3ecab17

SHA1
98ad3dfbff895bb07b2c93248c5fe15e0277399b

SHA256
3fb7a89f0adf542b43653fb1c81949afe8e5f67b93a6c20135a91acdf200350a

SHA512
b1247eeb7a202c8cc5023e12050fef5081d282e0c5060a253ee491ce92c9a07f96f597924fe1e61d41efe2b6ecca2a78864f263e4d74c9df07277dcda500554a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDD06.exe

Filesize
15KB

MD5
d1067510e261d9cec919d660bc53de0c

SHA1
856f6cd532aeeb8bf0526db33016d08e96065fa5

SHA256
1823cd2512630d85475d9fa02014eab04ac906f20903b123c20a94e762f6ead6

SHA512
84a301e9c79267014b078f4e0dcace87932059528a2586f3ea91175ac18bf075c5866e617294619572ed9013583f41dd720b75773282fa94a3c22b10843cc4e3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDD83.exe

Filesize
15KB

MD5
5b5a7e8a60c7540292f3b042604bbe5c

SHA1
5c2726daccc070407d752a79958fe6bcaa0e5993

SHA256
f5e4c82d79248a401a4935c444e34e7321bbcec719f514144c4f7badde1786fa

SHA512
34f1a0e1571dfb4ad2e9266421b8e63fb68bc26cb0236a313f8e883b3d25a765adadde1600b4b264bef0dd237c0814948f5f9b70cd0b8547671ff53b7dca63d8

Download Submit

Analysis

Sharing