b0b1e4c19d83e28b2ee2fd347d7047a090d7a03b33c3cfe57ec540841b9c18a9

General

Target

77ed125edd6928df9f4d00aca9126624_JaffaCakes118.exe
Size

14KB
MD5

77ed125edd6928df9f4d00aca9126624
SHA1

638713255e43437fa7ce91f24426f1fc195b43a5
SHA256

b0b1e4c19d83e28b2ee2fd347d7047a090d7a03b33c3cfe57ec540841b9c18a9
SHA512

f3bc70fc1549580fdaf2a5edda5afa185d89ff5ab417c9d6fc8e21caf296511af54716eaa12ea84c8135bf2be4cd106a84e2de9f9809b2e790aa4bb96d73e638
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl5:hDXWipuE+K3/SSHgxml5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2716	DEMB25E.exe
2632	DEM78F.exe
2228	DEM5D6C.exe
1884	DEMB2CB.exe
1904	DEM81C.exe
2132	DEM5E17.exe

Loads dropped DLL 6 IoCs

pid	Process
2944	77ed125edd6928df9f4d00aca9126624_JaffaCakes118.exe
2716	DEMB25E.exe
2632	DEM78F.exe
2228	DEM5D6C.exe
1884	DEMB2CB.exe
1904	DEM81C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5D6C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB2CB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM81C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77ed125edd6928df9f4d00aca9126624_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB25E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM78F.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2716	2944	77ed125edd6928df9f4d00aca9126624_JaffaCakes118.exe	32
PID 2944 wrote to memory of 2716	2944	77ed125edd6928df9f4d00aca9126624_JaffaCakes118.exe	32
PID 2944 wrote to memory of 2716	2944	77ed125edd6928df9f4d00aca9126624_JaffaCakes118.exe	32
PID 2944 wrote to memory of 2716	2944	77ed125edd6928df9f4d00aca9126624_JaffaCakes118.exe	32
PID 2716 wrote to memory of 2632	2716	DEMB25E.exe	34
PID 2716 wrote to memory of 2632	2716	DEMB25E.exe	34
PID 2716 wrote to memory of 2632	2716	DEMB25E.exe	34
PID 2716 wrote to memory of 2632	2716	DEMB25E.exe	34
PID 2632 wrote to memory of 2228	2632	DEM78F.exe	36
PID 2632 wrote to memory of 2228	2632	DEM78F.exe	36
PID 2632 wrote to memory of 2228	2632	DEM78F.exe	36
PID 2632 wrote to memory of 2228	2632	DEM78F.exe	36
PID 2228 wrote to memory of 1884	2228	DEM5D6C.exe	38
PID 2228 wrote to memory of 1884	2228	DEM5D6C.exe	38
PID 2228 wrote to memory of 1884	2228	DEM5D6C.exe	38
PID 2228 wrote to memory of 1884	2228	DEM5D6C.exe	38
PID 1884 wrote to memory of 1904	1884	DEMB2CB.exe	40
PID 1884 wrote to memory of 1904	1884	DEMB2CB.exe	40
PID 1884 wrote to memory of 1904	1884	DEMB2CB.exe	40
PID 1884 wrote to memory of 1904	1884	DEMB2CB.exe	40
PID 1904 wrote to memory of 2132	1904	DEM81C.exe	42
PID 1904 wrote to memory of 2132	1904	DEM81C.exe	42
PID 1904 wrote to memory of 2132	1904	DEM81C.exe	42
PID 1904 wrote to memory of 2132	1904	DEM81C.exe	42

C:\Users\Admin\AppData\Local\Temp\77ed125edd6928df9f4d00aca9126624_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\77ed125edd6928df9f4d00aca9126624_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\DEMB25E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB25E.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\DEM78F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM78F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\DEM5D6C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5D6C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Users\Admin\AppData\Local\Temp\DEMB2CB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB2CB.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1884
      - C:\Users\Admin\AppData\Local\Temp\DEM81C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM81C.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\DEM5E17.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5E17.exe"
        7⤵
        Executes dropped EXE
        
        PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5D6C.exe

Filesize
14KB

MD5
96e78a73d19f600de3eb4f732f46b220

SHA1
7aa528a8bb0dc600112828941dfa94c84dfe7914

SHA256
e3272652c1499e4d2b9945ee06b3dd4c6b3c1e37c6d5a080ed2a334c2dfe52ca

SHA512
881f233139edfb3d9323bdf7a7ebb235450dea51167096544124bcafaf295543478cc978d68fafa03d1c578972c25a582c3ef2180293a0f4e83edce94ee59182

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM78F.exe

Filesize
14KB

MD5
0edeca8711f4f850b79bb0afe6f92dc1

SHA1
11ddf4bc7b87e507a10af8af53b7da24ddcde2a6

SHA256
2a1ef7a1534f15c4b0fe13f83c8fce2b624370014554164dea827e44d23a4701

SHA512
1dce91b87023a26e6aa340d0ec5256def7e8b83d7f5152958961935948b9504d682b7beab172569b32e7ee5c6d9b50fdd764c7032cd46ff0940aad4232fbd2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB25E.exe

Filesize
14KB

MD5
c96970256ac5fe25446eb1a771638eae

SHA1
2ca305ddc67c5cac21cba805e9487289ac814761

SHA256
c62bcef76159fc9c11b65b1a5054218a0dc415f70b0a212deb37d94d479399c9

SHA512
6e92fc7bc5878f8baf3d89038d2c64202e3e98b4e77bcd79e7217b4dc368bb74ab1a317d8a38928f39e640f43fa3639e93f30cdfb866dd240fd56f46f4d28b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB2CB.exe

Filesize
14KB

MD5
94f9549de9bdfb2fb57d883f888aad04

SHA1
3cd5036c59e3c0d2fd2a4b5aaa69de36dfce89e7

SHA256
eb94657af2eaf7b4f13c376ccc633b659092fdd1156f0424a1eae3f47ab8cd8a

SHA512
44dd0265049ab638338ffa9f7c51773bd2c5c8dc35d0879aa823c7eb81268b66681ec9ceb0db95456786dc87f4ef3e0547aad81d275b33089891c30197f2073e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5E17.exe

Filesize
14KB

MD5
db0be3f1f990cc3dbff6134c10fd6273

SHA1
026ca11dfba742345339a509212728628a4c10c4

SHA256
8350e27b02c0e1e1cf1d00f3bb623f4655de996fb35150070937d384300a716a

SHA512
e05fa2925fc32bca17bb91c745aef8d09301884becd15e99b698568dba48d3a01fd07a3fa1a9b84d1ec8f656d9cba09eafdf5025d82787e3be8e7425e8aec8df

Download Submit
\Users\Admin\AppData\Local\Temp\DEM81C.exe

Filesize
14KB

MD5
6de5a3e093c9a55abfdd3ec12db6d58e

SHA1
8f9a5d0ac55391aadca7190662c372d653ae9f42

SHA256
c2cf04f2081860ee7b8d697e932137f9930999f6bc911ed0ecca3dfa6fce1e8b

SHA512
a6456194308f5b73b366bce25181fc61e95bc8436d8f3e648da26b5f386cedff0cea7143efe499efd5640616ee6b722a0abdf54242d7fdb563bbdb84d2b669b1

Download Submit

Analysis

Sharing