05d12e622222d17ce95c225f55caf4891736ccc31b78fd5df11fe2f0a7dc47da

General

Target

8817a856cc1c2f87296ba8b5f6080216_JaffaCakes118.exe
Size

14KB
MD5

8817a856cc1c2f87296ba8b5f6080216
SHA1

53cffef79b74a23bbf820a7b9e4ae726dd576859
SHA256

05d12e622222d17ce95c225f55caf4891736ccc31b78fd5df11fe2f0a7dc47da
SHA512

e92220590956f0c0606aa2f4445140e524064105837d9cc908022633956d297797f040e3c48e8165c79b7a9be51df99d4c0f2567e2926d72c557722693f86fba
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY7Zd:hDXWipuE+K3/SSHgxm7Zd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2784	DEME2FF.exe
2824	DEM386E.exe
2264	DEM8E89.exe
1352	DEME3E9.exe
2712	DEM3968.exe
1292	DEM8EC8.exe

Loads dropped DLL 6 IoCs

pid	Process
3068	8817a856cc1c2f87296ba8b5f6080216_JaffaCakes118.exe
2784	DEME2FF.exe
2824	DEM386E.exe
2264	DEM8E89.exe
1352	DEME3E9.exe
2712	DEM3968.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME3E9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3968.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8817a856cc1c2f87296ba8b5f6080216_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME2FF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM386E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8E89.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2784	3068	8817a856cc1c2f87296ba8b5f6080216_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2784	3068	8817a856cc1c2f87296ba8b5f6080216_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2784	3068	8817a856cc1c2f87296ba8b5f6080216_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2784	3068	8817a856cc1c2f87296ba8b5f6080216_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2824	2784	DEME2FF.exe	32
PID 2784 wrote to memory of 2824	2784	DEME2FF.exe	32
PID 2784 wrote to memory of 2824	2784	DEME2FF.exe	32
PID 2784 wrote to memory of 2824	2784	DEME2FF.exe	32
PID 2824 wrote to memory of 2264	2824	DEM386E.exe	34
PID 2824 wrote to memory of 2264	2824	DEM386E.exe	34
PID 2824 wrote to memory of 2264	2824	DEM386E.exe	34
PID 2824 wrote to memory of 2264	2824	DEM386E.exe	34
PID 2264 wrote to memory of 1352	2264	DEM8E89.exe	36
PID 2264 wrote to memory of 1352	2264	DEM8E89.exe	36
PID 2264 wrote to memory of 1352	2264	DEM8E89.exe	36
PID 2264 wrote to memory of 1352	2264	DEM8E89.exe	36
PID 1352 wrote to memory of 2712	1352	DEME3E9.exe	38
PID 1352 wrote to memory of 2712	1352	DEME3E9.exe	38
PID 1352 wrote to memory of 2712	1352	DEME3E9.exe	38
PID 1352 wrote to memory of 2712	1352	DEME3E9.exe	38
PID 2712 wrote to memory of 1292	2712	DEM3968.exe	40
PID 2712 wrote to memory of 1292	2712	DEM3968.exe	40
PID 2712 wrote to memory of 1292	2712	DEM3968.exe	40
PID 2712 wrote to memory of 1292	2712	DEM3968.exe	40

C:\Users\Admin\AppData\Local\Temp\8817a856cc1c2f87296ba8b5f6080216_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8817a856cc1c2f87296ba8b5f6080216_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\DEME2FF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME2FF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\DEM386E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM386E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\DEM8E89.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM8E89.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\DEME3E9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME3E9.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1352
      - C:\Users\Admin\AppData\Local\Temp\DEM3968.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3968.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\DEM8EC8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8EC8.exe"
        7⤵
        Executes dropped EXE
        
        PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM386E.exe

Filesize
14KB

MD5
4f6e8b4f5820d967ab2ef107d6996e32

SHA1
4cc8382259f36c9c38930d01526a5c67d9e56aba

SHA256
14afdd79012c530cab5fb564af8626f8d2ef00becff6c840e4727d0c7cce6612

SHA512
3c4fbb3188c1b6c175121f55b35d1eb0233a216e2a1dc2c7534df3c9a67a30b394e038c6d1c291e8bc68931ac8b72f3ecef48b6784cad99cbc993791633a2b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME2FF.exe

Filesize
14KB

MD5
7a2c3ce2a1a17d25603a95e0cd21be08

SHA1
75a981f5f347e8eb6ff3ed68f790d6af8b192ef7

SHA256
daa4fe66ef235f6a8097ccea42905fb6df935c0ae68fc229bf6bd8faf7e1f79e

SHA512
a25e26d01488732532c95dc8fa30faee17c13e59005a644d5578676ea427a769c419a9c149029bfa28543b923c37f18ced6fd7138baeed72ee34f52ad097a2f0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3968.exe

Filesize
14KB

MD5
51c36a2bcf51a19e125074e969cbb5ad

SHA1
307922b999206c0ef7fdedc8a37d727faa051ee3

SHA256
c972dec9c5b785b06f15c827a785f58543ec623ba2dfd0621d77231740862524

SHA512
e7ee0a822b70eb8b50026fd06e8d5655b60d981e7ccce847d1461fa31d222f445c8f76b385a0e06194cc56164a62c023dcc54d3d85b5497da93782df7bfaf7a8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8E89.exe

Filesize
14KB

MD5
3610b656a36fcf008fc2a9b189c79169

SHA1
b1afd400637d89905ef7e10f97e48fa5a2e97c98

SHA256
ace5da76c66b82117258590e28cb15d27c82fa918f19b60ee4d7a66ac89850a1

SHA512
c0a6b6c076f6f209bf0a83364f5b39487ddd3ed7a66ffbdcc1324ef1ca546d6ed9ec6baf00d40ddd31b22e82338cfb152b283a19b442667fcfc0b000f8604a94

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8EC8.exe

Filesize
15KB

MD5
cfb6f92007d1f88732985ec2f2a4f6b5

SHA1
6284aeef69d737f4d027341f146967bacd600ecc

SHA256
8def15b7d00098dd186b76a822f8cdbe177be3b0a42acd45899ee3bf27e61b39

SHA512
1e27a0a7efd807d90dac5ed8cbe64e5dae0ec65c2b66ddb5500427d9f8b36cd02abfcd9540086ff156a693c4d0189b5ccbfa090f50d1395f0e1e8e5931057393

Download Submit
\Users\Admin\AppData\Local\Temp\DEME3E9.exe

Filesize
14KB

MD5
97feabced9c9c028e990e08132821885

SHA1
995b3e86311c360213ebd2041119bf3c3b563123

SHA256
b7c3c33226e5c7db7d34bafed4540387325b6105860d0a6010bec57c3302ec67

SHA512
32a611bd67d547fe41b09a9affa1019eb51d338e6cc200cc9eaf44c01d451feaec6fd28a32a0c642fcd949116312eb752c9e348b90b29f573ef2686e34eabc3a

Download Submit

Analysis

Sharing