8c2f939e420cf3362e1105a36f9e5ef7ff17ef1fa6dc252a7284ddc07d5a8c21

General

Target

8b435334e13e9a27dd172ef3c52f6c24_JaffaCakes118.exe
Size

14KB
MD5

8b435334e13e9a27dd172ef3c52f6c24
SHA1

20ccf41bd50dc86d6201ddbdc7f8371d537e8f1b
SHA256

8c2f939e420cf3362e1105a36f9e5ef7ff17ef1fa6dc252a7284ddc07d5a8c21
SHA512

b8b4c31e8546d1cd3d11575939684502271d196fadb819570eb8e3618308c543c92e7f0e2a0a88628c4531db5c42a1c65999cf7dea099ca6a778eed09e6cf183
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhS0:hDXWipuE+K3/SSHgx00

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1752	DEMB461.exe
2684	DEM9A2.exe
1404	DEM5F11.exe
1484	DEMB471.exe
1808	DEM9C1.exe
2660	DEM5F12.exe

Loads dropped DLL 6 IoCs

pid	Process
2480	8b435334e13e9a27dd172ef3c52f6c24_JaffaCakes118.exe
1752	DEMB461.exe
2684	DEM9A2.exe
1404	DEM5F11.exe
1484	DEMB471.exe
1808	DEM9C1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5F11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB471.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9C1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b435334e13e9a27dd172ef3c52f6c24_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB461.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9A2.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 1752	2480	8b435334e13e9a27dd172ef3c52f6c24_JaffaCakes118.exe	32
PID 2480 wrote to memory of 1752	2480	8b435334e13e9a27dd172ef3c52f6c24_JaffaCakes118.exe	32
PID 2480 wrote to memory of 1752	2480	8b435334e13e9a27dd172ef3c52f6c24_JaffaCakes118.exe	32
PID 2480 wrote to memory of 1752	2480	8b435334e13e9a27dd172ef3c52f6c24_JaffaCakes118.exe	32
PID 1752 wrote to memory of 2684	1752	DEMB461.exe	34
PID 1752 wrote to memory of 2684	1752	DEMB461.exe	34
PID 1752 wrote to memory of 2684	1752	DEMB461.exe	34
PID 1752 wrote to memory of 2684	1752	DEMB461.exe	34
PID 2684 wrote to memory of 1404	2684	DEM9A2.exe	36
PID 2684 wrote to memory of 1404	2684	DEM9A2.exe	36
PID 2684 wrote to memory of 1404	2684	DEM9A2.exe	36
PID 2684 wrote to memory of 1404	2684	DEM9A2.exe	36
PID 1404 wrote to memory of 1484	1404	DEM5F11.exe	38
PID 1404 wrote to memory of 1484	1404	DEM5F11.exe	38
PID 1404 wrote to memory of 1484	1404	DEM5F11.exe	38
PID 1404 wrote to memory of 1484	1404	DEM5F11.exe	38
PID 1484 wrote to memory of 1808	1484	DEMB471.exe	40
PID 1484 wrote to memory of 1808	1484	DEMB471.exe	40
PID 1484 wrote to memory of 1808	1484	DEMB471.exe	40
PID 1484 wrote to memory of 1808	1484	DEMB471.exe	40
PID 1808 wrote to memory of 2660	1808	DEM9C1.exe	42
PID 1808 wrote to memory of 2660	1808	DEM9C1.exe	42
PID 1808 wrote to memory of 2660	1808	DEM9C1.exe	42
PID 1808 wrote to memory of 2660	1808	DEM9C1.exe	42

C:\Users\Admin\AppData\Local\Temp\8b435334e13e9a27dd172ef3c52f6c24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8b435334e13e9a27dd172ef3c52f6c24_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\DEMB461.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB461.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\DEM9A2.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9A2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\DEM5F11.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5F11.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Users\Admin\AppData\Local\Temp\DEMB471.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB471.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1484
      - C:\Users\Admin\AppData\Local\Temp\DEM9C1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9C1.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\DEM5F12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5F12.exe"
        7⤵
        Executes dropped EXE
        
        PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM9A2.exe

Filesize
14KB

MD5
c25818d509b1320ffa6dd7ae94d01123

SHA1
eac932469f9dcdbb5b117af5f67192270a8b3233

SHA256
b35b55e180aac55163e48d674ed12cc208ae088ea179e5aaf65f9a0ef6885204

SHA512
f3a607716b01d29e460ac4b2670863646201434fe6d2b5362b0f0fe020e5229b904c9e70198aeef509bc1f72871a1df5db6a541ef0f92dc53b33c5e44339ad82

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB461.exe

Filesize
14KB

MD5
f8bbc1da3c64de6f36aa02f75e518b8b

SHA1
75741f471fe7f7b3100a642b56474922a9ca3961

SHA256
ecde1f11bdcd8206a64c274bf6c2adfd35785b02defff259bc11b9d84afde549

SHA512
288cbdd71d0ec85c452e5d40043835407daa8a6aadd462857a757e60bf3fcd1a00335532d6fc4a099a870ad6e80d07a717bd7640b04e8e1f02e58a413e370519

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB471.exe

Filesize
14KB

MD5
8fd6039abb735b1f8028ac23da0bf7c3

SHA1
13bbf873a76c670e2811da6bfe3733b9ea43b2fa

SHA256
2a90433c4b804895d548d0f7c4d6f63310aecf617d90fc64f851254a48ddf56c

SHA512
a600dfc4c67882d00fefbf1b1cf7146847e4d838502e1092e95ce7ae32929a4e5606d3907ab484b424511a4de045ced4884e43910a758b333305f50f46402059

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5F11.exe

Filesize
14KB

MD5
2738257d9cd932d8755807856f15fe08

SHA1
523e7df4efcf9d43a0447b5361ffe8956e76ee4b

SHA256
cd1efc4e8f6f46b1d4a817501c737107c911083d02da7ea8b9f2f1ba0b01d3ed

SHA512
6a4df1c56708c9fb436128f93925ad9b09f1e340e0abf972e7f0d25f04bb948e66afc374d70e44b1b14748a9d4b6dd475e350871e02b46c744495bb1cc1d2a60

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5F12.exe

Filesize
14KB

MD5
04938b9282db2f5b5cd380c09daf6164

SHA1
4329d2bbea965f73c2256ade420fd5bd6d06d2a8

SHA256
21a36d1e04c366cbd2304050f59767504197bb20d72bf436823eca119b02b092

SHA512
ce7991daf2edef03cefa8ea67234b092d5f63313333cf898c3c6c90eb6fd79f5e2a7d8b70dcf267969777bc5e8aac7b70cb1dc2fc04a7787502a6a6750ef25c8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9C1.exe

Filesize
14KB

MD5
2bff60e16f811bda8e9a1e77579a7377

SHA1
045626c769e2eb87e20c11e3ba11ccf5d425d185

SHA256
dade4cc7e5a9fd2b95ed83e70b12a396ff9389477b23d1c3a695248ce52ce583

SHA512
9c3ae9579d51e3b50aa27257c4d6fb658033afde2c9a2b6b5c526314a9e7d8b039c8b791d3f128a79cf26f7af26a7beb4cfdeb1d9144b04ad4d3bc00d578f6ed

Download Submit

Analysis

Sharing