8e19a48a663fcf8d3282c7fa4c99d5a1bfb6d22cec482d9e3cca4bfa0350f6cc

General

Target

949256b3ebba498f3347b5f1da8cd954_JaffaCakes118.exe
Size

14KB
MD5

949256b3ebba498f3347b5f1da8cd954
SHA1

6a861a4f011f6da8fb56cc7af3f0f671dba013e9
SHA256

8e19a48a663fcf8d3282c7fa4c99d5a1bfb6d22cec482d9e3cca4bfa0350f6cc
SHA512

55740efb0ac4a3e6fcaf1449d5507d223d3e969401abb614db6daed874caea0b5811a5b7c0383c3af606f61ed51802c4e59ed34d8ca149583b7065db56aff763
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZ:hDXWipuE+K3/SSHgxD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2740	DEMAA72.exe
2944	DEMFFF1.exe
3068	DEM55FC.exe
1208	DEMAC56.exe
1280	DEM1D5.exe
2312	DEM5735.exe

Loads dropped DLL 6 IoCs

pid	Process
2128	949256b3ebba498f3347b5f1da8cd954_JaffaCakes118.exe
2740	DEMAA72.exe
2944	DEMFFF1.exe
3068	DEM55FC.exe
1208	DEMAC56.exe
1280	DEM1D5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	949256b3ebba498f3347b5f1da8cd954_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAA72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFFF1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM55FC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAC56.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1D5.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2740	2128	949256b3ebba498f3347b5f1da8cd954_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2740	2128	949256b3ebba498f3347b5f1da8cd954_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2740	2128	949256b3ebba498f3347b5f1da8cd954_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2740	2128	949256b3ebba498f3347b5f1da8cd954_JaffaCakes118.exe	32
PID 2740 wrote to memory of 2944	2740	DEMAA72.exe	34
PID 2740 wrote to memory of 2944	2740	DEMAA72.exe	34
PID 2740 wrote to memory of 2944	2740	DEMAA72.exe	34
PID 2740 wrote to memory of 2944	2740	DEMAA72.exe	34
PID 2944 wrote to memory of 3068	2944	DEMFFF1.exe	36
PID 2944 wrote to memory of 3068	2944	DEMFFF1.exe	36
PID 2944 wrote to memory of 3068	2944	DEMFFF1.exe	36
PID 2944 wrote to memory of 3068	2944	DEMFFF1.exe	36
PID 3068 wrote to memory of 1208	3068	DEM55FC.exe	38
PID 3068 wrote to memory of 1208	3068	DEM55FC.exe	38
PID 3068 wrote to memory of 1208	3068	DEM55FC.exe	38
PID 3068 wrote to memory of 1208	3068	DEM55FC.exe	38
PID 1208 wrote to memory of 1280	1208	DEMAC56.exe	40
PID 1208 wrote to memory of 1280	1208	DEMAC56.exe	40
PID 1208 wrote to memory of 1280	1208	DEMAC56.exe	40
PID 1208 wrote to memory of 1280	1208	DEMAC56.exe	40
PID 1280 wrote to memory of 2312	1280	DEM1D5.exe	42
PID 1280 wrote to memory of 2312	1280	DEM1D5.exe	42
PID 1280 wrote to memory of 2312	1280	DEM1D5.exe	42
PID 1280 wrote to memory of 2312	1280	DEM1D5.exe	42

C:\Users\Admin\AppData\Local\Temp\949256b3ebba498f3347b5f1da8cd954_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\949256b3ebba498f3347b5f1da8cd954_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\DEMAA72.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMAA72.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\DEMFFF1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMFFF1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\DEM55FC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM55FC.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Users\Admin\AppData\Local\Temp\DEMAC56.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAC56.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1208
      - C:\Users\Admin\AppData\Local\Temp\DEM1D5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1D5.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\DEM5735.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5735.exe"
        7⤵
        Executes dropped EXE
        
        PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMAC56.exe

Filesize
14KB

MD5
2edd7eca6c42d751eda0268af485bd50

SHA1
f6c6ad3a3e52cdd6ff39e079eae4b291f7eaf8ce

SHA256
b61f793852a8f7e3ef8e26dda0248a4034d4a1a8239790fecfd18c110b1b530f

SHA512
bdc85c240cdebbdaf8b302f202cb0f7b6924a0d6b7742056c81dc619b00ff1c927284b6f5acd94c99ac40406d8d4a08d6496adcd44cbb2a7e0ad0dd690fc586e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFFF1.exe

Filesize
14KB

MD5
6b430389c3a420bd23227f5c52481943

SHA1
70b1ff29656cf2c0625384867b19839dac60a1f1

SHA256
dc5900cd30f4de67ed5ff2cdcee64dc5c7a063a3c1732289746fa54a56b5e2a9

SHA512
67986ff565890d2f6d2837b99dc112bbe5a4c2be6238919b56f5569cd3dfbddbf361fdf815a7aef472d36e63a6390b212fca6ca980146cea22d9d65835415a54

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1D5.exe

Filesize
14KB

MD5
690065021abb839f0cdb3633968694e9

SHA1
d79f00d62c2fd34f1c719da16b3f47f89e756d03

SHA256
43456f266eea34a94599a4d2f1c26e829cdeed4b7e466b81424ca8fea0844fb9

SHA512
d01f253b16952558d9f755cc72b3928c1fd69216033a4fc41bdf94e44477355e4cb3bed3b46bc7afd07302ad6da65281944ebf77bc0577944f73ed4f8125d176

Download Submit
\Users\Admin\AppData\Local\Temp\DEM55FC.exe

Filesize
14KB

MD5
0fb9a3a6c1aed45413fdaa47dae507ce

SHA1
ba869158c719c70a4c7bf17b083ec1ed8c89caa6

SHA256
b39e2283aa9db3dfe216ee2cf2330ba86fdc16d4a5319ce1e726e9ec24ef67ad

SHA512
5574b39327c275a29f024e79e7142a75dc499ee31d417a10f5ece5e0c5300785c132d2b478401d124926f5833de7eeb1bba602426bd687403ec6a3dca82e0457

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5735.exe

Filesize
14KB

MD5
4f75df6115ab95e44ce4d5c6bbca723a

SHA1
da29822f3cbee585c4735308fb18b77071951f15

SHA256
52725bf31c069f924dca110a4e834a62fefe6650320a588b0ac50d223beea6df

SHA512
82f6e9ae0908c6a70743d5792f1576cd14584f7ff0848e8b1f78c7ace188c8c7c42027e86e8e351c9d8a7b3f11ed886a0637cd8188cdbdfe689ab8867c6870d8

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAA72.exe

Filesize
14KB

MD5
253f0723bc8bae1a7af129a982cbd799

SHA1
0a0aae0114959123d5c922131cba8a06de3d3bad

SHA256
16eb0b6e8051e660f76e2e4877401e4d600781143f2edf52b38ad2cd02b559d5

SHA512
f3ea710e8644ac9e2272ab89e7269d0c7f11d26c2d9300708f7f6f7f8d845960d4e15b5f1da18e62a49435194ef1a9837edff7599ee66fa443266b198764b2b7

Download Submit

Analysis

Sharing