8fa4772008b82b6b7ce49602625479ef5a62521ccf8f6096131ec4c5982bedb2

General

Target

a2836a552705f43d0611c8ebebe4f28d_JaffaCakes118.exe
Size

15KB
MD5

a2836a552705f43d0611c8ebebe4f28d
SHA1

25b225ddbd4aed247faa447450b0f3d1c1610452
SHA256

8fa4772008b82b6b7ce49602625479ef5a62521ccf8f6096131ec4c5982bedb2
SHA512

61b2a9a7d58092bcd4cab1a365fe9ea59e259ee9b9fc87388bc43ca5e4a79090c7d32e1d6ee6ff308d47e32fcc156239c476dedf6e9a9cb5516bf99f908c2782
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJEHT:hDXWipuE+K3/SSHgxWT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
700	DEMD5B6.exe
2760	DEM2B35.exe
2620	DEM8066.exe
2864	DEMD588.exe
2644	DEM2BD1.exe
2104	DEM8131.exe

Loads dropped DLL 6 IoCs

pid	Process
3032	a2836a552705f43d0611c8ebebe4f28d_JaffaCakes118.exe
700	DEMD5B6.exe
2760	DEM2B35.exe
2620	DEM8066.exe
2864	DEMD588.exe
2644	DEM2BD1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2836a552705f43d0611c8ebebe4f28d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD5B6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2B35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8066.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD588.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2BD1.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 700	3032	a2836a552705f43d0611c8ebebe4f28d_JaffaCakes118.exe	32
PID 3032 wrote to memory of 700	3032	a2836a552705f43d0611c8ebebe4f28d_JaffaCakes118.exe	32
PID 3032 wrote to memory of 700	3032	a2836a552705f43d0611c8ebebe4f28d_JaffaCakes118.exe	32
PID 3032 wrote to memory of 700	3032	a2836a552705f43d0611c8ebebe4f28d_JaffaCakes118.exe	32
PID 700 wrote to memory of 2760	700	DEMD5B6.exe	34
PID 700 wrote to memory of 2760	700	DEMD5B6.exe	34
PID 700 wrote to memory of 2760	700	DEMD5B6.exe	34
PID 700 wrote to memory of 2760	700	DEMD5B6.exe	34
PID 2760 wrote to memory of 2620	2760	DEM2B35.exe	36
PID 2760 wrote to memory of 2620	2760	DEM2B35.exe	36
PID 2760 wrote to memory of 2620	2760	DEM2B35.exe	36
PID 2760 wrote to memory of 2620	2760	DEM2B35.exe	36
PID 2620 wrote to memory of 2864	2620	DEM8066.exe	38
PID 2620 wrote to memory of 2864	2620	DEM8066.exe	38
PID 2620 wrote to memory of 2864	2620	DEM8066.exe	38
PID 2620 wrote to memory of 2864	2620	DEM8066.exe	38
PID 2864 wrote to memory of 2644	2864	DEMD588.exe	40
PID 2864 wrote to memory of 2644	2864	DEMD588.exe	40
PID 2864 wrote to memory of 2644	2864	DEMD588.exe	40
PID 2864 wrote to memory of 2644	2864	DEMD588.exe	40
PID 2644 wrote to memory of 2104	2644	DEM2BD1.exe	42
PID 2644 wrote to memory of 2104	2644	DEM2BD1.exe	42
PID 2644 wrote to memory of 2104	2644	DEM2BD1.exe	42
PID 2644 wrote to memory of 2104	2644	DEM2BD1.exe	42

C:\Users\Admin\AppData\Local\Temp\a2836a552705f43d0611c8ebebe4f28d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2836a552705f43d0611c8ebebe4f28d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\DEMD5B6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMD5B6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Users\Admin\AppData\Local\Temp\DEM2B35.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM2B35.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\DEM8066.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM8066.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Users\Admin\AppData\Local\Temp\DEMD588.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD588.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Users\Admin\AppData\Local\Temp\DEM2BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2BD1.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\DEM8131.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8131.exe"
        7⤵
        Executes dropped EXE
        
        PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2B35.exe

Filesize
15KB

MD5
91600b3c6a168d30592c8941bf83c85e

SHA1
cea2104088efb8d4d2f02cc569efc542324cf605

SHA256
4cd68fdd25e1782542b00e8ef945baa4698e1c7f4a910e03ad7d24b33534d59b

SHA512
57f9557cc2c6101cce84b6b488a25fe071f69edbc4e4eaa736ad1221e1dbb1796412d723c092547c5ffa3f2653a001404823b332d8087a938c08163bbe06a23f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2BD1.exe

Filesize
15KB

MD5
d9fe5bb72679eb959f5a41a9cecf5d7d

SHA1
773aeb24fd6de5462386a0f488237075d3f950c9

SHA256
8e4d56a5ee71c2a85750345e09150a412aada161f529445b6436a31541972115

SHA512
528d90d0e4e642e61ca8154400dbace99c8be402c4d3ab6f2d0bedc964f5a05832713cf04c761cd70a58923f80cd97ba3a5df97c5081979633394e47a04da9d7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8066.exe

Filesize
15KB

MD5
0c95ca521af3c98188b3779307cd9fa4

SHA1
5e3068617c1a94949568bd3ce257773839011994

SHA256
20c7428d42d66ed37d2a643f62bb65864c131a317546b8cbbf869d7c9b5e61e7

SHA512
71c1da4b36effb415fc0247be3754e848dd429272b2d85323bfceef8560a6ee05c373706bb4aab2aa86263bb9d4a6c93d52fa282f2607f8a4f0ebbc8fce3c244

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8131.exe

Filesize
15KB

MD5
e0f07ea7910635d7e25780521c105373

SHA1
9b5a7a8a1bf289997ef3f4a2a1ffb6a98ba96296

SHA256
b691ccf2d90583dc025268ab2d36aea6e67f25f0cd9313d5b43b1c2caad8aa11

SHA512
b6193ec9c57d0cd44a895b1727d46f02db533ac255ee6e93f593604128d63e7f612c01d953dea6fd545d186e84ed962589fd3915d81e9aa071121b384674ba62

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD588.exe

Filesize
15KB

MD5
3cdce26c0758d79fe0b3f1e22281d3af

SHA1
d647543935814cdbb8e3c2b27c8e3be8b09431a1

SHA256
d11208f8ecfdd0946dd85752a5247d656e80391b3befdc173b6c0a1f1d9d3456

SHA512
1d3fda43da1f5e2b1edfe931796b083809dddaef7443a1032ce07732a57154ec6636068bf2b2301600cb1af8a130b28d767e7bc0fbdc162f337b7f80e0dc5533

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD5B6.exe

Filesize
15KB

MD5
8fb42077710fc06466c885ea11437cc3

SHA1
220724e849d39893ceac6fbf0b989a120ce34510

SHA256
c17dc84d7a67854fc4cba7d7e748ab66e25fce8db3c88e587b29ca54ba138f8b

SHA512
eb0c7768b844b8655680a976f6214c406cf69a3a1ddfdb4e854a57fbe5a1ed6ffda5fda926a95e47d153affa98a995d8fe710bc7a3fab0bfc6ffc750a1767329

Download Submit

Analysis

Sharing