2de5e45ce0349f4642306f4ee495a091473930fdc5eecb8ebcfa4f8d7dd949c7

General

Target

abd96c414be0ff455d720cd5041b4807_JaffaCakes118.exe
Size

15KB
MD5

abd96c414be0ff455d720cd5041b4807
SHA1

9590ecd0f94702df0149a83ce9f8d84f56617d79
SHA256

2de5e45ce0349f4642306f4ee495a091473930fdc5eecb8ebcfa4f8d7dd949c7
SHA512

88d5e375488df8b0cd93422cf9a0ac4a9c885fdefb9f22975b8022b12a8690e88c39d8a243cf602d5e1873ab45b7d05aee0c104855254bb32ab2bfcd80e9a4d9
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxu:hDXWipuE+K3/SSHgxmHs

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2812	DEM602A.exe
2772	DEMB57A.exe
448	DEMB56.exe
3016	DEM6097.exe
2088	DEMB606.exe
772	DEMBA4.exe

Loads dropped DLL 6 IoCs

pid	Process
2688	abd96c414be0ff455d720cd5041b4807_JaffaCakes118.exe
2812	DEM602A.exe
2772	DEMB57A.exe
448	DEMB56.exe
3016	DEM6097.exe
2088	DEMB606.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abd96c414be0ff455d720cd5041b4807_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM602A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB57A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB56.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6097.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB606.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2812	2688	abd96c414be0ff455d720cd5041b4807_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2812	2688	abd96c414be0ff455d720cd5041b4807_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2812	2688	abd96c414be0ff455d720cd5041b4807_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2812	2688	abd96c414be0ff455d720cd5041b4807_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2772	2812	DEM602A.exe	33
PID 2812 wrote to memory of 2772	2812	DEM602A.exe	33
PID 2812 wrote to memory of 2772	2812	DEM602A.exe	33
PID 2812 wrote to memory of 2772	2812	DEM602A.exe	33
PID 2772 wrote to memory of 448	2772	DEMB57A.exe	35
PID 2772 wrote to memory of 448	2772	DEMB57A.exe	35
PID 2772 wrote to memory of 448	2772	DEMB57A.exe	35
PID 2772 wrote to memory of 448	2772	DEMB57A.exe	35
PID 448 wrote to memory of 3016	448	DEMB56.exe	37
PID 448 wrote to memory of 3016	448	DEMB56.exe	37
PID 448 wrote to memory of 3016	448	DEMB56.exe	37
PID 448 wrote to memory of 3016	448	DEMB56.exe	37
PID 3016 wrote to memory of 2088	3016	DEM6097.exe	39
PID 3016 wrote to memory of 2088	3016	DEM6097.exe	39
PID 3016 wrote to memory of 2088	3016	DEM6097.exe	39
PID 3016 wrote to memory of 2088	3016	DEM6097.exe	39
PID 2088 wrote to memory of 772	2088	DEMB606.exe	41
PID 2088 wrote to memory of 772	2088	DEMB606.exe	41
PID 2088 wrote to memory of 772	2088	DEMB606.exe	41
PID 2088 wrote to memory of 772	2088	DEMB606.exe	41

C:\Users\Admin\AppData\Local\Temp\abd96c414be0ff455d720cd5041b4807_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\abd96c414be0ff455d720cd5041b4807_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\DEM602A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM602A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\DEMB57A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB57A.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\DEMB56.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB56.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:448
    - - C:\Users\Admin\AppData\Local\Temp\DEM6097.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6097.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Users\Admin\AppData\Local\Temp\DEMB606.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB606.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\DEMBA4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBA4.exe"
        7⤵
        Executes dropped EXE
        
        PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMB56.exe

Filesize
15KB

MD5
aef9bbdf5cf3ea294883542b8942709d

SHA1
4e6437f72c93d00f5d26638fc506f6eadc1bbc47

SHA256
1315fa161d4820b3925fd81bce3d57802d55d7fcaa4ae6e59f02c2aed03f63e6

SHA512
eae8017b28769903617a4944dffa2df1e0a368f2d6baea93d7416ea63b39103cb27b2bb1c36d4b2550796c1dcec084a1d1568ca8b5bd8c985553057d9f903238

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB57A.exe

Filesize
15KB

MD5
b0641654ea442587caa51c73e95eef7a

SHA1
ee4ac7d3037a5cd7a45a95f520f49cab79e3d93e

SHA256
503aaae086fd5b2ee0a4a037829a1721d9ef6b67a2cb84144ca50a053781c93d

SHA512
f05c7290c30149950361716c4401ac1bc91a8eb8a9a0024db8905b784312895455f097c1251a3de6168269a94485f23ee11fae7871d983a46c4402b16a802ce7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM602A.exe

Filesize
15KB

MD5
0c7567a36924e0bb7a3a33cc2dc054c1

SHA1
efec7b3e391235c5298e354705bf0f806e5d5870

SHA256
d10e15cb46b023b60bc3762fab16e885b3cbfe8529a393f551ce0f287af58883

SHA512
8dda66304686f36c81cce407fe3ad1b58bac39a6ac40502c40c11e8825117ac46bc43a1592ba6c9a75e20e408eaf1e63d6f5b4afa751f1f75d1de35c95e6e5ad

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6097.exe

Filesize
15KB

MD5
7180c9f4764a0455c2cdfc7e192814fd

SHA1
e7195eda39da791603583ccdc1f777189f437398

SHA256
2e09e6d7618253de7cd901b0865dee58a62589c30c60c012a2224adea3a19535

SHA512
c9626e71e33d45ca619ee888475095e7fb0e9fc3dab1e56654348537d5f5202bfe54f61fdccf4f27d98225ff743201f506965b47af231d5a3885eaf54915a002

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB606.exe

Filesize
15KB

MD5
3b01125797e9b7e94ec0d51c4e408944

SHA1
7653067cca6d26632b9a6b325d6ef57f4e01860e

SHA256
c43e17fed19f2a5cb34c4e134ee69d015efedee249ec0779e2689a31170a1a71

SHA512
30b58df5f7eafa5fc3862b37ccec3135d64786f16aa0eb92e317a3402c0f8dfa658346308ff4a763dd6e5172d3bfab1aa5aeea3dc7a031dfc22538f3b351fd9e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBA4.exe

Filesize
15KB

MD5
bee99f45a192a7d5f9c05588af69bd81

SHA1
a8e1a709c47099c8172315d9542d59da3ab783f8

SHA256
88101f48c4864039c02eadf6b8af3dd8d87a3a3838dd853223e5ad310f191542

SHA512
d661de858b99ecea40aa5d7f9f8077a0b74f220de8523244c0252139659a6ffeb5e28bdb3e7bfa8cfaff9d29d61fea339ffa07e396e13b42c47808c173566fd7

Download Submit

Analysis

Sharing