07d0e3f84c38d4405030d28783b962a5152a72f7f6ad252fff36049c676581c9

General

Target

b0a00049823fd8f4ad42f7cf91953b18_JaffaCakes118.exe
Size

15KB
MD5

b0a00049823fd8f4ad42f7cf91953b18
SHA1

80d1e4f23ca2ce8d1fc1afecc815e6972807b835
SHA256

07d0e3f84c38d4405030d28783b962a5152a72f7f6ad252fff36049c676581c9
SHA512

0e7cb9f6d6709f6074d3dfcfb0e60da848a7180f8721d4c4313e8348472a2f22d1a5b4195dc157e27d6129ee328f3b9d9844bb7e654cd153dd5289e905733083
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYKB2HTyC:hDXWipuE+K3/SSHgxmKEzyC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2632	DEM4FD5.exe
2540	DEMA506.exe
2624	DEMFA27.exe
2912	DEM4FB6.exe
2880	DEMA4C7.exe
2348	DEMF9CA.exe

Loads dropped DLL 6 IoCs

pid	Process
2824	b0a00049823fd8f4ad42f7cf91953b18_JaffaCakes118.exe
2632	DEM4FD5.exe
2540	DEMA506.exe
2624	DEMFA27.exe
2912	DEM4FB6.exe
2880	DEMA4C7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0a00049823fd8f4ad42f7cf91953b18_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4FD5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA506.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFA27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4FB6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA4C7.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2632	2824	b0a00049823fd8f4ad42f7cf91953b18_JaffaCakes118.exe	31
PID 2824 wrote to memory of 2632	2824	b0a00049823fd8f4ad42f7cf91953b18_JaffaCakes118.exe	31
PID 2824 wrote to memory of 2632	2824	b0a00049823fd8f4ad42f7cf91953b18_JaffaCakes118.exe	31
PID 2824 wrote to memory of 2632	2824	b0a00049823fd8f4ad42f7cf91953b18_JaffaCakes118.exe	31
PID 2632 wrote to memory of 2540	2632	DEM4FD5.exe	33
PID 2632 wrote to memory of 2540	2632	DEM4FD5.exe	33
PID 2632 wrote to memory of 2540	2632	DEM4FD5.exe	33
PID 2632 wrote to memory of 2540	2632	DEM4FD5.exe	33
PID 2540 wrote to memory of 2624	2540	DEMA506.exe	35
PID 2540 wrote to memory of 2624	2540	DEMA506.exe	35
PID 2540 wrote to memory of 2624	2540	DEMA506.exe	35
PID 2540 wrote to memory of 2624	2540	DEMA506.exe	35
PID 2624 wrote to memory of 2912	2624	DEMFA27.exe	37
PID 2624 wrote to memory of 2912	2624	DEMFA27.exe	37
PID 2624 wrote to memory of 2912	2624	DEMFA27.exe	37
PID 2624 wrote to memory of 2912	2624	DEMFA27.exe	37
PID 2912 wrote to memory of 2880	2912	DEM4FB6.exe	39
PID 2912 wrote to memory of 2880	2912	DEM4FB6.exe	39
PID 2912 wrote to memory of 2880	2912	DEM4FB6.exe	39
PID 2912 wrote to memory of 2880	2912	DEM4FB6.exe	39
PID 2880 wrote to memory of 2348	2880	DEMA4C7.exe	41
PID 2880 wrote to memory of 2348	2880	DEMA4C7.exe	41
PID 2880 wrote to memory of 2348	2880	DEMA4C7.exe	41
PID 2880 wrote to memory of 2348	2880	DEMA4C7.exe	41

C:\Users\Admin\AppData\Local\Temp\b0a00049823fd8f4ad42f7cf91953b18_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b0a00049823fd8f4ad42f7cf91953b18_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\DEM4FD5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4FD5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\DEMA506.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA506.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\DEMFA27.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFA27.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Users\Admin\AppData\Local\Temp\DEM4FB6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4FB6.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - C:\Users\Admin\AppData\Local\Temp\DEMA4C7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA4C7.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\DEMF9CA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF9CA.exe"
        7⤵
        Executes dropped EXE
        
        PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4FB6.exe

Filesize
15KB

MD5
77c99d99af9967777e53e026e252d2c3

SHA1
6f343132c535f235260f273299f470cd91cafc10

SHA256
fdc056e7799a95de13761fad336531b3b2d80b9af2fb513427a1d35c35e95956

SHA512
9ddbcf774b07e8be4190e8b4685a20c2d96fb7686b442fcadb48576cb9aa20edf350c1987c0039adec55325c658ddfc8373bab07b4abe48984809f186260cd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA506.exe

Filesize
15KB

MD5
0598d72182ca9073522d0e0ad70466ba

SHA1
7d1d20c0baccad9eb41168b7e898f140099df5ba

SHA256
77c43de663fc359f12c0e238300678fc245479470bf96cebeccfd0eab6af67c7

SHA512
854fbee70499b1f128d66f7b396ac02cc4f73cbc93737c03d0198e99757a5c88e3d89b2847ff59fbefc37a8f6fd371f8fa920c93d37d7eed92e30c9466bd7cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF9CA.exe

Filesize
15KB

MD5
c0eb134111f23b908250fa6bdc96abaa

SHA1
a5ffc39b76cb150805f32ff1beb009d33a0a780e

SHA256
afb7fe0375d3e6b47560b8a0cd0dfe24bc4869e3ab4d6a45b786bef8a0491d74

SHA512
8150d52c68fe49113eee1e41e49a2ec9348c0069a02843bf56928cebd576cabf5e66b4e1b375f96ef7498ef01b04fd737e7739f484a5dced93755eee24bc9eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFA27.exe

Filesize
15KB

MD5
e24a17bd200fcb85fb4f297d6f0cf59c

SHA1
2ffc0a17f497bff8628ab338209612b3bcd4551a

SHA256
9209f6c39d0c55d7e3876ac45066e5b14d154227de3c05569472b589cc863f13

SHA512
b21ff3b7a86e2e033a538f5acb42c9d52662ae0522d3e783b81dec0ef25b883532a36940176160657997dbec0406c55c0b511970a4f09e62122eb6e9486c510b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4FD5.exe

Filesize
15KB

MD5
b6f5d3fae1c12c0d79bb8d5dce4f09aa

SHA1
dd7a2a647da40f97ca5e219619a9e6cbe90ebeaa

SHA256
8af13babab4448ddf92f961ed22f9b20158540878e0cf4e75f4bbda922eebc91

SHA512
41cadb995f2dc9052cf043046dc966df71530c415413f0969fd49fef60e051adecb21a06e677927ee206c008d43ca1d474fcdaf6ee93d7dd2a40b99b124c3827

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA4C7.exe

Filesize
15KB

MD5
81b0675cd27ffe0e065a0e401e9f1a5f

SHA1
5626a29a51b6cd9d024e0c09cee7d39d8652ef41

SHA256
a69d8a73eb7a8e64d0dedec803ed42a20fc23019c58ab808e14e0e422b4bef4d

SHA512
15de5af960c2744484bdf19478a9ce168fe6a88ef2833b0d9c23cbc800d8bee8abc7910e4253468ffc8e190b5fd552205969beef52f814fb7032043466d3fe91

Download Submit

Analysis

Sharing