fb2fe060667566ffc162ba609be240251d42e3d50fda5b9aa543cd74ba5880bc

General

Target

b0bd37795c70a73d0ae768e65e910a31_JaffaCakes118.exe
Size

14KB
MD5

b0bd37795c70a73d0ae768e65e910a31
SHA1

834bd5be729b11d985f0bfe11a003a31851ac5b3
SHA256

fb2fe060667566ffc162ba609be240251d42e3d50fda5b9aa543cd74ba5880bc
SHA512

bf0b5a8a0aeb9cb75d4a5dee125dd691400a38faf1b2818cf73499621f53f3504ca6944c151311b54103275f07bc13a7640b8cbc8c6aeae14f7390aa5a0f03e5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY52S:hDXWipuE+K3/SSHgxml

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2692	DEM1842.exe
2540	DEM6DE0.exe
2468	DEMC311.exe
2880	DEM1870.exe
1772	DEM6E1E.exe
2348	DEMC330.exe

Loads dropped DLL 6 IoCs

pid	Process
2624	b0bd37795c70a73d0ae768e65e910a31_JaffaCakes118.exe
2692	DEM1842.exe
2540	DEM6DE0.exe
2468	DEMC311.exe
2880	DEM1870.exe
1772	DEM6E1E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6E1E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0bd37795c70a73d0ae768e65e910a31_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1842.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6DE0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC311.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1870.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2692	2624	b0bd37795c70a73d0ae768e65e910a31_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2692	2624	b0bd37795c70a73d0ae768e65e910a31_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2692	2624	b0bd37795c70a73d0ae768e65e910a31_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2692	2624	b0bd37795c70a73d0ae768e65e910a31_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2540	2692	DEM1842.exe	33
PID 2692 wrote to memory of 2540	2692	DEM1842.exe	33
PID 2692 wrote to memory of 2540	2692	DEM1842.exe	33
PID 2692 wrote to memory of 2540	2692	DEM1842.exe	33
PID 2540 wrote to memory of 2468	2540	DEM6DE0.exe	35
PID 2540 wrote to memory of 2468	2540	DEM6DE0.exe	35
PID 2540 wrote to memory of 2468	2540	DEM6DE0.exe	35
PID 2540 wrote to memory of 2468	2540	DEM6DE0.exe	35
PID 2468 wrote to memory of 2880	2468	DEMC311.exe	37
PID 2468 wrote to memory of 2880	2468	DEMC311.exe	37
PID 2468 wrote to memory of 2880	2468	DEMC311.exe	37
PID 2468 wrote to memory of 2880	2468	DEMC311.exe	37
PID 2880 wrote to memory of 1772	2880	DEM1870.exe	39
PID 2880 wrote to memory of 1772	2880	DEM1870.exe	39
PID 2880 wrote to memory of 1772	2880	DEM1870.exe	39
PID 2880 wrote to memory of 1772	2880	DEM1870.exe	39
PID 1772 wrote to memory of 2348	1772	DEM6E1E.exe	41
PID 1772 wrote to memory of 2348	1772	DEM6E1E.exe	41
PID 1772 wrote to memory of 2348	1772	DEM6E1E.exe	41
PID 1772 wrote to memory of 2348	1772	DEM6E1E.exe	41

C:\Users\Admin\AppData\Local\Temp\b0bd37795c70a73d0ae768e65e910a31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b0bd37795c70a73d0ae768e65e910a31_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\DEM1842.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1842.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\DEM6DE0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6DE0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\DEMC311.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC311.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Users\Admin\AppData\Local\Temp\DEM1870.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1870.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Users\Admin\AppData\Local\Temp\DEM6E1E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6E1E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\DEMC330.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC330.exe"
        7⤵
        Executes dropped EXE
        
        PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6DE0.exe

Filesize
14KB

MD5
451ead19b97ebd4abe3f9b5c6f76ce4c

SHA1
6f79ce9604ced755bbde50dbdb1687fbcff4c9b4

SHA256
1d5b96ab38b5a24bef434cb0256e0c83f5c8b85e96d0b26e40bb3d43f3f84f90

SHA512
b15019da9cdf44b9a5723917284909452ac24410bc9790f0beaa103f7f8ab40a56dc60a42deb4ffda97a6f658a656f0103a02778e9cf6d35510729a502062806

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC330.exe

Filesize
15KB

MD5
7bc42736c23dc7066ce588de23e940fe

SHA1
8013519203b154626e57c1f7b1e88541d09790f2

SHA256
ed7411ceea8012a2ea6a11d3830486dd90261e34a524f9f0b9c45b30c0e1c0b8

SHA512
920ab584710049f9793c294d1464e5a0107c302efc90509a7d34e0276a334b0ee6370aa6e5e573f548e0ff46cb369e2a36066538bc0750b20f05cb90c5417c40

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1842.exe

Filesize
14KB

MD5
e950d376caf019683befff50e12f0287

SHA1
25ca1281ba8e5343a17934ab63be233d80328055

SHA256
e562a5696c304f51d4ef7e64d8be36a297ad69dd88fd32263384d340abb498db

SHA512
f6c4595cba43dadf116e528f73c8e96ea40772a25046720aac94eed761e473467fb80c4d41935b01832233b531b2a4c02bc2a837592a05a46a252d859c091564

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1870.exe

Filesize
14KB

MD5
515768115cfd4d8df9c5a6bc5e24824c

SHA1
38d11eeb079ff8898fde6ca38afc3a254cefb464

SHA256
8a663098cc0eeba4cc5eadbe30e781c21fa3edcac1f091233ef97725c86935a6

SHA512
ad5e8f5db40e04220f4b0f392842ee5ed93252675ee8cdbac5ff92158851e68bbbe6ce2c1a9972355fcb8e8940fc7e2eaa807e28ce53a8cecafca0fc21c1b4dd

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6E1E.exe

Filesize
14KB

MD5
6996d3d5e7db07c77bd5e7fd4e92993f

SHA1
06c421ad22f2c185e321c3f9db4dcd91c618c906

SHA256
3683c36a866fdd514c165b339cf09f8a59b28264c435ff0977c03933d8d14786

SHA512
a1023aaff4629eebb4f23cc3e5d90d9fb87d9ee514fffcdf524dcb29f6756f1a91b5131b4ee6adcc670785fbf12e3b72cb320c09fa723983faaa83f5b6155bee

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC311.exe

Filesize
14KB

MD5
24bd07853a059537615b42947a7117d4

SHA1
7c39e33d7cba7cf3c10b283fbfbcc215de9fbf32

SHA256
3cabc3866e9c52537b701b42bd09abf125fc94e8d527095a65027e08b4962b9e

SHA512
e9c2d3efff099b6545e6eb828461b5fb8ad37fd35c026fc63220eedaff8ec4392c68f34899dad72def50ced14b9e529b5d40c46d85bdc6ba9bcf2e285f9bc5e0

Download Submit

Analysis

Sharing