88f935011dabbd40a56f9deb317a2c0cc364597fe6334d55eac5959d854e9b7f

General

Target

b866cabccd18e4e2245813111d46b36e_JaffaCakes118.exe
Size

14KB
MD5

b866cabccd18e4e2245813111d46b36e
SHA1

3317033042e33f2e23aff74428329b31346eea4a
SHA256

88f935011dabbd40a56f9deb317a2c0cc364597fe6334d55eac5959d854e9b7f
SHA512

04c06b55bd2b8662ef04260af278ea14422fbd43e204901e632985051d16fc27cb45f2040a713b570cd581a3671b918b1d228560c1b997d5fa6dc94f91ba0196
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0p8:hDXWipuE+K3/SSHgx4u

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2760	DEM8DAF.exe
2748	DEME3DA.exe
3052	DEM3958.exe
1268	DEM8E6A.exe
1988	DEME38C.exe
264	DEM389D.exe

Loads dropped DLL 6 IoCs

pid	Process
2092	b866cabccd18e4e2245813111d46b36e_JaffaCakes118.exe
2760	DEM8DAF.exe
2748	DEME3DA.exe
3052	DEM3958.exe
1268	DEM8E6A.exe
1988	DEME38C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b866cabccd18e4e2245813111d46b36e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8DAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME3DA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3958.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8E6A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME38C.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2760	2092	b866cabccd18e4e2245813111d46b36e_JaffaCakes118.exe	32
PID 2092 wrote to memory of 2760	2092	b866cabccd18e4e2245813111d46b36e_JaffaCakes118.exe	32
PID 2092 wrote to memory of 2760	2092	b866cabccd18e4e2245813111d46b36e_JaffaCakes118.exe	32
PID 2092 wrote to memory of 2760	2092	b866cabccd18e4e2245813111d46b36e_JaffaCakes118.exe	32
PID 2760 wrote to memory of 2748	2760	DEM8DAF.exe	34
PID 2760 wrote to memory of 2748	2760	DEM8DAF.exe	34
PID 2760 wrote to memory of 2748	2760	DEM8DAF.exe	34
PID 2760 wrote to memory of 2748	2760	DEM8DAF.exe	34
PID 2748 wrote to memory of 3052	2748	DEME3DA.exe	36
PID 2748 wrote to memory of 3052	2748	DEME3DA.exe	36
PID 2748 wrote to memory of 3052	2748	DEME3DA.exe	36
PID 2748 wrote to memory of 3052	2748	DEME3DA.exe	36
PID 3052 wrote to memory of 1268	3052	DEM3958.exe	38
PID 3052 wrote to memory of 1268	3052	DEM3958.exe	38
PID 3052 wrote to memory of 1268	3052	DEM3958.exe	38
PID 3052 wrote to memory of 1268	3052	DEM3958.exe	38
PID 1268 wrote to memory of 1988	1268	DEM8E6A.exe	40
PID 1268 wrote to memory of 1988	1268	DEM8E6A.exe	40
PID 1268 wrote to memory of 1988	1268	DEM8E6A.exe	40
PID 1268 wrote to memory of 1988	1268	DEM8E6A.exe	40
PID 1988 wrote to memory of 264	1988	DEME38C.exe	42
PID 1988 wrote to memory of 264	1988	DEME38C.exe	42
PID 1988 wrote to memory of 264	1988	DEME38C.exe	42
PID 1988 wrote to memory of 264	1988	DEME38C.exe	42

C:\Users\Admin\AppData\Local\Temp\b866cabccd18e4e2245813111d46b36e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b866cabccd18e4e2245813111d46b36e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\DEM8DAF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8DAF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\DEME3DA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME3DA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\DEM3958.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3958.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Users\Admin\AppData\Local\Temp\DEM8E6A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8E6A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1268
      - C:\Users\Admin\AppData\Local\Temp\DEME38C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME38C.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\DEM389D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM389D.exe"
        7⤵
        Executes dropped EXE
        
        PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEME3DA.exe

Filesize
14KB

MD5
75f7a9b61cfb300b94f7d7db6fb08a5f

SHA1
960369da2ff24a01e2122aa64c73e55a302befa7

SHA256
943a920f246f6b57ed4cb494b5b7d7fa9350065791a2393e76a81122675dd53d

SHA512
9635c48bddbcc413e4d6491b919ff03915330bd01500d0e2682a2628e2e69d3bae57314e1240df3311fd8ae455b7279a4c5ceeec35a42721c52599110552661f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM389D.exe

Filesize
14KB

MD5
5aae3811c2a2a7f2dd90b2e6026580ac

SHA1
641b2247fc8e7ad044775560221beaccd622089b

SHA256
356b20fb3db315a75b36f798ac10770447a739cfa31c0c3d7b1a3c4b3019cdc5

SHA512
41b2b30b6853e3c22c7f50442dd67212e6c26cc4b320b84520395aa3ff1e8245a4f7b9ba1b2fbbe148f77f8b605b0b778cd9dc7affbc48c75ad5706a253be6cc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3958.exe

Filesize
14KB

MD5
0fa96a2b4851fc4dbf24af3bdb432b83

SHA1
6e9ea3012889f12dcaab753d43ab5a1255c3de82

SHA256
6217a51a8411a547faeac0d96b6538919ef2661683a02c797faf9e993c9a34e3

SHA512
01c75b7f5974252f3a9dbc011f5f9cd02c9e56fc2fbacd38fd583c1c6f29c22103ff7735684e966a72bdeaf6b2648edd75508640ade8176eb21e6259f3460e81

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8DAF.exe

Filesize
14KB

MD5
0c20057300e76e492fa04f1205a3cbf3

SHA1
7996253e03ba222b5bd9ea7f4fc79fafe51212e6

SHA256
03e4b9729806e763eb37f5097b60a87905f2a90a0f89822b67622c70501ff6d6

SHA512
8068b12e3c9170e671e03a5dbda50222608a8e9c06a76bc3bdbfe0fcbc68f89b309628a8fae69664606260f402854c9f81ced2f1e23528cc95e4038e9ceff9d4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8E6A.exe

Filesize
14KB

MD5
d01f4b074fd44d18764f16cd180ffe0d

SHA1
55008b874bee6e6cf8bf8e83ab0aa307d4e2d59b

SHA256
bb2b6ef95d38d394ea6f313d326300d1c06f1665e552c6ac4ee097d2cec9a0b1

SHA512
8a8881a771f29b031239065faab1004f6cb32e0d33752b77e3895778b47fa02009c8fdda336b211fd28f3ad87a13127e0d2d9ef1944fb4d7fe802d8ca1ae67df

Download Submit
\Users\Admin\AppData\Local\Temp\DEME38C.exe

Filesize
14KB

MD5
8fabcbbaab5ea6c1c0b9494cf817a557

SHA1
5e64dee7f712bb9928b59d32dbdec4b4b8f52695

SHA256
470d06d3f3341c6968b3433ae3df473e626e5d9362c38735e2c7c2157d5f0ecd

SHA512
ad8af7f1ebf6995839bed241d00ecfaa5ee946e1a804b22caf67e0fd539d3ec20d64e331f4cf641f294ba67980e62a9dc47bbc30c37168bafd1c636695cd23f6

Download Submit

Analysis

Sharing