a5cb8ff4801beaec3fee3ffb3204301d364a883f352cae8d89fea28697c7566f

General

Target

b91911d2e214d68547cabd63c4b6fbac_JaffaCakes118.exe
Size

14KB
MD5

b91911d2e214d68547cabd63c4b6fbac
SHA1

1b49e14d44bf388004f5b5432cac19911a829efd
SHA256

a5cb8ff4801beaec3fee3ffb3204301d364a883f352cae8d89fea28697c7566f
SHA512

014efdbfc9a85cd9bead46bfef7814dce258eeb2f10a436efcf90bdc7f4ffb7c3a3559ffdf3c8f3a602b47aa6272d9db3e75eb14a7cd642ce467481a3c2e7f68
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhvq:hDXWipuE+K3/SSHgxlq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2924	DEM7FF9.exe
2692	DEMD53A.exe
2452	DEM2A3C.exe
2792	DEM7FBB.exe
2292	DEMD4DC.exe
2136	DEM29DE.exe

Loads dropped DLL 6 IoCs

pid	Process
2164	b91911d2e214d68547cabd63c4b6fbac_JaffaCakes118.exe
2924	DEM7FF9.exe
2692	DEMD53A.exe
2452	DEM2A3C.exe
2792	DEM7FBB.exe
2292	DEMD4DC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b91911d2e214d68547cabd63c4b6fbac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7FF9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD53A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2A3C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7FBB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD4DC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2924	2164	b91911d2e214d68547cabd63c4b6fbac_JaffaCakes118.exe	31
PID 2164 wrote to memory of 2924	2164	b91911d2e214d68547cabd63c4b6fbac_JaffaCakes118.exe	31
PID 2164 wrote to memory of 2924	2164	b91911d2e214d68547cabd63c4b6fbac_JaffaCakes118.exe	31
PID 2164 wrote to memory of 2924	2164	b91911d2e214d68547cabd63c4b6fbac_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2692	2924	DEM7FF9.exe	33
PID 2924 wrote to memory of 2692	2924	DEM7FF9.exe	33
PID 2924 wrote to memory of 2692	2924	DEM7FF9.exe	33
PID 2924 wrote to memory of 2692	2924	DEM7FF9.exe	33
PID 2692 wrote to memory of 2452	2692	DEMD53A.exe	35
PID 2692 wrote to memory of 2452	2692	DEMD53A.exe	35
PID 2692 wrote to memory of 2452	2692	DEMD53A.exe	35
PID 2692 wrote to memory of 2452	2692	DEMD53A.exe	35
PID 2452 wrote to memory of 2792	2452	DEM2A3C.exe	37
PID 2452 wrote to memory of 2792	2452	DEM2A3C.exe	37
PID 2452 wrote to memory of 2792	2452	DEM2A3C.exe	37
PID 2452 wrote to memory of 2792	2452	DEM2A3C.exe	37
PID 2792 wrote to memory of 2292	2792	DEM7FBB.exe	39
PID 2792 wrote to memory of 2292	2792	DEM7FBB.exe	39
PID 2792 wrote to memory of 2292	2792	DEM7FBB.exe	39
PID 2792 wrote to memory of 2292	2792	DEM7FBB.exe	39
PID 2292 wrote to memory of 2136	2292	DEMD4DC.exe	41
PID 2292 wrote to memory of 2136	2292	DEMD4DC.exe	41
PID 2292 wrote to memory of 2136	2292	DEMD4DC.exe	41
PID 2292 wrote to memory of 2136	2292	DEMD4DC.exe	41

C:\Users\Admin\AppData\Local\Temp\b91911d2e214d68547cabd63c4b6fbac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b91911d2e214d68547cabd63c4b6fbac_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\DEM7FF9.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7FF9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\DEMD53A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD53A.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\DEM2A3C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2A3C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Users\Admin\AppData\Local\Temp\DEM7FBB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7FBB.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Users\Admin\AppData\Local\Temp\DEMD4DC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD4DC.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\DEM29DE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM29DE.exe"
        7⤵
        Executes dropped EXE
        
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM29DE.exe

Filesize
14KB

MD5
7823e6368c9575048b06452a02cb2bad

SHA1
40eb3de08a1e64571bafd321ef4d94c8506c0bdb

SHA256
5d4e54f763ab6e5bbbfaa3bc8b9ead5bb9d5be3b734d7c0cc9f24b57cccb7ca0

SHA512
15b64a92dc91051d5826132c20b3816310fdc0d6f56fd8bdf5d9c871230173f3ce5d7827a571e5d9cd4d64df12a95aba97d480f2e1ee79e39ff55025f7ab2cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD4DC.exe

Filesize
14KB

MD5
c30805873b9a023350fd231347789802

SHA1
b7364b1476e119f22b1721653791ec303ca0eb92

SHA256
a86f997be80efc787d3cc9a7a4f7d798896067d73e627a216f57f852905afa32

SHA512
2f4c785a5c621a0627d4802d1b2e57e45bed0147cae1c6cc9f6592cf1c999c21d0832bd1029b917d3f0107313f08a79ce4c97d4c54335e5a3e2f6dce8fa41254

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD53A.exe

Filesize
14KB

MD5
0762086cc08d0a1ded3ba0df4b494442

SHA1
60902664b0289957d89cfd25d18e9958ab37bfda

SHA256
486803719f43d4e02707ef510dcac7b6947066ec487cb12722b8ac86cc73de87

SHA512
dea8a178985f83bb4327f21393dd875e38885d1d01e4f75e07efe7c0f481b4697bc6e3776c290e8b7bf057407ac2e880453c534db0eba645747d120a6331de8b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2A3C.exe

Filesize
14KB

MD5
25e94a1efe7f77c0dcb835f1207645ac

SHA1
dca79ea596e65f80eba30b3cb926e5048fb6e00a

SHA256
aee89f96ea12ec43bc90720ee87068684e009ad0ebf9080b10278a5602c6daf1

SHA512
c1e481cc251566bafbabb1bb443277f6b136c7e4661e5ea6cbd6a2cc511afc4d48e96cc23a05faa02a7740e336f3bc8a31d0e0c2efe5826f0eccf2a2a91c4209

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7FBB.exe

Filesize
14KB

MD5
af9b1b23754b254d63c8479f103fc4be

SHA1
5297ba84e2dec827f5f2e9adb079ff14bad449af

SHA256
e566ade31ddd484e13c09a8cb3d02898536e3979699fe7a2d91961e8ff3d948f

SHA512
e51bdbc0adf77bb8f7442bd7bdf796312729bfca37b12be05ff8e6941456a224fc97cc6f24642479e98d3d14a6c571aad8d93949afbe6ee8da0ecda0defef513

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7FF9.exe

Filesize
14KB

MD5
f636ba473fd1e5b4657bc5c41c6d6db8

SHA1
c2cd17eb98716acb1325f87c3398065067df8c5b

SHA256
2ade37075c6f945a929ad1a734f9170eaf572a8555c847f96c842bb845ee7d97

SHA512
4fb8a0fc2f6434fade8aa1abb87b0ca5efdb10a22ee0f8312ab3eaec02c4704917e7fd96e837ddac84bb1d191b7b4718a3f173e21756c51c182f85eef066c6a4

Download Submit

Analysis

Sharing