b4c0314f6770de6628320fa5a94bf3bfa2ae45de92855a7cf5b779b9ec456dd4

General

Target

c1db69663ea261de5d2b73d56cbac089_JaffaCakes118.exe
Size

14KB
MD5

c1db69663ea261de5d2b73d56cbac089
SHA1

85b40bf985f91e88d4598e5b3bae659468676e9b
SHA256

b4c0314f6770de6628320fa5a94bf3bfa2ae45de92855a7cf5b779b9ec456dd4
SHA512

03a922d68789c06ba3f27a3587ca211ed1e5db248012c3391008a96108632415617eedd4bb4e75510494dba9836951cb001ce6d250c84b9ff0ba39a0914e72e2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYWmbZk:hDXWipuE+K3/SSHgxmWmbu

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2964	DEMB8F3.exe
2868	DEM1075.exe
280	DEM6680.exe
2024	DEMBC6C.exe
1804	DEM12E5.exe
2244	DEM693E.exe

Loads dropped DLL 6 IoCs

pid	Process
1900	c1db69663ea261de5d2b73d56cbac089_JaffaCakes118.exe
2964	DEMB8F3.exe
2868	DEM1075.exe
280	DEM6680.exe
2024	DEMBC6C.exe
1804	DEM12E5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM12E5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1db69663ea261de5d2b73d56cbac089_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB8F3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1075.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6680.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBC6C.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2964	1900	c1db69663ea261de5d2b73d56cbac089_JaffaCakes118.exe	31
PID 1900 wrote to memory of 2964	1900	c1db69663ea261de5d2b73d56cbac089_JaffaCakes118.exe	31
PID 1900 wrote to memory of 2964	1900	c1db69663ea261de5d2b73d56cbac089_JaffaCakes118.exe	31
PID 1900 wrote to memory of 2964	1900	c1db69663ea261de5d2b73d56cbac089_JaffaCakes118.exe	31
PID 2964 wrote to memory of 2868	2964	DEMB8F3.exe	33
PID 2964 wrote to memory of 2868	2964	DEMB8F3.exe	33
PID 2964 wrote to memory of 2868	2964	DEMB8F3.exe	33
PID 2964 wrote to memory of 2868	2964	DEMB8F3.exe	33
PID 2868 wrote to memory of 280	2868	DEM1075.exe	35
PID 2868 wrote to memory of 280	2868	DEM1075.exe	35
PID 2868 wrote to memory of 280	2868	DEM1075.exe	35
PID 2868 wrote to memory of 280	2868	DEM1075.exe	35
PID 280 wrote to memory of 2024	280	DEM6680.exe	37
PID 280 wrote to memory of 2024	280	DEM6680.exe	37
PID 280 wrote to memory of 2024	280	DEM6680.exe	37
PID 280 wrote to memory of 2024	280	DEM6680.exe	37
PID 2024 wrote to memory of 1804	2024	DEMBC6C.exe	39
PID 2024 wrote to memory of 1804	2024	DEMBC6C.exe	39
PID 2024 wrote to memory of 1804	2024	DEMBC6C.exe	39
PID 2024 wrote to memory of 1804	2024	DEMBC6C.exe	39
PID 1804 wrote to memory of 2244	1804	DEM12E5.exe	41
PID 1804 wrote to memory of 2244	1804	DEM12E5.exe	41
PID 1804 wrote to memory of 2244	1804	DEM12E5.exe	41
PID 1804 wrote to memory of 2244	1804	DEM12E5.exe	41

C:\Users\Admin\AppData\Local\Temp\c1db69663ea261de5d2b73d56cbac089_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1db69663ea261de5d2b73d56cbac089_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\DEMB8F3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB8F3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\DEM1075.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1075.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\DEM6680.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6680.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:280
    - - C:\Users\Admin\AppData\Local\Temp\DEMBC6C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBC6C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2024
      - C:\Users\Admin\AppData\Local\Temp\DEM12E5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM12E5.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\DEM693E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM693E.exe"
        7⤵
        Executes dropped EXE
        
        PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1075.exe

Filesize
14KB

MD5
b6424df0567c27bd7c5a7e8e6887fff4

SHA1
f15b6f3aa72a2b4dea1f740079bc1830a0db0179

SHA256
dc303e5c8ec52da9cdf659adf4eb210377b7df60281bc5422cb6bb8ef7355d3c

SHA512
df1340335d4097f90560dbaed8f5e2f807d07cc3b2bfa1113513b9f4265ebbcabffaf5b8ef5acc60236ae77148d58f77e13ac4e4bf52f6db6557775833e04064

Download Submit
\Users\Admin\AppData\Local\Temp\DEM12E5.exe

Filesize
14KB

MD5
dfd266ff99c12f274fd28c99e984cb37

SHA1
391dbbf6ce1216f67b93df84a72192a79c83db51

SHA256
aebddb2d6fbdfe5fd2ee47db43b227129fc387e14fa92bc1bcc032d21601b68c

SHA512
f7a6cfb55369531e1b777f2e7b8ad9ae5333f3a170b43fe49f18a6b5079cca619bffd5b551c1c83ba204b27a86ec8474faa361450bba0589f659beebbd7dbfb2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6680.exe

Filesize
14KB

MD5
26c0729a4bb81f8fae089696fc19ccd3

SHA1
a97937a7e754fa2969a5b4be1b4da00f4e3f35d8

SHA256
33f7ccc70e6791713d71f5be3f7c3db5bdf85524ab9e4efb2f7bade15af6ddc4

SHA512
c70a4fa297a2b0764258b07c57adb84252a5ca83cc70f37d94a68c570204693fa49a55b6e1f301ea1de0b7f69373c6bcfbc89368415bdc72b72535de1a398037

Download Submit
\Users\Admin\AppData\Local\Temp\DEM693E.exe

Filesize
14KB

MD5
cff3b7bbcf4ef5b71b89151a38906004

SHA1
4e39f0674d0daa7b0a17ee3efad8265bee53023d

SHA256
29343abb5ffceb00d39a85e59c2ec7680238df583582996e35ee35ab4d0479bf

SHA512
e7620149d14b4df168314900d5453f192110adc7dcff8a1facd2f7d3659ca3a42aa529c415e30e8e1a7623f99b4167358471dd169ee1e13fbbcf0c51cf2ebc2f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB8F3.exe

Filesize
14KB

MD5
07062867e8c09fd5819b3d3ba2a2cacf

SHA1
4a6e4ddf9d54a748f9c47519975d3aa8d3aa47d2

SHA256
9865ceedaf4cc571ca93d83c4eb16faf369ac2dc2cd83fcab24a46c30278c349

SHA512
636261cce646a7932035c883e078b53a892d89c13f08285c98e72534b301511d152faf7fa793eafecf44d97686b8b6080d31748fa1bda6daa75e62ab54cf238f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBC6C.exe

Filesize
14KB

MD5
3b8ab1980bb775f53e8ac88330bc6215

SHA1
905c6ecac15f17099902dd3c1880df8ee6b6cced

SHA256
26a6c2645e52079a1e08c463204ee86fb6be8654b61d8a78b1dfb31fcd97c412

SHA512
c80960b688d938cc93774a0cb223eeffbb255012788a6ba4a8a193c05c09ef9f48cc94db6c4e171ea0577dc11be3a7917489b8114788483132714db6919d984f

Download Submit

Analysis

Sharing