1730317f3ddf55d364e16a17c635cd42bdc8bb4187a550a4c0ecdf59ee1c51a9

General

Target

c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe
Size

15KB
MD5

c8367169b75166b43f8cdc9464ada72e
SHA1

a90d22340bc0147537003f4776991964920b6ff8
SHA256

1730317f3ddf55d364e16a17c635cd42bdc8bb4187a550a4c0ecdf59ee1c51a9
SHA512

e4a7af837fe793af3d2e2c89bcf8708ee92dd41946ea9cb2cb97b1e2cb69f9b789f0370d07128fc046ae3f6d9c33475c7fc15a6ef8d670edb48c146f9e0c120e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5JB:hDXWipuE+K3/SSHgxl5L

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2760	DEM78F7.exe
2196	DEMCE57.exe
480	DEM2368.exe
1632	DEM78F8.exe
1924	DEMCE37.exe
2192	DEM2378.exe

Loads dropped DLL 6 IoCs

pid	Process
2092	c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe
2760	DEM78F7.exe
2196	DEMCE57.exe
480	DEM2368.exe
1632	DEM78F8.exe
1924	DEMCE37.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2368.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM78F8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCE37.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM78F7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCE57.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2760	2092	c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe	32
PID 2092 wrote to memory of 2760	2092	c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe	32
PID 2092 wrote to memory of 2760	2092	c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe	32
PID 2092 wrote to memory of 2760	2092	c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe	32
PID 2760 wrote to memory of 2196	2760	DEM78F7.exe	34
PID 2760 wrote to memory of 2196	2760	DEM78F7.exe	34
PID 2760 wrote to memory of 2196	2760	DEM78F7.exe	34
PID 2760 wrote to memory of 2196	2760	DEM78F7.exe	34
PID 2196 wrote to memory of 480	2196	DEMCE57.exe	36
PID 2196 wrote to memory of 480	2196	DEMCE57.exe	36
PID 2196 wrote to memory of 480	2196	DEMCE57.exe	36
PID 2196 wrote to memory of 480	2196	DEMCE57.exe	36
PID 480 wrote to memory of 1632	480	DEM2368.exe	38
PID 480 wrote to memory of 1632	480	DEM2368.exe	38
PID 480 wrote to memory of 1632	480	DEM2368.exe	38
PID 480 wrote to memory of 1632	480	DEM2368.exe	38
PID 1632 wrote to memory of 1924	1632	DEM78F8.exe	40
PID 1632 wrote to memory of 1924	1632	DEM78F8.exe	40
PID 1632 wrote to memory of 1924	1632	DEM78F8.exe	40
PID 1632 wrote to memory of 1924	1632	DEM78F8.exe	40
PID 1924 wrote to memory of 2192	1924	DEMCE37.exe	42
PID 1924 wrote to memory of 2192	1924	DEMCE37.exe	42
PID 1924 wrote to memory of 2192	1924	DEMCE37.exe	42
PID 1924 wrote to memory of 2192	1924	DEMCE37.exe	42

C:\Users\Admin\AppData\Local\Temp\c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\DEM78F7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM78F7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\DEMCE57.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCE57.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\DEM2368.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2368.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:480
    - - C:\Users\Admin\AppData\Local\Temp\DEM78F8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM78F8.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Users\Admin\AppData\Local\Temp\DEMCE37.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCE37.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\DEM2378.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2378.exe"
        7⤵
        Executes dropped EXE
        
        PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2378.exe

Filesize
15KB

MD5
8f84babb936a2a834938eae17c555560

SHA1
85d42e62711ef02e71639a4e7aeb01beb8d0cec5

SHA256
b264f571b30d9aef4ab013ce40b934e78a2c75027bf36181e4c1fa4119481c32

SHA512
86cdc18327010b6e17ceaa882d8e048637a63923f78eb81e63f0e28da4d7e655243e5aacaf47a3322e4ef67ae81ac764bc266b2ea60d16139f20cdc2890ae3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCE57.exe

Filesize
15KB

MD5
d38a3db5d3cb7fc8e0596f82abc78826

SHA1
3127cc270ceef40e76ad1ab1d445b3cc46bcc19e

SHA256
f5b40e1310bb01e16d65638962d370fabf2abb78f5fe559e275861c574970963

SHA512
82a8d0f0cfa5a9b80e8302a086150c3a3851a61092725d32279dffda9bb08c5de29603c270d51f0ea48bd867bff5ca8b90a73ad173e2e2a85d5e4a4ba8ddc8f2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2368.exe

Filesize
15KB

MD5
ed0af5bc68b33292ebac30b1dc305669

SHA1
5ce4794751fab8f5d9ab3a49f8fb1941498b6a44

SHA256
8eac139e6f5c326e6bd8a94438cbe34cf7b2f9733fa2b019f9bc4e424271916c

SHA512
31fb04bc7ec2b2f9a148ac4d11e62111292d21a3116c44ed7ba68c2c186b1a5f6a478e6d7b70480020df105217e53d9636fcd4d8c2cdab61c46abdb03d65ef7e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM78F7.exe

Filesize
15KB

MD5
6466566809ed0308be297e7ce22b1223

SHA1
b4fcecef285c96303365ec39974ad877e1904567

SHA256
2929540780499669c39dc1a920e3ad31cc4076d7de7a63df025569326edd753a

SHA512
16c4ecbc940a6210440cf9736c46e3175d1c6828e917daae7cad289c7b5da34023d8080190d45a0b75c7d582c7502f09bdbbf97d6fc1d7886e2eaf4d4370a35d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM78F8.exe

Filesize
15KB

MD5
45f2a1e7e4514b28c3fa427ae46fe426

SHA1
2b8b7cd5500e6d1cb16d6450383842b254d7715b

SHA256
ac3927a274eeb62937221b2b70e832f3941c56e0a3ccab82d96df99df027fffb

SHA512
6af7ebb15485a87b6580ed8f5a07194c7c6a53ff49fab55accd00e10232f8640ff411d5fd60309cff036db8115e2b5be01041812d8259f73048c3789c17b6355

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCE37.exe

Filesize
15KB

MD5
4216c35dcb975d3f9a20f3cfbeded49e

SHA1
826ec06a893ef49b5c7cc2d8ab25d8fcfc812ce0

SHA256
c5e939d1fc26525539b886ebce0bcbccef6db5deee7159404f6e3c257af89eac

SHA512
cf52c2efe87c4255f71368804abe19d836dbda6ce35d99e2bbe23648a31b473148eb4ab39c656538347593f935dbfe1f6d4f2d3881fa84032e4dab954c8596e7

Download Submit

Analysis

Sharing