beff6663477809d0d4396b7324315ab4347bcc3a589dc8159065469d97a113e5

General

Target

d08cb2d1c9ac7ca15a3cf22fa3e4c8c9_JaffaCakes118.exe
Size

15KB
MD5

d08cb2d1c9ac7ca15a3cf22fa3e4c8c9
SHA1

7e4983d30e8ea2262c3b5a93c94a206aa9390a95
SHA256

beff6663477809d0d4396b7324315ab4347bcc3a589dc8159065469d97a113e5
SHA512

35cfeaa39a5594dc7f7f591e8768d9aab90b2b3add285392e01a98fc09e480f76a2f238e21bb2190b312e34ad560bd97d83eb7a163d3eaed3950a80afbddb899
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYKB2Hc:hDXWipuE+K3/SSHgxmKE8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2872	DEMFD72.exe
2828	DEM5310.exe
448	DEMA89E.exe
1508	DEMFE3C.exe
1904	DEM534E.exe
2988	DEMA87F.exe

Loads dropped DLL 6 IoCs

pid	Process
2440	d08cb2d1c9ac7ca15a3cf22fa3e4c8c9_JaffaCakes118.exe
2872	DEMFD72.exe
2828	DEM5310.exe
448	DEMA89E.exe
1508	DEMFE3C.exe
1904	DEM534E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d08cb2d1c9ac7ca15a3cf22fa3e4c8c9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFD72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5310.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA89E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFE3C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM534E.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2872	2440	d08cb2d1c9ac7ca15a3cf22fa3e4c8c9_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2872	2440	d08cb2d1c9ac7ca15a3cf22fa3e4c8c9_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2872	2440	d08cb2d1c9ac7ca15a3cf22fa3e4c8c9_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2872	2440	d08cb2d1c9ac7ca15a3cf22fa3e4c8c9_JaffaCakes118.exe	30
PID 2872 wrote to memory of 2828	2872	DEMFD72.exe	32
PID 2872 wrote to memory of 2828	2872	DEMFD72.exe	32
PID 2872 wrote to memory of 2828	2872	DEMFD72.exe	32
PID 2872 wrote to memory of 2828	2872	DEMFD72.exe	32
PID 2828 wrote to memory of 448	2828	DEM5310.exe	34
PID 2828 wrote to memory of 448	2828	DEM5310.exe	34
PID 2828 wrote to memory of 448	2828	DEM5310.exe	34
PID 2828 wrote to memory of 448	2828	DEM5310.exe	34
PID 448 wrote to memory of 1508	448	DEMA89E.exe	36
PID 448 wrote to memory of 1508	448	DEMA89E.exe	36
PID 448 wrote to memory of 1508	448	DEMA89E.exe	36
PID 448 wrote to memory of 1508	448	DEMA89E.exe	36
PID 1508 wrote to memory of 1904	1508	DEMFE3C.exe	38
PID 1508 wrote to memory of 1904	1508	DEMFE3C.exe	38
PID 1508 wrote to memory of 1904	1508	DEMFE3C.exe	38
PID 1508 wrote to memory of 1904	1508	DEMFE3C.exe	38
PID 1904 wrote to memory of 2988	1904	DEM534E.exe	40
PID 1904 wrote to memory of 2988	1904	DEM534E.exe	40
PID 1904 wrote to memory of 2988	1904	DEM534E.exe	40
PID 1904 wrote to memory of 2988	1904	DEM534E.exe	40

C:\Users\Admin\AppData\Local\Temp\d08cb2d1c9ac7ca15a3cf22fa3e4c8c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d08cb2d1c9ac7ca15a3cf22fa3e4c8c9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\DEMFD72.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMFD72.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\DEM5310.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5310.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\DEMA89E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMA89E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:448
    - - C:\Users\Admin\AppData\Local\Temp\DEMFE3C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFE3C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1508
      - C:\Users\Admin\AppData\Local\Temp\DEM534E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM534E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\DEMA87F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA87F.exe"
        7⤵
        Executes dropped EXE
        
        PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5310.exe

Filesize
15KB

MD5
fb4c403a48be5f788145c9956272d87c

SHA1
187d564615af4d74019d52c6b064404fca2472dd

SHA256
e7c680ca4fbe71b7cac6f6cc12e89499888233f4f0c1fb415fa61322bdeba1d7

SHA512
2334c33f6cbab451adda4a43b856f504d3f7a2d3266a22c9efa9991bba6eb122a29618245a90aa7037c002b8504865c1daed238e31563ca37ef2a18d025d02d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM534E.exe

Filesize
15KB

MD5
8cdf329be9fe7a9ca3665f3f07bd3b10

SHA1
9ac126760d4888fb6ff1ff826ab51fc6a864a230

SHA256
1e6c16078ac267dc73b9e00aaf591f3305f38a8ec6ccfe086d543ca48c100a1b

SHA512
9d323cbdac3b14420b213cc5ec17238687fe14be21b2ab4475c16a91c4109403a9d1c46f889408ae11f3e918c8af37d98f02e42887d696d2bc6384356754b7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA87F.exe

Filesize
15KB

MD5
ae204ab59c2a7fb958e937c218722ecf

SHA1
ccffcefdc9f126878636a9fbe26be98fd607afa3

SHA256
a5c2d9102bc8dab31283c06dce50572b7533e4f0fb3fc7ab14819e2a724dd4e3

SHA512
656d815b880487f0a9c0adcc4ac4210fea05a2e3cbf7caa4b423e327d4a301644c14ad154cde07072436cba18e60937e149d5260141e6f647b01a8f3df8e8d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFD72.exe

Filesize
15KB

MD5
4c751a3c55002b0371be69da74a387aa

SHA1
8c0296ed814498d3d1d864514a117b86a68ee9d6

SHA256
3c9d511b87e58104d60d5a6ebb44280424715dd406b2006186ed47a183ccb69c

SHA512
a2e6b08d8fa41a0db28aaf90277872ad97e08af700cbfcb838350a7a7ba51fee80dddf2bcc1d5b7f7628e9b39bdd27b4e458b17436990eeebc0ed9561e5f630f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA89E.exe

Filesize
15KB

MD5
1de6df60f9b50725dbcad2a23b0e0a9d

SHA1
143367f52b2bb2367952b75521d2584e5011f409

SHA256
443a0c6a18cce92c4d61113f2c86c2e2f2dd19272ffa7c71a21fb8373b9c8fec

SHA512
70dc4f8e7ea7271905c709133572d5d3f3149dc31bb50c5fe8f3a784af32da5815fc4f37b42de2e295c56fce78162e353066d08bfba1eeee313421c73cb58246

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFE3C.exe

Filesize
15KB

MD5
d2a16728fc1724df811e48b7c2630781

SHA1
6bfc85130772662dcd8f4ce070ab3c07a7790543

SHA256
6b3787f0b738d4e3f893f5ae65d56aa071c4d8dc955db15a94b1dd78ae6dd547

SHA512
0babe2848944ea05803e529b60f0e1fa5a1a411fff4a3ac4b59b814167e04f2666ae6427a981768eafa21fa039491ddeb726674bf480edef9b632a00fcb5686a

Download Submit

Analysis

Sharing