5ae4126201c172a8e85f883da2c9b657fd09b068d6cf47f3e119e1fbd069c0e9

General

Target

cf08fcfeff9ec16e5844af10099ab307_JaffaCakes118.exe
Size

14KB
MD5

cf08fcfeff9ec16e5844af10099ab307
SHA1

283eeeb7b069b91e9c8cdd6e2f9eb04c53034d5b
SHA256

5ae4126201c172a8e85f883da2c9b657fd09b068d6cf47f3e119e1fbd069c0e9
SHA512

a819b7a35198c3aee6d806a718230ec7399f37918992ba518a396217645b8e0dba20b9302c966c82acd1ba43992a7320a429f5ec3e4fbc6fa6f824db00a527f4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhp:hDXWipuE+K3/SSHgxb

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2860	DEM416.exe
2876	DEM5976.exe
2352	DEMAF33.exe
2896	DEM493.exe
1000	DEM59E3.exe
2228	DEMAF14.exe

Loads dropped DLL 6 IoCs

pid	Process
1308	cf08fcfeff9ec16e5844af10099ab307_JaffaCakes118.exe
2860	DEM416.exe
2876	DEM5976.exe
2352	DEMAF33.exe
2896	DEM493.exe
1000	DEM59E3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM59E3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf08fcfeff9ec16e5844af10099ab307_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM416.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5976.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAF33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM493.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2860	1308	cf08fcfeff9ec16e5844af10099ab307_JaffaCakes118.exe	30
PID 1308 wrote to memory of 2860	1308	cf08fcfeff9ec16e5844af10099ab307_JaffaCakes118.exe	30
PID 1308 wrote to memory of 2860	1308	cf08fcfeff9ec16e5844af10099ab307_JaffaCakes118.exe	30
PID 1308 wrote to memory of 2860	1308	cf08fcfeff9ec16e5844af10099ab307_JaffaCakes118.exe	30
PID 2860 wrote to memory of 2876	2860	DEM416.exe	32
PID 2860 wrote to memory of 2876	2860	DEM416.exe	32
PID 2860 wrote to memory of 2876	2860	DEM416.exe	32
PID 2860 wrote to memory of 2876	2860	DEM416.exe	32
PID 2876 wrote to memory of 2352	2876	DEM5976.exe	34
PID 2876 wrote to memory of 2352	2876	DEM5976.exe	34
PID 2876 wrote to memory of 2352	2876	DEM5976.exe	34
PID 2876 wrote to memory of 2352	2876	DEM5976.exe	34
PID 2352 wrote to memory of 2896	2352	DEMAF33.exe	37
PID 2352 wrote to memory of 2896	2352	DEMAF33.exe	37
PID 2352 wrote to memory of 2896	2352	DEMAF33.exe	37
PID 2352 wrote to memory of 2896	2352	DEMAF33.exe	37
PID 2896 wrote to memory of 1000	2896	DEM493.exe	39
PID 2896 wrote to memory of 1000	2896	DEM493.exe	39
PID 2896 wrote to memory of 1000	2896	DEM493.exe	39
PID 2896 wrote to memory of 1000	2896	DEM493.exe	39
PID 1000 wrote to memory of 2228	1000	DEM59E3.exe	41
PID 1000 wrote to memory of 2228	1000	DEM59E3.exe	41
PID 1000 wrote to memory of 2228	1000	DEM59E3.exe	41
PID 1000 wrote to memory of 2228	1000	DEM59E3.exe	41

C:\Users\Admin\AppData\Local\Temp\cf08fcfeff9ec16e5844af10099ab307_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf08fcfeff9ec16e5844af10099ab307_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\DEM416.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM416.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\DEM5976.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5976.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\DEMAF33.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMAF33.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Users\Admin\AppData\Local\Temp\DEM493.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM493.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Users\Admin\AppData\Local\Temp\DEM59E3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM59E3.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\DEMAF14.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAF14.exe"
        7⤵
        Executes dropped EXE
        
        PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM416.exe

Filesize
14KB

MD5
a0a4d55b9c05b25c1849128730f340c9

SHA1
0b7977ca84f5d192df8755322f6baf00585a2cba

SHA256
b38e1e1ae60c22f6902e91807275e4601c31398a3df5cdde1d249c58508176cb

SHA512
e5f74e523f780cc4f2436bd30e99e90839f3dbbbcfb25be81eb4753908d665e736d0619a7c10d7595364a86e5434a2e60580b554ad7f95b82232a459c79d6d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5976.exe

Filesize
14KB

MD5
e1aed77183e35da26022401d25e418a9

SHA1
2d75f75698ab806d0ea926ddc47b7fc0530437cc

SHA256
6e9f3574957635fed1bd6a188adf471980594d26284bccc6cb6e6cbf076b20b7

SHA512
a76f488967026f91b7ab613779bef0cd7bb9a49690450293175af62644f9cf74004ee282a12397566840b629360eff615984b9fa4dd38b5b72191c90a1a74c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM59E3.exe

Filesize
14KB

MD5
497a7c63f3fa7389d0c4ce261cb9f4c3

SHA1
285580c0c1618ff89935ee1099ae4ad3b1721b79

SHA256
7777c182e3df0579bf22183f562108fefc5e6b4c90ac02797dcc615ab19a14c2

SHA512
437f798582194f2172500ed2b33cedceade42b66627588ceb786065281d0330692a54ffba54e785259801387581ef861d24b9fab5b777f6a864e4bd3048cb39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAF14.exe

Filesize
14KB

MD5
f4cb41dc8a1c67d591f2dc748f2a2b8d

SHA1
8300c89c34382871d0bc7e83fa4934f35616a9e9

SHA256
8d4833f37a3c2944be4c52b53b896b44a690c916eb35f48c495b00774d4d345a

SHA512
6ac8ae08004cebc2e4e2e97950381571f668f95312875ae8926c72d021d44172932bb3e733cdb5a10bb6f3b60510490d4656ed7b889529cff87fdaf128d0a33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAF33.exe

Filesize
14KB

MD5
932c822d663cf5b6e5bacba467b69427

SHA1
20440b0f1fab84411f48fc26e1c036e514f64a32

SHA256
ab0bb5e23f4ca2e53f75acaa0f7936ea4b1a5df5917f61ecd3ddb445a7cf852a

SHA512
827fd9dbf5ed4f078f31f6c103b4d3c82eadfda7502d149f06b23ca086ec3c276dba9dfb0358eecf273776602f4f2193f6664d5a8c842c0e4306e48d41df99eb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM493.exe

Filesize
14KB

MD5
c4cf3d1c88e0d00fa3e224b67d0d013f

SHA1
48acbc87a2a10934a17a8a240122d7f6251bfe67

SHA256
bdc8e89bfd58cee8e0b0cb578bb56548c151aef87281ae0cad5acbdecf7b837e

SHA512
e745aca8588ec5610e7b3997b04a725d02064c257e8fa412e99129cd6243a295aac0411400a73a9512b0d3159c78bd2d6eeacdbade798c4b034ef8bedcc48197

Download Submit

Analysis

Sharing