38a8c7a5cca896f9d484eec7573787ab66e3cb4d0babda8529901498fe396935

General

Target

d2a487fbe4952fa66ba9ffa14d53ccae_JaffaCakes118.exe
Size

14KB
MD5

d2a487fbe4952fa66ba9ffa14d53ccae
SHA1

5439256765ec5ed0dd065ec821c83e1ea5a1ec14
SHA256

38a8c7a5cca896f9d484eec7573787ab66e3cb4d0babda8529901498fe396935
SHA512

5382e39d2f5c0bc5c25b0aa2b835e69b6da640bdbd5db9193b965940908810b0b53fec50b12875f3882540d5aa9289abaa5271afdf9f8b62128d5fad33be2706
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4hXp:hDXWipuE+K3/SSHgxmqp

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2920	DEME3CA.exe
2600	DEM39B6.exe
2876	DEM8ED7.exe
2012	DEME418.exe
856	DEM392A.exe
2264	DEM8E89.exe

Loads dropped DLL 6 IoCs

pid	Process
2640	d2a487fbe4952fa66ba9ffa14d53ccae_JaffaCakes118.exe
2920	DEME3CA.exe
2600	DEM39B6.exe
2876	DEM8ED7.exe
2012	DEME418.exe
856	DEM392A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2a487fbe4952fa66ba9ffa14d53ccae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME3CA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM39B6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8ED7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME418.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM392A.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2920	2640	d2a487fbe4952fa66ba9ffa14d53ccae_JaffaCakes118.exe	32
PID 2640 wrote to memory of 2920	2640	d2a487fbe4952fa66ba9ffa14d53ccae_JaffaCakes118.exe	32
PID 2640 wrote to memory of 2920	2640	d2a487fbe4952fa66ba9ffa14d53ccae_JaffaCakes118.exe	32
PID 2640 wrote to memory of 2920	2640	d2a487fbe4952fa66ba9ffa14d53ccae_JaffaCakes118.exe	32
PID 2920 wrote to memory of 2600	2920	DEME3CA.exe	34
PID 2920 wrote to memory of 2600	2920	DEME3CA.exe	34
PID 2920 wrote to memory of 2600	2920	DEME3CA.exe	34
PID 2920 wrote to memory of 2600	2920	DEME3CA.exe	34
PID 2600 wrote to memory of 2876	2600	DEM39B6.exe	36
PID 2600 wrote to memory of 2876	2600	DEM39B6.exe	36
PID 2600 wrote to memory of 2876	2600	DEM39B6.exe	36
PID 2600 wrote to memory of 2876	2600	DEM39B6.exe	36
PID 2876 wrote to memory of 2012	2876	DEM8ED7.exe	39
PID 2876 wrote to memory of 2012	2876	DEM8ED7.exe	39
PID 2876 wrote to memory of 2012	2876	DEM8ED7.exe	39
PID 2876 wrote to memory of 2012	2876	DEM8ED7.exe	39
PID 2012 wrote to memory of 856	2012	DEME418.exe	41
PID 2012 wrote to memory of 856	2012	DEME418.exe	41
PID 2012 wrote to memory of 856	2012	DEME418.exe	41
PID 2012 wrote to memory of 856	2012	DEME418.exe	41
PID 856 wrote to memory of 2264	856	DEM392A.exe	43
PID 856 wrote to memory of 2264	856	DEM392A.exe	43
PID 856 wrote to memory of 2264	856	DEM392A.exe	43
PID 856 wrote to memory of 2264	856	DEM392A.exe	43

C:\Users\Admin\AppData\Local\Temp\d2a487fbe4952fa66ba9ffa14d53ccae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2a487fbe4952fa66ba9ffa14d53ccae_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\DEME3CA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME3CA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\DEM39B6.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM39B6.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\DEM8ED7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM8ED7.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Users\Admin\AppData\Local\Temp\DEME418.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME418.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Users\Admin\AppData\Local\Temp\DEM392A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM392A.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\DEM8E89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8E89.exe"
        7⤵
        Executes dropped EXE
        
        PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM39B6.exe

Filesize
14KB

MD5
ba64509b4195e753bc18f4ec5b5308bb

SHA1
0fb1300b58ab07b18e6df0d2c7ef89243905fba6

SHA256
2f5a6c020e8187153fa0958ecde041a77f4184deed673215f476b74662d203cd

SHA512
f32b84400ea1a55a4c1105eae15043b9b46bee21e2af94a15cce7872f15350ded7a358c6471cb8395fa6524f3a588cee1b9b5764452da84e3709879874c63118

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8ED7.exe

Filesize
14KB

MD5
351cc642990fd7afc389bc6ba63086d1

SHA1
5fc18ed025b1433f890b1151535c341a6dd203da

SHA256
f0355f6aec3f7dc35f78d4fbb7c8ca5f55236dcb7daaade2bbf3a6a4c70f2189

SHA512
1531e2d81429a35cf604f84eb5338cec249538a8ff32036a3e2dccce7ef9a6f754d392ca1669a1e7562710cc6a662d536d32a4ffc1af98e30ded13306f5ebd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME3CA.exe

Filesize
14KB

MD5
592d4dea7d8efeff3cc57caf8280bc05

SHA1
f3a861d03abb4e08f8e1f5ba12274bd16e9978ae

SHA256
8627bf60be62d264ee54138b2b5456e8553f2cccd9d60a8bff511b5d12d17c56

SHA512
88e3074434e2fc1e90264a8b9dbf6b1f4545231c85134dcfb8a37ab51e6363b4fa60afde77c48fd371aa6840e08c7ae8e76ffd9ef8f54964b864f525f30853dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME418.exe

Filesize
14KB

MD5
583f2169f7058ac3b81cd1afe5ef79aa

SHA1
51a43c819083af7f34cfc2bcd15251d95bbe0c0b

SHA256
64aba2b0e22ef6a84e75333b3b0bf784dca6fdc3e05075dd0f6f31cd83f0a31b

SHA512
6da4a07dcda41d64e246ba331a28e645bfb35499dc4068d7ce5a2b222cb25a436396d54096eed6ddfb88b7e39bf623174bebb05e767e1752a5572016d726b4fd

Download Submit
\Users\Admin\AppData\Local\Temp\DEM392A.exe

Filesize
14KB

MD5
6bd790d93233fe4ae533ad5fb046546c

SHA1
b5b2bab61f000da0b495d2c2dba994ceedff4bb9

SHA256
8daa3c76bd74156f247cb74115557b1679617d599d5ca75f5853fcc26adef564

SHA512
219fe8621611a0d945592a7b1e79f4ab1710f37f4ac4039e3c003dbfb73b59f9792c6e490c420e356b7ee45cbba88ea0eb309257b83aa4c283d2be363e037aa5

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8E89.exe

Filesize
14KB

MD5
fe085519579b43e2e31370b4b6649655

SHA1
2fa48ff4bbf627a655a0f4a594d560c78c474a79

SHA256
8f4047e3bd94a5acde51ff433280d6ddf638856d30a37d7280192fe6bffec10a

SHA512
5c76e6f1418685e7bf69171b1854e5bc3aa3f0c20fbaee30698f2161396e2353e5813a19b34bd1dc1144b96170f3e6ce8f14d1a8cdd46bf8f425574aeb289176

Download Submit

Analysis

Sharing