e66f6ab3e0630d6880bb5e21e7b8a7b6eebfea17465dec7821cdc363cbbb84d0

General

Target

dbb85b9244959b5360d72fc0346fdcf6_JaffaCakes118.exe
Size

14KB
MD5

dbb85b9244959b5360d72fc0346fdcf6
SHA1

f6c336be718869709391893ee991e8c61c66db61
SHA256

e66f6ab3e0630d6880bb5e21e7b8a7b6eebfea17465dec7821cdc363cbbb84d0
SHA512

f7e209a421cdd340f64b47677c41bb14d427c59d73700dba5734daaf67a6e804a364d20127bfd5b7fdf148aa8a9f492c10bdc59cdf7a3f213014132fef7e5efd
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/wj:hDXWipuE+K3/SSHgxm/4

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2664	DEM25D8.exe
2552	DEM7BA5.exe
2368	DEMD0B7.exe
648	DEM25D9.exe
1080	DEM7AEA.exe
2160	DEMD01B.exe

Loads dropped DLL 6 IoCs

pid	Process
2488	dbb85b9244959b5360d72fc0346fdcf6_JaffaCakes118.exe
2664	DEM25D8.exe
2552	DEM7BA5.exe
2368	DEMD0B7.exe
648	DEM25D9.exe
1080	DEM7AEA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbb85b9244959b5360d72fc0346fdcf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM25D8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7BA5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD0B7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM25D9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7AEA.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2664	2488	dbb85b9244959b5360d72fc0346fdcf6_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2664	2488	dbb85b9244959b5360d72fc0346fdcf6_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2664	2488	dbb85b9244959b5360d72fc0346fdcf6_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2664	2488	dbb85b9244959b5360d72fc0346fdcf6_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2552	2664	DEM25D8.exe	33
PID 2664 wrote to memory of 2552	2664	DEM25D8.exe	33
PID 2664 wrote to memory of 2552	2664	DEM25D8.exe	33
PID 2664 wrote to memory of 2552	2664	DEM25D8.exe	33
PID 2552 wrote to memory of 2368	2552	DEM7BA5.exe	35
PID 2552 wrote to memory of 2368	2552	DEM7BA5.exe	35
PID 2552 wrote to memory of 2368	2552	DEM7BA5.exe	35
PID 2552 wrote to memory of 2368	2552	DEM7BA5.exe	35
PID 2368 wrote to memory of 648	2368	DEMD0B7.exe	38
PID 2368 wrote to memory of 648	2368	DEMD0B7.exe	38
PID 2368 wrote to memory of 648	2368	DEMD0B7.exe	38
PID 2368 wrote to memory of 648	2368	DEMD0B7.exe	38
PID 648 wrote to memory of 1080	648	DEM25D9.exe	40
PID 648 wrote to memory of 1080	648	DEM25D9.exe	40
PID 648 wrote to memory of 1080	648	DEM25D9.exe	40
PID 648 wrote to memory of 1080	648	DEM25D9.exe	40
PID 1080 wrote to memory of 2160	1080	DEM7AEA.exe	42
PID 1080 wrote to memory of 2160	1080	DEM7AEA.exe	42
PID 1080 wrote to memory of 2160	1080	DEM7AEA.exe	42
PID 1080 wrote to memory of 2160	1080	DEM7AEA.exe	42

C:\Users\Admin\AppData\Local\Temp\dbb85b9244959b5360d72fc0346fdcf6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbb85b9244959b5360d72fc0346fdcf6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\DEM25D8.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM25D8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\DEM7BA5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7BA5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\DEMD0B7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD0B7.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2368
    - - C:\Users\Admin\AppData\Local\Temp\DEM25D9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM25D9.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:648
      - C:\Users\Admin\AppData\Local\Temp\DEM7AEA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7AEA.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\DEMD01B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD01B.exe"
        7⤵
        Executes dropped EXE
        
        PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM25D8.exe

Filesize
14KB

MD5
05e15e036f6fe23912bd015fc496acb0

SHA1
1f479b4af6c540afee5eba72ec69b3cc5f22d1ec

SHA256
994738994dbffea25795295cd9435af3df4c9e37a42a3b38b78f365223c12e79

SHA512
8d6853e24c23fd4e16536a657ecdcd6ba0c8c53584377bfaa0c9d696056dfef909634045328124fc8ead1381e1bef35cd49838b4a3410766b17a188eb7d7f3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7BA5.exe

Filesize
14KB

MD5
b3c27c62aec233626a57b10a6336e7e7

SHA1
8d41583303848798f1a45183994ad9ad401f9990

SHA256
264d24b03ab4b3a52e38239629bfe03d596e6e81a30def89082238bb2ca37699

SHA512
c8c620f7e51e4f9ebd351f82fe921a2b1e2f4d06e67ee7dd11d65d61e3f87b5c0b140e5411add1229b8f61786a0b6a75be6fdd8fae9351e2005b9d2a2df1979f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD0B7.exe

Filesize
14KB

MD5
1b2ded83e862a064def7c8b593993a1d

SHA1
f00ca1d318f59dfd5537142e669d338448085fc1

SHA256
e36e5ee10855dc6e22382896709d89ed26e9d7bb6ff6f4da02b8054b17e1c3de

SHA512
1db750330e04949ee8e0d116c89ce710ad549f1be5f16e67c49e7da5360c26390bd9ea6e648669f2e40f1557f8b16722d0ecb2f68541631f2b9889f69cb826c8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM25D9.exe

Filesize
14KB

MD5
f0cc63fd12ad12851e38a8d7fbad7df0

SHA1
082383bde2fe14cb41930fd4b118f256add00d00

SHA256
df1b8fccb655ef83078334d2ee53b5b0c9651dc10bf84fce83e455d2fc92ab72

SHA512
39f381f72be2728fe105422a361a38f7e5c96c739781c97a67ab25eb8b7bb814cc816c98d5fd2da3d5f645ac37f5611b45687e440726251ccec3586318a061f6

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7AEA.exe

Filesize
14KB

MD5
39ea14261a674856a3677c307fd8ea28

SHA1
322c991d9d2468ae620be6ddeee4f0f569aae573

SHA256
b13eacf9c53fa5830d8705beb02513068fc0bd396f687a46eee567b395590253

SHA512
509a9cc5dea2614d5f98af34efc83b8496e6ee8dc9108cd6ff4389893dc3ebe60536ddc6dd23e3b8e6d92c21e6b750300698dd5fe29ec9d74d7b81067dd916a7

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD01B.exe

Filesize
14KB

MD5
2f0b04670a0530ae8b43762e75ce8cb6

SHA1
b9a0a822604fa4f13063ecf721ff7b49b1d85f78

SHA256
b402c3eb4f4d8c7e749d3f2b69f77285a37149db0ba92b4c482fc9900a321365

SHA512
46fe3c47068c5ba4cc03abc5005d76ea8b6058f2867cf5953419c70849432507e458401c30d7e7e841cb88801cce61b32e004c897d06a76b2cc3a7783b58831a

Download Submit

Analysis

Sharing